BitLocker is a feature of the Pro, Enterprise and Education editions of Windows 10 & 11 that encrypts all the data (files and folders) on your computer’s drives. Unfortunately the full BitLocker feature isn’t available on the Home editions.
When BitLocker is enabled on a drive, everything on that drive is stored in encrypted form and can only be read once the drive has been unlocked. So in the unfortunate event that you lose your PC, at least no-one can read your data.
You can set BitLocker to unlock the drive automatically using the Trusted Platform Module (TPM) chip in your computer, or you can add a second factor so that both the TPM and a PIN you type at start-up are needed.
If you don’t have the Pro version of Windows, or you’re just looking to protect a single folder, then click here How To Password Protect And Encrypt A File Or Folder On Your PC.
How To Enable BitLocker On Your Computer.
BitLocker is usually disabled by default. To enable it in Windows 10 & 11, click the Start button and then type “bitlocker“. Click on Manage BitLocker (Control Panel).
BitLocker Drive Encryption.
If you’ve only got 1 hard drive in your computer, then you’ll see it marked as the “Operating system drive”, usually it’ll have the drive letter C:
Extra hard drives (or partitions) will be shown as “Fixed data drives”. Your fixed data drives can also be encrypted.
Enabling BitLocker On The System Drive.
For this guide, we’ll encrypt the system drive (drive C:) since that’s the one drive that everyone will have.
Encrypting the fixed data drives is exactly the same process.
Click “Turn BitLocker on”.
Backup Your Recovery Key.
In the event that you can’t access an encrypted drive for some reason, you can use a recovery key to gain access to your files. The recovery key is a 48-digit number and anyone who has it can unlock the drive, so treat it like the keys to your house. You’ll have 3 options of where to save the recovery key to.
- Your Microsoft Account – If you sign in to your computer with your Microsoft account, then this isn’t a bad option, but consider whether you’d be able to get into your Microsoft account from another device (a phone, or someone else’s PC) if your own PC won’t start. I’m not so keen on this option.
- Save To A File – For me, this is the best option. You’ll need to have a USB flash drive handy, because Windows won’t let you save the key onto the drive you’re about to encrypt. This is the option we’ll use in this demo.
- Print The Recovery Key – Another good option if you’ve got a printer.
Plug in your USB drive and then click “Save to a file”. Then select your USB drive and save the recovery key.
Choose How Much Of Your Drive To Encrypt.
The next screen will ask you “How much of your drive should BitLocker encrypt”? You’ll have two choices.
- Encrypt used disk space only – This is the faster option since it only encrypts the parts of the drive that currently hold data. Anything you add later (new files and folders) is encrypted automatically as it’s written.
- Encrypt entire drive – This option encrypts every part of the drive, whether or not it currently holds data. Nothing is left in the clear, including the “empty” space.
The best option is the second one, “Encrypt entire drive”.
That’s because space on a hard drive that is marked as empty can still hold data.
When you delete a file, Windows normally just marks its space as free; the contents stay on the disk until something overwrites them, and “used space only” leaves those leftovers unencrypted.
So if at all possible, encrypt the whole drive. The only downside is the amount of time it will take, especially if you have a traditional mechanical hard drive.
Which Encryption Mode Should BitLocker Use.
BitLocker can use one of two encryption modes and you’ll be asked to choose which one you would like it to use.
Select the “New encryption mode” and click the Next button. This is XTS-AES, which Windows 10 has used since version 1511.
The “Compatible mode” is the older AES-CBC. It’s only there for removable drives that need to be opened on versions of Windows older than 1511.
Since we are encrypting this computer’s own system drive, that’s not going to be an issue for home computer users.
Run The System Check.
Always run the BitLocker system check before starting the encryption process. It isn’t usually selected by default, so you have to select it yourself.
What you’re about to do is encrypt all your files and folders (all your documents, pictures, videos etc). If the TPM or your recovery key can’t be read, you could be locked out of everything at the click of a button. So run the test first.
Select “Run BitLocker system check” and click the Continue button.
You’ll need to restart your computer.
During the restart, BitLocker checks that it can access and read your computer’s TPM, and also the USB drive where you saved your recovery key.
If either of these checks fails, BitLocker won’t begin the encryption process and your data is left exactly as it was.
Assuming all is well, when your PC restarts BitLocker will automatically begin the encryption process. You should see a popup notification appear.
If you didn’t see the notification, you can check that it’s still working by clicking the Start button and typing “bitlocker”, then clicking Manage BitLocker.
Keep Your Recovery Key USB Drive Safe.
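The same steps can be done from an elevated PowerShell prompt, which is handy if you have more than one PC to do. The script below is an added example written for this page, not code from the original article or from Microsoft. It assumes the system drive is C: and that the USB drive for the recovery key is mounted as E: (both are assumptions; change them to match your machine).

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# Assumptions: the system drive is C: and the recovery-key USB drive is E:.
$Drive     = 'C:'
$KeyFolder = 'E:\BitLockerRecovery'

# Refuse to store the recovery key on the drive we are about to encrypt.
# The wizard enforces this for you; a script has to check for itself.
if ($KeyFolder.ToUpper().StartsWith($Drive.ToUpper())) {
    throw "Recovery key folder $KeyFolder is on $Drive, the drive being encrypted."
}

# Step 1: BitLocker on the operating system drive needs a present, initialised TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)); enable it in the UEFI settings first."
}

# Step 2: add the recovery password (the 48-digit recovery key) before encryption starts.
$null = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector

# Step 3: save the recovery key to the USB drive. The file name carries the protector ID,
# because that ID is what BitLocker shows on the recovery screen when it asks for the key.
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' |
      Select-Object -Last 1
New-Item -ItemType Directory -Path $KeyFolder -Force | Out-Null
$keyFile = Join-Path $KeyFolder ("BitLocker Recovery Key " + $rp.KeyProtectorId.Trim('{}') + ".txt")
@"
BitLocker Drive Encryption recovery key
Drive:        $Drive
Identifier:   $($rp.KeyProtectorId)
Recovery Key: $($rp.RecoveryPassword)
"@ | Set-Content -Path $keyFile -Encoding UTF8

# Step 4: turn BitLocker on with the TPM as the unlock protector.
#   - XtsAes256 is the "New encryption mode".
#   - Leaving out -UsedSpaceOnly encrypts the entire drive.
#   - Leaving out -SkipHardwareTest keeps the system check: encryption only starts after a
#     restart that proves the TPM and the recovery key can be read.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector

# Step 5: show where things stand. Before the restart the volume may still report
# FullyDecrypted; after a successful system check EncryptionPercentage starts climbing.
Get-BitLockerVolume -MountPoint $Drive |
    Format-List VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage,
                @{Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' }}
```

Run the last Get-BitLockerVolume line again after the restart to confirm that ProtectionStatus is On and that both a Tpm and a RecoveryPassword protector are listed. If the system check failed, the volume stays FullyDecrypted and nothing has been changed on disk, which is the whole point of not skipping it.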
This Device Cannot Use A Trusted Platform Module Error Message.
After turning on BitLocker, you might see this error message, “Starting BitLocker – This device cannot use a Trusted Platform Module”. What it’s saying is that BitLocker can’t find a usable TPM on your computer.
That doesn’t necessarily mean there isn’t one. If your computer came with Windows 10 pre-installed, then you probably do have a TPM fitted, but it’s most likely disabled in the motherboard BIOS/UEFI settings.
It shouldn’t be a problem if your computer came with Windows 11 pre installed since Windows 11 requires a TPM to be present.
To enable the Trusted Platform Module you’ll need to enter your computer’s BIOS/UEFI.
You may need to refer to your manufacturer’s instructions to find the setting that you need.
Running BitLocker Without A TPM.
If your computer genuinely doesn’t have a TPM, BitLocker can still be used with a password or a USB startup key instead. The switch for that, “Allow BitLocker without a compatible TPM”, is a tick box in the same Group Policy setting (“Require additional authentication at startup”) that we use to require a PIN later in this guide.
How To Setup BitLocker To Require A PIN.
By default, BitLocker doesn’t require you to enter a password or PIN to unlock your computer. The process is fully automatic.
When you turn on your computer, the TPM checks that the firmware and boot loader haven’t been tampered with and then hands BitLocker the key to the drive. BitLocker unlocks the drive and Windows starts up. No user interaction is needed. In fact you wouldn’t know that the drive is encrypted at all.
That’s not what most people want on their home computers.
In the standard setup, BitLocker is protecting the data if the hard drive is removed from the computer (fitted to another PC, there’s no matching TPM to hand over the key). But on a home computer, you’re not likely to lose just the hard drive. Most likely, you’ll lose the whole computer, TPM included.
That in turn means that when whoever finds your PC turns it on, BitLocker will duly unlock the drive and boot straight to the Windows sign-in screen. From there, only your Windows password and the security of the running system stand between them and your files. Not really much point in encrypting the drive if that’s all that’s left.
Require a PIN to be entered before BitLocker decrypts your drive.
How To Enable A Pre Boot BitLocker PIN.
To enable a start up PIN, you’ll need to change a setting in the Group Policy editor for your computer and then add the PIN using Command Prompt. Although it’s not difficult to do, Microsoft could have made this a lot easier.
First you’ll need to force BitLocker to require a PIN at startup. To do that open the Run Command by pressing The Windows key and the letter R on your keyboard.
In the Run box, type “gpedit.msc“
Group Policy Editor.
If you’re already familiar with the Group Policy Editor, then this is where you need to head for – Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
If none of that makes any sense to you, let me guide you through the Group Policy Editor.
You need to get to a folder called Operating System Drives. To do that, we’ll be using the folder tree in the left hand panel of the Group Policy Editor.
Open Computer Configuration by clicking on the small arrowhead beside it.
You’ll see 3 folders appear. Click the arrowhead beside the Administrative Templates folder to expand it.
After you’ve expanded the Administrative Templates folder, expand the Windows Components folder.
Then expand the BitLocker Drive Encryption folder.
And finally left click once on the Operating System Drives folder.
Require Additional Authentication At Startup.
After you’ve clicked on the Operating System Drives folder, you’ll see a whole bunch of settings appear in the right hand panel of the Group Policy Editor.
Double left click on “Require Additional Authentication At Startup”.
On the Require Additional Authentication At Startup page, select Enabled.
With it enabled, move to the Options box in the lower left panel.
Change “Configure TPM startup PIN” from its default of “Allow startup PIN with TPM” to “Require startup PIN with TPM”.
Click the OK button and close the Group Policy Editor.
BitLocker With A PIN/Password.
Adding Your PIN.
This next step is the tricky bit. You’ve told BitLocker to require a PIN to be entered before it unlocks the drive, but now you have to enter the PIN that it should use.
Your PIN should be at least 6 digits long (that’s the default minimum). Before you start, write down the PIN you want to use to unlock your computer.
To add the PIN, start Command Prompt with Administrator rights.
Click the Start button and type “cmd.”
Right click Command Prompt.
On the menu, left click Run as administrator.
Click Yes at the UAC prompt.
When Command Prompt opens, enter this command and then press the Enter key on your keyboard.
manage-bde -protectors -add c: -TPMAndPIN
Type it in exactly as it appears here, or better still, copy and paste it.
Type in your chosen PIN. Type it carefully.
As you type, nothing appears on screen: no digits, no asterisks, and the flashing cursor doesn’t even move. You might be tempted to think that something has gone wrong. It hasn’t. Each key press is being recorded, so be careful.
Type in your PIN and then press the Enter key. Remember it should be at least 6 digits long.
You’ll need to re-type your PIN and press Enter again.
If all went well, you should finish with this final message.
From now on, whenever you start or restart your computer, you’ll be asked for the BitLocker PIN you’ve just added before Windows loads. If you forget it, the recovery key is the only way back in, so this is a good moment to check that your copy of it is still readable.
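For anyone who would rather script the Group Policy change and the manage-bde step in one go, here is an added example written for this page (not the article’s own code and not Microsoft’s). It also shows how to see which protectors a drive currently has, which is the quickest way to tell a TPM-only drive like the one described in the section above from one that needs a PIN. It assumes the system drive is C: and writes the same registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE that gpedit.msc writes on a stand-alone PC when you pick the settings in this guide.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# Assumption: the system drive is C:.
$Drive = 'C:'

# "Require additional authentication at startup" is stored under this key. These are the
# values gpedit.msc writes for the choices made in this guide (policy Enabled, everything
# left at "Allow" except the startup PIN, which is set to "Require").
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # policy Enabled
    EnableBDEWithNoTPM = 0   # "Allow BitLocker without a compatible TPM" left unticked
    UseTPM             = 2   # Configure TPM startup: Allow TPM (2 = allow, 1 = require, 0 = do not allow)
    UseTPMPIN          = 1   # Configure TPM startup PIN: Require startup PIN with TPM
    UseTPMKey          = 2   # Configure TPM startup key: Allow
    UseTPMKeyPIN       = 2   # Configure TPM startup key and PIN: Allow
    MinimumPIN         = 6   # separate policy "Configure minimum PIN length for startup", same key
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# Before: what unlocks the drive today? A TPM-only drive lists just "Tpm" (plus RecoveryPassword).
$before = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector.KeyProtectorType -join ', '
"Protectors before: $before"

# Ask for the PIN twice, as manage-bde does, and check it before touching the drive.
$pin1 = Read-Host -AsSecureString 'Enter startup PIN (digits only, at least 6)'
$pin2 = Read-Host -AsSecureString 'Confirm startup PIN'
$plain1 = [System.Net.NetworkCredential]::new('', $pin1).Password
$plain2 = [System.Net.NetworkCredential]::new('', $pin2).Password
if ($plain1 -ne $plain2)              { throw 'The two PINs do not match.' }
if ($plain1 -notmatch '^\d{6,20}$')   { throw 'PIN must be 6 to 20 digits.' }

# Equivalent of:  manage-bde -protectors -add C: -TPMAndPIN
$null = Add-BitLockerKeyProtector -MountPoint $Drive -TpmAndPinProtector -Pin $pin1

# Make sure no plain TPM protector is left beside the new TpmPin one; if one survived,
# the drive would still unlock without the PIN, defeating the whole exercise.
$vol = Get-BitLockerVolume -MountPoint $Drive
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Remove-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# After: expect "TpmPin" and "RecoveryPassword", and no bare "Tpm".
$after = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector.KeyProtectorType -join ', '
"Protectors after:  $after"
```

Writing the registry values directly has the same effect as the Group Policy Editor on a stand-alone PC. On a computer joined to a company domain, any BitLocker policy set by the domain will overwrite them at the next policy refresh, so use the editor your administrator provides instead. The “Protectors after” line is the check worth keeping: if it still shows a plain Tpm entry, the PIN is not actually being enforced.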
Summary.
BitLocker protects your privacy by encrypting the data on your hard disk. But that’s a double-edged sword. If something goes wrong, your files stay encrypted and you won’t be able to get at them without the key. So keep your recovery key safe.
Make backup copies of your recovery key.
If you saved the recovery key to a USB drive, copy it to another computer or device. Print it out (it’s just a simple text document). Store it in your Microsoft account, or in another online account you can reach from a different device. Have several ways to get at the key that don’t rely on the encrypted computer. Just remember that the key unlocks everything on the drive, so each copy needs looking after as carefully as the data itself: don’t leave a printout in the laptop bag, and don’t send it around by email in the clear.
BitLocker is a powerful encryption tool for your PC and its data. You can easily get yourself locked out of your own machine. My advice would be to try it out first on a virtual machine. How To Install Windows As A Virtual Machine Using VMware Player.