BitLocker To Go USB Encryption Lab

Encrypt a removable drive with BitLocker To Go, safeguard the recovery key, and validate access on another Windows device.

Lab Objectives

  • Prepare a removable USB drive for BitLocker To Go encryption.
  • Enable BitLocker, choose the appropriate protection options, and start encryption.
  • Store and test the BitLocker recovery key for disaster recovery scenarios.
  • Unlock the encrypted drive on another Windows system and verify command-line status.

Prerequisites

  • Windows 10/11 Pro, Enterprise, or Education (BitLocker is not available on Home editions).
  • Administrator privileges on the workstation.
  • USB flash drive (minimum 1 GB) with any important data backed up; Part 1 formats the drive.
  • Optional: a second Windows machine to test unlocking the encrypted drive.

Part 1: Prepare the USB Drive

  1. Insert the USB flash drive. Open File Explorer and note the assigned drive letter (for example, E:).
  2. Right-click the drive and choose Format…. Select exFAT (recommended for cross-platform use) or NTFS (if Windows only), then complete the format.
  3. After formatting, rename the drive to something descriptive such as SECURE_USB.

Part 2: Enable BitLocker To Go

  1. In File Explorer, right-click the USB drive and select Turn on BitLocker.
  2. When prompted, choose Use a password to unlock the drive. Enter a complex passphrase (12+ characters with mixed case, numbers, and symbols) and confirm it.
  3. Leave the smart card option disabled unless required by your environment.

Part 3: Safeguard the Recovery Key

  1. Choose to save the recovery key to a file and store it on a secure internal drive or network share (never on the USB drive itself).
  2. Optionally print the recovery key or save it to a Microsoft account for redundant storage. Record the key ID in your lab notes.
  3. Confirm you can open the recovery key file and read the 48-digit key value.

Part 4: Select Encryption Options and Encrypt

  1. Choose Encrypt used disk space only for faster setup on a new drive, or Encrypt entire drive for maximum security.
  2. Select Compatible mode if the drive may be used on older Windows versions; otherwise choose New encryption mode.
  3. Confirm settings and click Start Encrypting. Monitor the progress bar; do not remove the drive until you see the completion message.
  4. After encryption, eject and reinsert the drive to confirm BitLocker prompts for the password.

Part 5: Validate on Another Device (Optional but Recommended)

  1. Move the encrypted drive to a second Windows computer. When prompted, enter the password to unlock it.
  2. Try using the recovery key instead of the password to verify your backup works.
  3. Copy a test file onto the drive and safely remove it. Reinsert on the original machine to confirm data access.

Part 6: Review Encryption Status

  1. Open Control Panel > System and Security > BitLocker Drive Encryption. Locate the removable drive and confirm it shows as BitLocker On.
  2. Click Manage BitLocker to view options such as Back up your recovery key and Turn off BitLocker; note the recovery key ID displayed.
  3. From the BitLocker Drive Encryption window, test the Automatically unlock toggle (if appropriate) and then close the console, recording your observations.
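
The objectives call for verifying status from the command line, which the steps above only do through Control Panel. The following PowerShell is an added example, not part of the original lab. It assumes an elevated session, that the drive is mounted and unlocked as E: (the example letter from Part 1), and uses a hypothetical function name, Test-BitLockerToGoVolume.

```powershell
# Added example: audit a BitLocker To Go volume against this lab's checklist.
# Run from an elevated PowerShell prompt; Get-BitLockerVolume requires admin rights.

function Test-BitLockerToGoVolume {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$MountPoint            # assumed drive letter, e.g. 'E:'
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # A locked volume reports ProtectionStatus 'Unknown', so the checks would mislead.
    if ($vol.LockStatus -eq 'Locked') {
        throw "$MountPoint is locked. Unlock it with the password, then rerun."
    }

    # Protector types present on the volume (Part 2 password, Part 3 recovery key).
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Recovery protector IDs only, never the 48-digit value, to compare with lab notes.
    $recoveryIds = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus
        # XtsAes* corresponds to New encryption mode, Aes* to Compatible mode (Part 4).
        EncryptionMethod    = $vol.EncryptionMethod
        EncryptionPercent   = $vol.EncryptionPercentage
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        EncryptionComplete  = ($vol.EncryptionPercentage -eq 100)
        HasPassword         = ($types -contains 'Password')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        RecoveryKeyIds      = ($recoveryIds -join ', ')
    }
}

$report = Test-BitLockerToGoVolume -MountPoint 'E:'
$report | Format-List

# List any checklist item that did not pass.
$checks = 'ProtectionOn', 'EncryptionComplete', 'HasPassword', 'HasRecoveryPassword'
$failed = @($checks | Where-Object { -not $report.$_ })
if ($failed.Count) { Write-Warning ("Failed checks: " + ($failed -join ', ')) }
else               { Write-Host "All BitLocker To Go checks passed for $($report.MountPoint)." }
```

The RecoveryKeyIds value should match the key ID recorded in Part 3. From an elevated Command Prompt, manage-bde -status E: reports the same conversion and protection state.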

Quick Reference

  • BitLocker console: Control Panel > System and Security > BitLocker Drive Encryption
  • Device encryption: Settings > Privacy & security > Device encryption
  • Recovery key storage: Saved as a .TXT file or printed copy for safekeeping

For enterprise deployments, automate with Group Policy (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives).

Completion Checklist

  • USB drive formatted and renamed prior to encryption.
  • BitLocker To Go enabled with a strong password.
  • Recovery key securely stored and verified.
  • Encryption status confirmed in the BitLocker Drive Encryption console.
  • Drive unlock tested on a secondary device (if available).