Using BitLocker to secure more than just the system drive
I thought I'd pass around what I've managed to pull off. I was able to use Vista's BitLocker to encrypt not only the C: drive, but also a second partition as well. I built a machine with 2 partitions, one for the OS/Apps and one for the Data. I then encrypted the C: drive with BitLocker and made sure that it was working. Sure enough, I had to use the USB key to boot the system.

Now, Microsoft has been stating that BitLocker will only encrypt the system drive, but that's only the case when you're using the GUI. I found that by using BitLocker's command line tool I was able to encrypt the data drive I set up. To test it, I booted using a basic WinPE disk. I was able to directly access the un-encrypted boot partition (nothing shows up on it though), but I could not get to anything on either the OS/Apps drive nor the Data drive. I get a message stating, "The volume does not contain a recognized file system."

Booting Vista up again, the data drive was not immediately unlocked, and I had to manually unlock it by providing the key USB drive. So, even if you have the startup key to boot the system, if you do not have the key specifically for the data drive you're out of luck. I can see the merits in this. I suppose a master USB drive with all of the startup keys would allow technicians access to troubleshoot systems while keeping the user's data secure. I did find an "Automatic Unlock" parameter, but I haven't played with that yet. I imagine that it will trigger BitLocker to look for the key on the USB drive by default.

To use the command line tool, I had to first do a "runas" to run it as administrator. Even though my account is a member of the admins group on the box, the command line wouldn't work for me. In the System32 folder you'll find the BitLocker command line tool:

    cscript manage-bde.wsf -on E: -RecoveryPassword -RecoveryKey G:\ -StartupKey G:\

This encrypted my E: drive, created a recovery password, and stored it along with the key onto my USB thumbdrive G:.
June 16th, 2006 9:08pm

Very cool, I heard about that at TechEd. Always nice to know multiple partitions can be encrypted like that.
June 18th, 2006 6:16am

You can use BitLocker to encrypt other drives, but why not just use EFS to protect the secondary drives? (This will be the supported solution.) That's because by default BitLocker protects only the volume on which the Windows OS is installed. So you can use EFS (Encrypting File System) to protect data on other volumes, and because EFS stores its encryption keys on the OS partition, all the EFS-protected data is more secure as a result.
June 21st, 2006 11:43pm


You may want to keep in mind that this is unsupported. "Unsupported" does not mean that it will not work, but it does mean that it is not tested by Microsoft and that, therefore, there is no guarantee that your data will not be corrupted.

Byron Hynes, Windows Server Division, Microsoft Corporation
July 1st, 2006 9:42pm

I would see a value in having to possess a second USB drive to unlock the data drive. While EFS would be workable, in a high security environment I would opt for BitLocker on the data drive.
July 12th, 2006 5:16am

Has anyone been able to get this to work and escrow the key in AD? My organization has disallowed USB drives so we can't use this option.
December 9th, 2009 8:32pm

I used the following scripts and they worked correctly. In my environment these are run manually in case our automatic processes fail:

Take ownership of the TPM:

    ECHO OFF
    C:
    cd %systemdrive%\windows\system32
    REM Enable the TPM, then take ownership with the given owner password
    manage-bde -tpm -turnon
    manage-bde -tpm -o PASSWORD
    exit

Set the TPM & PIN, encrypt the C: drive:

    ECHO OFF
    C:
    cd %systemdrive%\windows\system32
    manage-bde -tpm -turnon
    manage-bde -tpm -o <password>
    ECHO Beginning Encryption of C:
    REM TPM+PIN protector, numerical recovery password, no hardware test reboot
    cscript manage-bde.wsf -on C: -TPMandPIN <pin> -RecoveryPassword -SkipHardwareTest
    fvenotify
    exit

Encrypt the D: with autounlock:

    ECHO OFF
    C:
    cd %systemdrive%\windows\system32
    REM -rp = recovery password, -rk = recovery key written to the share
    cscript manage-bde.wsf -on D: -rp -rk \\SERVER\SHARE
    REM Let the (already encrypted) OS volume unlock D: automatically at boot
    cscript manage-bde.wsf -autounlock -enable D:
    fvenotify
    ECHO Encryption complete.
    exit
March 10th, 2010 10:18pm
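As an added example (not code posted in this thread), here is a PowerShell wrapper around manage-bde that combines what the first post did by hand and what the last two posts ask for: encrypt a data volume with a numerical recovery password, escrow that password in AD DS instead of on a USB stick, and turn on auto-unlock so the data volume opens along with the already-protected OS volume. It assumes Windows 7 / Server 2008 R2 or later (manage-bde.exe with the -adbackup switch), an elevated prompt, that the OS volume is already BitLocker-protected (auto-unlock requires it), and a domain that has been set up to accept BitLocker recovery information (schema extension plus the "Store BitLocker recovery information in AD DS" policy). The volume letter is a placeholder.

```powershell
# Added example, not from the thread. Encrypt a data volume, escrow the
# recovery password in AD DS, then enable auto-unlock.
# Assumptions: Windows 7+ manage-bde.exe, elevated prompt, OS volume already
# protected, domain configured for BitLocker recovery info. $Volume is a
# placeholder for the data volume to protect.

param(
    [string]$Volume = 'D:'
)

$ErrorActionPreference = 'Stop'

function Invoke-ManageBde {
    # Run manage-bde.exe and fail loudly on a non-zero exit code.
    param([string[]]$Arguments)
    $output = & manage-bde.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

function Get-RecoveryPasswordIds {
    # Parse the numerical-password protector IDs out of
    # 'manage-bde -protectors -get <vol> -type RecoveryPassword',
    # which prints one "ID: {GUID}" line per protector.
    param([string]$Volume)
    $text = Invoke-ManageBde @('-protectors', '-get', $Volume, '-type', 'RecoveryPassword')
    return ($text | Select-String -Pattern 'ID:\s*(\{[0-9A-Fa-f-]+\})' |
        ForEach-Object { $_.Matches[0].Groups[1].Value })
}

# 1. Encrypt the data volume and add a numerical recovery password.
#    Only start if it is still fully decrypted, so re-running is safe.
$status = (Invoke-ManageBde @('-status', $Volume)) -join "`n"
if ($status -match 'Conversion Status:\s+Fully Decrypted') {
    Invoke-ManageBde @('-on', $Volume, '-RecoveryPassword') | Out-Null
}

# 2. Escrow every recovery password protector in AD DS.
#    This replaces writing the recovery key to a USB stick or a file share.
$ids = Get-RecoveryPasswordIds -Volume $Volume
if (-not $ids) { throw "No recovery password protector found on $Volume" }
foreach ($id in $ids) {
    Invoke-ManageBde @('-protectors', '-adbackup', $Volume, '-id', $id) | Out-Null
}

# 3. Let the protected OS volume unlock the data volume at boot, which is
#    the step the first post had to do by hand with the USB key.
Invoke-ManageBde @('-autounlock', '-enable', $Volume) | Out-Null

# 4. Show what is now on the volume: protectors and conversion status.
Invoke-ManageBde @('-protectors', '-get', $Volume)
Invoke-ManageBde @('-status', $Volume)
```

Two points worth checking before relying on this: -adbackup fails, with a non-zero exit, if the domain schema or policy is not in place, which is why the wrapper throws on any non-zero code rather than silently continuing to the auto-unlock step; and auto-unlock stores the data volume's external key on the OS volume, so anyone who can unlock the OS volume can also read the data volume, which is the opposite of the "separate key per drive" behaviour the first post observed.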
