If you keep sensitive files on your device in Windows 10, it is critical to take the necessary steps to protect them, which is where BitLocker comes in handy. Windows 10 BitLocker is a long-standing feature that allows you to encrypt data on your hard drive to prevent unauthorized access.
Encryption, in a nutshell, is the process of making any data unreadable without proper authorization. When you use encryption to scramble your data, it remains unreadable even when shared with others. Only you can decrypt the data and make it usable if you have the correct encryption key.
If you’ve never used BitLocker, the feature provides two encryption methods: hardware-based encryption using a Trusted Platform Module (TPM) chip and software-based encryption using a password or USB flash drive to decrypt the drive and continue booting.
Additionally, “BitLocker To Go” protects data on the installation drive, secondary storage, and removable media.
In this post, we will walk you through setting up BitLocker on a computer to protect your sensitive files on Windows 10.
How to check if a device has TPM Support to use BitLocker
Here is how to check if a computer has TPM on Windows 10:
- Open Start.
- Search for Device Manager and click the top result to open the app.
- Expand the Security devices branch.
- Confirm the item that reads “Trusted Platform Module” with the version number.
A quick note: The TPM version must be version 1.2 or later to support BitLocker.
Alternatively, you can check your manufacturer’s support website for information on whether the device includes the security hardware and how to activate the security feature.
If you own a Surface device, it most likely has a Trusted Platform Module that supports BitLocker encryption.
How to enable (Hardware) BitLocker on System Drive
Here is how to enable BitLocker on a device with TPM:
- Open Start.
- Search for Control Panel and click the top result to open the app.
- Click on System and Security.
- Click on “BitLocker Drive Encryption.”
- Under the “Operating system drive” section, click the “Turn on BitLocker” option.
- Select the option to save the recovery key:
  - Save to your Microsoft account.
  - Save to a file.
  - Print the recovery key.
A quick tip: If you trust the cloud, save your recovery key in your Microsoft account using the Save to your Microsoft account option. You can always retrieve the encryption key at this OneDrive location.
- Click the Next button.
- Select how much of the drive space to encrypt:
- Choose between the two encryption options:
- Encrypt used disk space only (faster and best for new PCs and drives).
- Encrypt the entire drive (slower but best for PCs and drives already in use).
- Click the Next button.
- Check the “Run BitLocker system check” option.
- Click the Continue button.
- Click the Restart now button.
Although the device will boot quite fast, on Control Panel > System and Security > BitLocker Drive Encryption, you will notice that BitLocker will still be encrypting the drive. Depending on the option you selected and the drive size, this process can take a long time, but you can continue to work on the computer.
Following the encryption process, the drive will display a lock icon and the label “BitLocker on.”
BitLocker options
When you enable drive encryption, you will have several options, including:
Suspend protection: This option disables file protection. It is typically used when upgrading to a new version of Windows 10, firmware, or hardware. If you do not resume BitLocker yourself, it will resume automatically during the next reboot.
Backup your recovery key: If you lose your recovery key while still logged in to your account, you can use this option to create a new backup of the key using the options listed in Step 6.
Change password: This generates a new encryption password, but you must still enter your current password to complete the change.
Remove the password: BitLocker cannot be used without some form of authentication. Only when you configure a new authentication method can you remove a password.
Disable BitLocker: All files on the drive are decrypted. Furthermore, depending on the size of the storage, decryption may take a long time to complete, but you can still use your computer.
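The states described above (still encrypting, protection suspended, recovery key backed up or not) can be confirmed from an elevated PowerShell prompt with the built-in Get-BitLockerVolume cmdlet. This is an added example, not part of the original article; the function name is hypothetical, and the script lists protector types only and never prints the recovery password itself.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
function Get-BitLockerVolumeAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Names of the key protectors on this volume (Tpm, Password, RecoveryPassword, ...).
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()

        if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
            # Covers drives that are unencrypted or still converting in the background.
            $findings += "Not fully encrypted ($($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"
        } elseif ("$($vol.ProtectionStatus)" -eq 'Off') {
            # Data is encrypted, but "Suspend protection" is in effect.
            $findings += 'Encrypted but protection is suspended'
        }

        if ($protectors -notcontains 'RecoveryPassword') {
            # Without a recovery password there is no fallback if the password or TPM fails.
            $findings += 'No recovery password protector: back up a recovery key'
        }

        [pscustomobject]@{
            Drive      = $vol.MountPoint
            Type       = "$($vol.VolumeType)"
            Status     = "$($vol.VolumeStatus)"
            Protection = "$($vol.ProtectionStatus)"
            Percent    = $vol.EncryptionPercentage
            Protectors = $protectors -join ', '
            Findings   = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Get-BitLockerVolumeAudit | Format-Table -AutoSize -Wrap
```

A drive that reports "Encrypted but protection is suspended" after maintenance is finished should have protection resumed from the BitLocker Drive Encryption page.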
How to enable (Software) BitLocker on the OS Drive
You will be unable to configure BitLocker on Windows 10 if the computer lacks a Trusted Platform Module chip. However, if you use the Local Group Policy Editor to enable additional authentication at startup, you can still use encryption.
Once the feature is enabled, you must enter a password or insert a USB flash drive containing the recovery key to unlock the drive and proceed with the computer startup process.
Enable policy without TPM support
Here is how to configure BitLocker on devices without a TPM chip:
- Open Start.
- Search for gpedit and click the top result to open the Local Group Policy Editor.
- Browse the following path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
- On the right side, double-click the “Require additional authentication at startup” policy.
- Select the Enabled option.
- Check the “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)” option.
- Click the Apply button.
- Click the OK button.
Once you’ve finished the steps, BitLocker can be set up on your computer to protect your data.
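Both prerequisites covered so far, a TPM of version 1.2 or later or the "Allow BitLocker without a compatible TPM" policy option, can be verified from an elevated PowerShell prompt before running the wizard. This is an added example, not part of the original article; it uses the built-in Get-Tpm cmdlet, the Win32_Tpm WMI class, and the HKLM:\SOFTWARE\Policies\Microsoft\FVE registry values that the policy writes, and the function name is hypothetical.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
function Get-BitLockerStartupReadiness {
    # TPM state as Windows reports it (Get-Tpm requires administrator rights).
    $tpm = Get-Tpm
    $specVersion = $null
    if ($tpm.TpmPresent) {
        # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
        $specVersion = ("$($wmi.SpecVersion)" -split ',')[0].Trim() -as [version]
    }
    # The article's requirement: TPM version 1.2 or later.
    $tpmUsable = $tpm.TpmPresent -and ($null -ne $specVersion) -and
                 ($specVersion -ge [version]'1.2')

    # Registry values behind the "Require additional authentication at startup" policy.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $fve) -and ($fve.UseAdvancedStartup -eq 1)
    $noTpmAllowed  = $policyEnabled -and ($fve.EnableBDEWithNoTPM -eq 1)

    if ($tpmUsable) {
        $mode = 'Hardware: the TPM can protect the operating system drive'
    } elseif ($noTpmAllowed) {
        $mode = 'Software: password or USB startup key (policy allows BitLocker without a TPM)'
    } else {
        $mode = 'Blocked: no usable TPM and the without-TPM policy option is not set'
    }

    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady      # informational: TPM is provisioned for use
        TpmSpecVersion    = $specVersion
        PolicyEnabled     = $policyEnabled
        AllowedWithoutTpm = $noTpmAllowed
        AvailableMode     = $mode
    }
}

Get-BitLockerStartupReadiness | Format-List
```

If AvailableMode still reports "Blocked" after the policy was changed, running gpupdate /force and checking again confirms whether the setting has been applied.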
Here is how to enable BitLocker on your device:
- Open Start.
- Search for Control Panel and click the top result to open the app.
- Click on System and Security.
- Click on “BitLocker Drive Encryption.”
- Under the “Operating system drive” section, click the “Turn on BitLocker” option.
- Click the Next button.
- Click the Next button again.
- Click the Restart now button.
- Click the Next button. (The process should restart automatically.)
- Select the method to unlock the drive at startup:
  - Insert a USB flash drive — requires a flash drive to unlock the device and boot into Windows 10.
  - Enter a password — requires a password before booting into Windows 10 (recommended).
- Create and confirm the password to unlock BitLocker and access your device.
- Click the Next button.
- Select the option to save the recovery key:
  - Save to your Microsoft account.
  - Save to a USB flash drive.
  - Save to a file.
  - Print the recovery key.
- Click the Next button.
- Select how much of the drive space to encrypt:
  - Encrypt used disk space only (faster and best for new PCs and drives).
  - Encrypt the entire drive (slower but best for PCs and drives already in use).
- Choose between the two encryption options:
  - New encryption mode (best for fixed drives on this device).
  - Compatible mode (best for drives that can be moved from this device).
- Click the Next button.
- Check the “Run BitLocker system check” option.
- Click the Continue button.
- Click the Restart now button.
After you complete the steps, the computer will restart, and BitLocker will prompt you to enter your encryption password to unlock the drive.
How to enable BitLocker on fixed Data Drives
Here is how to configure BitLocker on a secondary drive:
- Open Start.
- Search for Control Panel and click the top result to open the app.
- Click on System and Security.
- Click on “BitLocker Drive Encryption.”
- Under the “Fixed data drives” section, click the “Turn on BitLocker” option for the secondary drive.
- Check the “Use a password to unlock the drive” option.
A quick note: You can also use the “Use my smart card to unlock the drive” option, which is uncommon.
- Create and confirm the password to unlock BitLocker and access your device.
- Click the Next button.
- Select the option to save the recovery key:
  - Save to your Microsoft account.
  - Save to a USB flash drive.
  - Save to a file.
  - Print the recovery key.
- Click the Next button.
- Select how much of the drive space to encrypt:
  - Encrypt used disk space only (faster and best for new PCs and drives).
  - Encrypt the entire drive (slower but best for PCs and drives already in use).
- Choose between the two encryption options:
  - New encryption mode (best for fixed drives on this device).
  - Compatible mode (best for drives that can be moved from this device).
- Click the Next button.
- Click the Start encrypting button.
- Click the Close button.
Once you complete the steps, the drive will start using encryption. If the drive already had data, the process could take a long time to complete.
How to enable BitLocker To Go on Removable Drives
Alternatively, you can use the “BitLocker To Go” feature to encrypt removable drives (such as USB flash and external drives) connected to your computer.
Here is how to set up BitLocker To Go on a removable drive:
- Connect the USB drive to the device.
- Open Start.
- Search for Control Panel and click the top result to open the legacy app.
- Click System and Security.
- Click “BitLocker Drive Encryption.”
- Under the “BitLocker To Go” section, select the removable drive you want to encrypt.
- Click the “Turn on BitLocker” option.
- Check the “Use a password to unlock the drive” option.
- Create a password to unlock the drive.
- Click Next to continue.
- Select the option to save the recovery key:
  - Save to your Microsoft account.
  - Save to a file.
  - Print the recovery key.
- Click the Next button.
- Select how much of the drive space to encrypt:
  - Encrypt used disk space only (faster and best for new PCs and drives).
  - Encrypt the entire drive (slower but best for PCs and drives already in use).
- Choose between the two encryption options:
  - New encryption mode (best for fixed drives on this device).
  - Compatible mode (best for drives that can be moved from this device).
A quick tip: In this case, Compatible mode is the recommended option.
- Click the Next button.
- Click the Start encrypting button.
- Click the Close button.
After you complete the steps, the encryption process will begin on the removable drive.
To speed up the encryption process, always begin with an empty drive. The data will then be encrypted quickly and automatically. As with the operating system drive, you get the same additional options, plus a few more, such as:
Add smart card: This option will allow you to configure a smart card to unlock the removable drive.
Turn on auto-unlock: Instead of typing a password every time you re-connect the removable drive, you can enable auto-unlock to access your encrypted data without entering a password.
How to disable BitLocker on Windows 10
Here is how to remove the drive encryption:
- Open Start.
- Search for Control Panel and click the top result to open the app.
- Click on System and Security.
- Click on “BitLocker Drive Encryption.”
- Click the Turn off BitLocker option for the drive from which you want to remove the encryption.
- Click the Yes button.
Once you complete the steps, the decryption process will begin, and it will take some time to complete depending on the amount of data.