BitLocker To Go


BitLocker is a full storage volume encryption introduced with Windows Vista. But BitLocker supports local disks only.


With Windows 7 came "BitLocker To Go" which allows to encrypt hotplug drives. It comes with the Ultimate and Enterprise Edition only.


BitLocker works with a "Filter Driver" which blocks or grants access to the volume.


A hotplug volume encrypted with BitLocker comes in two different shapes. It depends on the drive's file system which one we get.


BitLocker encrypted FAT/FAT32/exFAT drives still have an unencrypted FAT file system. It contains a lot of files, most of them have the "hidden" attribute, so most users will not see them. Two files are not hidden: The autorun.inf and the BitLockerToGo.exe.

Thru the autorun.inf the BitLockerToGo.exe shall be started, otherwise you can start the BitLockerToGo.exe manually. The BitLockerToGo.exe opens an Explorer like 

window which gives read access to the BitLocker volume only.


BitLocker encrypted NTFS drives don't have this feature. On Windows without BitLocker To Go support Windows suggests to format the drives.



What USBDLM can do...



1) On Windows with support for "BitLocker To Go"


Encrypted volumes are detected as such, they get the DeviceType BitLocker, it is removed as soon as the drive is unlocked.


Remounting is done immediately, volume specific criteria do not work because the volume cannot be read yet. The BalloonTip is shown immediately too.

AutoRun events are triggered when the volume is unlocked.



2) On Windows without support for "BitLocker To Go"


"BitLocker To Go" encrypted NTFS volumes get the DeviceType BitLocker.

We can remove the drive letter to avoid the user follow Windows' suggestion to format the drive






Furthermore we can show a manually made BalloonTip which informs the user about the problem:




open="%usbdlmpath%\usbdlm.exe" -balloon -time=20000 -title="%FriendlyName%" -text1="Cannot read BitLocker encrypted volume" -icon=



"BitLocker To Go" encrypted FAT volumes have regular FAT file system, therefore they do not get the DeviceType BitLocker.


Here we can look at the presence of the BitLockerToGo.exe and execute it: