
How To Use Microsoft BitLocker.

BitLocker is a feature of the Pro versions of Windows 10 & 11 that will encrypt all the data (files and folders) on your computer. Unfortunately it’s not available for Home versions.

When BitLocker is enabled on a drive, all the information on that drive is encrypted until it’s unlocked. So in the unfortunate event that you lose your PC, at least no-one can access your data.

You can set BitLocker to unlock the drive using the Trusted Platform Module (TPM) on your computer, or you can add 2 factor authentication using both the TPM and a PIN number.

If you don’t have the Pro version of Windows, or you’re just looking to protect a single folder, then click here How To Password Protect And Encrypt A File Or Folder On Your PC.

How To Enable BitLocker On Your Computer.

BitLocker is usually disabled by default. To enable it in Windows 10 & 11, click the Start button and then type “bitlocker”. Click on Manage BitLocker (Control Panel).

Searching for Bitlocker from the Windows 10 Start menu.
Windows 10.
Searching for BitLocker from the Windows 11 Start menu.
Windows 11.

BitLocker Drive Encryption.

If you’ve only got 1 hard drive in your computer, then you’ll see it marked as the “Operating system drive”. It’ll usually have the drive letter C:

Extra hard drives (or partitions) will be shown as “Fixed data drives”. Your fixed data drives can also be encrypted.

BitLocker is currently turned off for the system drive.
BitLocker is turned off on the system drive.
Fixed data drives are indicated.
If you have more than 1 hard drive in your PC, they will be shown as Fixed Data Drives.

Enabling BitLocker On The System Drive.

For this guide, we’ll encrypt the system drive (drive C:) since that’s the one drive that everyone will have.

Encrypting the fixed data drives is exactly the same process.

Click “Turn BitLocker on”.

The "Turn BitLocker on" link is indicated beside the system drive of the PC.
Turn BitLocker on.

Backup Your Recovery Key.

In the event that you can’t access an encrypted drive for some reason, you can use a recovery key to gain access to your files. You’ll have 3 options of where to save the recovery key to.

  1. Your Microsoft Account – If you’re signed in to your computer with your Microsoft account, then this isn’t a bad option, but you should consider whether you’d be able to get into your MS account if you can’t start your PC. I’m not so keen on this option.
  2. Save To A File – For me, this is the best option. You’ll need to have a USB flash drive handy. This is the option we’ll use in this demo.
  3. Print The Recovery Key – Another good option if you’ve got a printer.

Plug in your USB drive and then click “Save to a file”. Then select your USB drive and save the recovery key.

Save BitLocker recovery key to a file is selected.
The best option is to save the recovery key to a USB flash drive.
Saving a BitLocker recovery key to a USB flash drive.
Select your USB flash drive and click the Save button.

Choose How Much Of Your Drive To Encrypt.

The next screen will ask you “How much of your drive should BitLocker encrypt”? You’ll have two choices.

  1. Encrypt used disk space only – This is the fastest option since it only encrypts the data on your computer. As you add more data (more files and folders) that will automatically be encrypted “on the fly”.
  2. Encrypt entire drive – This option will encrypt the whole of the drive, regardless of whether or not it holds any data. With this option there isn’t any further encryption needed because every area of your hard drive is already encrypted.

The best option is the second one “Encrypt the entire drive”.

That’s because although space on a hard drive can be marked as empty, it could still have data in it.

We all know by now that when you delete a file, it isn’t removed from the hard drive.

So if at all possible, encrypt the whole drive. The only downside to this is the amount of time it will take, especially if you have a traditional mechanical hard drive.

Encrypt entire drive is selected and the Next button is marked.
You can choose to encrypt just your data or the entire drive.

Which Encryption Mode Should BitLocker Use.

BitLocker can use one of two different encryption modes and you’ll be asked to choose which one you would like BitLocker to use.

Select the “New encryption mode” and click the Next button.

The Compatible Mode is an option for removable drives that will be loaded into older computers.

Since we are currently encrypting this computer’s system drive, that’s not really going to be an issue for home computer users.

New encryption mode is selected.
Unless you intend moving encrypted drives between PCs, go with the New Encryption Mode.

Run The System Check.

Always run the BitLocker system check before starting the encryption process. It isn’t usually selected by default; you have to select it yourself.

What you’re about to do is to encrypt all your files and folders (all your documents, pictures, videos etc). If something is wrong in your setup, then at the click of a button, you’ve lost everything. So run the test first.

Select “Run BitLocker system check” and click the Continue button.

You’ll need to restart your computer.

During the restart, BitLocker will check to see if it can access and read your computer’s TPM and also the USB drive where you saved your recovery key to.

If either of these fail, then BitLocker won’t begin the encryption process and your data will be safe.

"Run BitLocker system check" is selected.
Run the test. It’s really no fun at all finding out that you’re locked out of your own computer.

Assuming all is well, when your PC restarts BitLocker will automatically begin the encryption process. You should see a popup notification appear.

If you didn’t see the notification, you can check that it’s still working by clicking the Start button and typing “bitlocker”, then click Manage BitLocker.

"BitLocker is encrypting the drive" notification that appears on the desktop.
After the restart, you’ll see a popup informing you that BitLocker is encrypting the drive.
Encryption progress.
You can check that it’s still working by opening the BitLocker settings page.

Save Your Recovery Key USB Drive.

While your drive is being encrypted you can remove the USB drive that you used to save the recovery key on to. Keep it somewhere safe. You should assume that you will need it, so be sure to remember where you’ve stored it.

This Device Cannot Use A Trusted Platform Module Error Message.

After turning on BitLocker, you might see this error message, “Starting BitLocker – This device cannot use a Trusted Platform Module”. What it’s saying is that your computer doesn’t have a TPM.

That’s probably not true. If your computer came with Windows 10 pre-installed, then you probably do have a TPM fitted, but it’s most likely disabled in the motherboard BIOS/UEFI.

It shouldn’t be a problem if your computer came with Windows 11 pre-installed, since Windows 11 requires a TPM to be present.

To enable the Trusted Platform Module you’ll need to enter your computer’s BIOS/UEFI.

You may need to refer to your manufacturer’s instructions to find the setting that you need.

The easiest way to access your computer BIOS/UEFI.

BitLocker cannot start because there isn't a TPM.
This computer doesn’t appear to have a TPM fitted, but it might have one that’s been disabled. It’s worth checking.

Running BitLocker Without A TPM.

If you can’t enable the TPM on your computer, or maybe you really don’t have one, then you can still use BitLocker. How To Enable BitLocker Without A TPM.


How To Setup BitLocker To Require A PIN.

By default, BitLocker doesn’t require you to enter a password or PIN to unlock your computer. The process is fully automated.

When you turn on your computer, BitLocker queries the TPM for the unlock code, the TPM supplies it, BitLocker decrypts the drive and the computer starts up. No user interaction is needed. In fact you wouldn’t know that the drive is encrypted at all.

That’s not what most people want on their home computers.

In the standard setup, BitLocker is protecting the data on the hard drive if the drive is removed from the computer. But on a home computer, you’re not likely to lose just the hard drive. Most likely, you’ll lose the whole computer including the TPM.

That in turn means that when whoever finds your PC turns it on, BitLocker will duly decrypt the drive and all your data will be exposed. Not really much point in encrypting it in the first place.

Require a PIN to be entered before BitLocker decrypts your drive.

Windows 11 desktop.
Even though BitLocker is turned on, this computer boots up straight to the desktop. You could access any file or folder on the machine.
"BitLocker. Enter the PIN to unlock this drive" screen
But if you add a PIN, then BitLocker will require you to enter it before unlocking the drive. Even if someone has your PC, they can’t access your files without the PIN.

How To Enable A Pre Boot BitLocker PIN.

To enable a startup PIN, you’ll need to change a setting in the Group Policy editor for your computer and then add the PIN using Command Prompt. Although it’s not difficult to do, Microsoft could have made this a lot easier.

First you’ll need to force BitLocker to require a PIN at startup. To do that open the Run Command by pressing The Windows key and the letter R on your keyboard.

In the Run box, type “gpedit.msc”.

Run dialogue box. gpedit.msc has been entered.
Enter gpedit.msc and click the OK button.

Group Policy Editor.

If you’re already familiar with the Group Policy Editor, then this is where you need to head for – Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

If none of that makes any sense to you, let me guide you through the Group Policy Editor.

You need to get to a folder called Operating System Drives. To do that, we’ll be using the folder tree in the left hand panel of the Group Policy Editor.

Group Policy Editor folder tree is indicated.
Group Policy Editor.

Open Computer Configuration by clicking on the small arrowhead beside it.

You’ll see 3 folders appear. Click the arrowhead beside the Administrative Templates folder to expand it.

How to use BitLocker
Click the arrowhead beside Computer Configuration.
Group policy editor folder tree expanded.
Then click the arrowhead beside Administrative Templates.

After you’ve expanded the Administrative Templates folder, expand the Windows Components folder.

Then expand the BitLocker Drive Encryption folder.

And finally left click once on the Operating System Drives folder.

Operating system drives folder highlighted in the Group Policy Editor.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

Require Additional Authentication At Startup.

After you’ve clicked on the Operating System Drives folder, you’ll see a whole bunch of settings appear in the right hand panel of the Group Policy Editor.

Double left click on “Require Additional Authentication At Startup”.

On the Require Additional Authentication At Startup page, select Enabled.

Require Additional Authentication At Startup option is marked in Group Policy Editor for Windows 11.
Double click Require Additional Authentication At Startup.
Additional authentication is enabled.
Then select Enabled.

With Additional Authentication enabled, move to the lower left panel.

Change “Configure TPM startup PIN” to be “Require startup PIN with TPM”.

Click the OK button and close the Group Policy Editor.

Require startup PIN with TPM is selected.
Require startup PIN with TPM.

BitLocker With A PIN/Password.

In effect, what you’ve just done is to tell BitLocker that it needs to have a correct PIN/password entered as well as having the TPM present.

Adding Your PIN.

This next step is the tricky bit. You’ve told BitLocker to require a PIN to be entered before it unlocks the drive, but now you have to enter the PIN that it should use.

Your PIN should be at least 6 digits long. Before you start, write down the PIN you want to use to unlock your computer.

To add the PIN, start Command Prompt with Administrator rights.

Click the Start button and type “cmd”.

Right click Command Prompt (Admin).

On the menu, left click Run As Administrator.

Click Yes at the UAC prompt.

Run Command Prompt as Administrator
Launch Command Prompt with Administrator rights.

When Command Prompt opens, enter this command and then press the Enter key on your keyboard.

manage-bde -protectors -add c: -TPMAndPIN

Type it in exactly as it appears here, or better still, copy and paste it.

manage-bde -protectors -add c: -TPMAndPIN entered into a command prompt.
manage-bde -protectors -add c: -TPMAndPIN
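The whole PIN setup described above (checking for a TPM, the “Require startup PIN with TPM” policy, backing up the recovery key to a USB drive, adding the TPM+PIN protector and then verifying the result) can also be done from an elevated PowerShell window. The script below is an added example written for this page; it is not part of the original guide and not Microsoft’s own tooling. It assumes BitLocker has already been turned on for drive C: through the Control Panel steps earlier in the guide, that the USB flash drive for the recovery key is mounted as E: (change $UsbDrive if yours differs), and that you are running Windows 10/11 Pro. The text file it writes is a constructed format, not the exact layout of the file the Control Panel wizard saves.

```powershell
#Requires -RunAsAdministrator
# Added example for this guide (not the original author's code).
# Assumptions: system drive is C:, USB drive for the recovery key is E:, BitLocker is already on.

$SystemDrive = 'C:'
$UsbDrive    = 'E:'   # assumed drive letter of the USB flash drive

# 1. Confirm a TPM is present and ready. This is the condition behind the
#    "This device cannot use a Trusted Platform Module" message.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)). Enable it in BIOS/UEFI first."
}

# 2. Set the same policy that the Group Policy Editor steps set:
#    Computer Configuration > Administrative Templates > Windows Components >
#    BitLocker Drive Encryption > Operating System Drives >
#    "Require additional authentication at startup" = Enabled,
#    "Configure TPM startup PIN" = "Require startup PIN with TPM".
#    The policy lives under HKLM\SOFTWARE\Policies\Microsoft\FVE.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord   # policy Enabled
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # 1 = Require startup PIN with TPM

# 3. Make sure a recovery password protector exists and save it to the USB drive
#    BEFORE adding the PIN, so a typo in the PIN can never lock you out.
$vol = Get-BitLockerVolume -MountPoint $SystemDrive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $recovery) {
    $recovery = (Add-BitLockerKeyProtector -MountPoint $SystemDrive -RecoveryPasswordProtector).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}
$keyFile = Join-Path $UsbDrive ("BitLocker Recovery Key {0}.txt" -f $recovery.KeyProtectorId.Trim('{}'))
@"
BitLocker Drive Encryption recovery key (constructed layout for this example)
Drive:        $SystemDrive
Identifier:   $($recovery.KeyProtectorId)
Recovery Key: $($recovery.RecoveryPassword)
"@ | Set-Content -Path $keyFile
Write-Host "Recovery key saved to $keyFile - keep this USB drive somewhere safe."

# 4. Add the TPM+PIN protector. This is the PowerShell equivalent of
#    manage-bde -protectors -add c: -TPMAndPIN
#    Read-Host -AsSecureString hides the PIN while you type, just as manage-bde does.
do {
    $pin = Read-Host -Prompt 'Enter a startup PIN (at least 6 digits)' -AsSecureString
    # Decode only to validate length/digits; the guide asks for at least 6 digits, BitLocker allows up to 20.
    $pinPlain = [System.Net.NetworkCredential]::new('', $pin).Password
} until ($pinPlain -match '^\d{6,20}$')
$pinPlain = $null
Add-BitLockerKeyProtector -MountPoint $SystemDrive -TpmAndPinProtector -Pin $pin | Out-Null

# 5. Verify: the volume should now list a TpmPin protector and a RecoveryPassword protector,
#    and EncryptionMethod should be XtsAes128/XtsAes256 if you chose the "New encryption mode".
$vol = Get-BitLockerVolume -MountPoint $SystemDrive
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
Write-Host ("Volume status: {0}, protection: {1}, method: {2}, {3}% encrypted" -f
    $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod, $vol.EncryptionPercentage)
```

Run it from an elevated PowerShell window. The PIN prompt gives no visible feedback while you type, exactly as the manage-bde prompt does, and step 5 is the same check you get from `manage-bde -protectors -get c:`; if `TpmPin` is missing from the list, the protector was not added and the next restart will still boot straight to the desktop.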

Type in your chosen PIN number. Type it carefully.

As you type in your PIN, you’ll notice that no numbers appear, no asterisks or stars appear. In fact the flashing cursor doesn’t even move at all. You might be tempted to think that something has gone wrong. It hasn’t. Each key press is being recorded, so be careful.

Type in your PIN and then press the Enter key. Remember it should be at least 6 digits long.

You’ll need to re-type your PIN and press Enter again.

How to use BitLocker with a PIN.
Type your PIN number and press Enter. Note that the flashing cursor won’t move as you type.
PIN confirmation in command prompt.
Re-type your PIN and press Enter.

If all went well, you should finish with this final message.

From now on, whenever you start or re-start your computer, you’ll need to provide the BitLocker PIN that you’ve just added.

PIN entered successfully.
PIN and TPM.

Summary.

BitLocker protects your privacy by encrypting the data on your hard disk. But that’s a two-edged sword. If something goes wrong, then all your files are encrypted and you won’t be able to access them. So keep your recovery key safe.

Make backup copies of your recovery key.

If you saved the recovery key to USB drive, copy it to another computer or device. Print it out (it’s just a simple text document). Email it to yourself. Store it online in your MS account or Google Drive. Have several ways to access the key that don’t rely on the encrypted computer.

BitLocker is a powerful encryption tool for your PC and its data. You can easily get yourself locked out of your own machine. My advice would be to try it out first on a virtual machine. How To Install Windows As A Virtual Machine Using VMware Player.
