If you store sensitive files on a laptop or desktop, Windows ships with built-in full-volume encryption that keeps that data unreadable to anyone who gets hold of the disk without the key.
Encryption features on Windows devices have been around for a long time, starting with the Windows 2000 operating system that offered Encrypting File System (EFS) to safeguard device data on hard drives.
BitLocker, introduced with Windows Vista, encrypts whole volumes rather than individual files. It covers the operating system drive and fixed data drives, BitLocker To Go covers removable drives, and on supported hardware Windows can turn on Device Encryption automatically.
Encrypted data is unreadable without the volume's key; the key is released only to someone holding an authorized protector (TPM, PIN, password, startup key or recovery key).
For IT professionals looking to protect confidential data on their devices, this guide details how you can configure and enable BitLocker device encryption on Windows 10 to protect your sensitive data from nefarious attackers.
What is BitLocker and why use it?
BitLocker is a built-in encryption feature in Windows 10 and Windows 11 that helps protect your data by encrypting entire drives. It prevents unauthorized access to files if your device is lost, stolen, or accessed without permission.
BitLocker encrypts with AES (XTS-AES 128-bit by default since Windows 10 version 1511, with 256-bit and the older AES-CBC mode available by policy) and works best on devices with a Trusted Platform Module (TPM), which releases the volume key only if the boot chain has not been tampered with. For devices without a TPM, it can still be used with a pre-boot password or a USB startup key.
Using BitLocker adds an extra layer of security, especially for sensitive or business-critical data. It’s widely used in organizations to meet compliance standards and reduce the risk of data breaches.
How to enable BitLocker on Windows 10?
Wondering how to enable BitLocker on Windows 10? Setup itself takes minutes; the encryption pass afterwards ranges from a few minutes (used-space-only on a new SSD) to many hours (a large, nearly full spinning disk), depending on the size and speed of the drive and how much data it holds.
Since its release, BitLocker has gained features that harden it and make it easier to roll out. On Windows 10 and Windows 11 it can be enabled from the Settings app or Control Panel, from PowerShell or manage-bde, and even from the Windows Preinstallation Environment before the OS is first booted.
If you're unfamiliar with BitLocker, the encryption itself is always the same AES cipher; what differs is how the volume key is protected and unlocked at startup:
The TPM-based method, which needs a Trusted Platform Module (TPM) security chip: the TPM releases the key automatically when the boot path is unchanged, optionally combined with a PIN or startup key.
The non-TPM method, where the key is derived from a pre-boot password or stored on a USB startup key that must be present at boot.
On removable drives such as USB sticks and external disks, the same feature is called "BitLocker To Go" and is unlocked with a password or smart card.
We'll be going through both TPM and non-TPM methods to help you understand how to enable BitLocker regardless of your device's configuration.
How to check if your device supports TPM?
Before you proceed with encryption, you should check if your Windows 10 PC supports TPM, as it greatly simplifies the BitLocker setup.
Go to Start.
Look for Device Manager.
Navigate to the top result and launch the app.
Go to Security Devices and expand the branch.
Check the version number under "Trusted Platform Module": it must be 1.2 or 2.0 for BitLocker to use it. Alternatively run tpm.msc, or run Get-Tpm from an elevated PowerShell prompt, which also reports whether the TPM is enabled, activated and ready.
If no TPM appears, check the manufacturer's specifications for your model; many machines ship with the TPM present but disabled in the BIOS/UEFI setup, and the manufacturer's site will have instructions for enabling it.
Surface devices usually come with a built-in platform module that offers support for BitLocker encryption.
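The same check from PowerShell, as an added example that is not part of the original article. It wraps Get-Tpm and the Win32_Tpm WMI class (both ship with Windows 8/Server 2012 and later) in a function that returns one object saying whether BitLocker can rely on the TPM, and if not, why. The function name is this article's own; run it from an elevated prompt.

```powershell
# Added example (not from the original article): is the TPM usable for BitLocker?
# Requires an elevated PowerShell session on Windows 8 / Server 2012 or later.

function Test-BitLockerTpmReady {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.TpmPresent) {
        return [pscustomobject]@{
            Present = $false; Ready = $false; SpecVersion = $null
            Reason  = 'No TPM detected (check BIOS/UEFI setup: it may be present but disabled)'
        }
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the spec.
    $info = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($info) { ($info.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    if (-not $tpm.TpmEnabled) {
        $reason = 'TPM is present but disabled in firmware'
    } elseif (-not $tpm.TpmActivated) {
        $reason = 'TPM is present but not activated'
    } elseif (-not $tpm.TpmReady) {
        $reason = 'TPM is not ready for use (Initialize-Tpm, or clear it from firmware setup)'
    } elseif ($spec -notin @('1.2', '2.0')) {
        $reason = "Unsupported TPM spec version '$spec'; BitLocker needs 1.2 or 2.0"
    } else {
        $reason = 'OK'
    }

    [pscustomobject]@{
        Present     = $true
        Ready       = ($reason -eq 'OK')
        SpecVersion = $spec
        Reason      = $reason
    }
}

Test-BitLockerTpmReady | Format-List
```

A TPM that is present but not "ready" is the usual cause of the "This device can't use a Trusted Platform Module" message in the BitLocker wizard; the Reason field tells you whether the fix is a firmware toggle or an Initialize-Tpm.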
How to enable BitLocker on Windows 10 (with TPM)?
If your device supports TPM, here’s the straightforward way to turn on BitLocker on Windows 10:
1. Go to Start.
2. Search for Control Panel and open the top result.
3. Navigate to System and Security and click on BitLocker Drive Encryption.
4. Go to the "Operating System Drive" section and click on the Turn on BitLocker option.
5. Choose where to save the recovery key:
- Save to your Microsoft account (you can retrieve it later by signing in to that account).
- Save to a file (on a different drive; the wizard will not let you save it on the drive being encrypted).
- Print the recovery key.
6. Click on Next.
7. Choose how much of your drive space you want to encrypt. There are two options:
- Encrypt used disk space only (faster; fine for a new PC or a freshly formatted drive, because the free space holds no old data).
- Encrypt the entire drive (slower; use it for a drive already in use, so that previously deleted but not yet overwritten data in free space is covered too).
8. Click on Next.
9. Confirm that you are ready to encrypt the device. Leave "Run BitLocker system check" ticked (it confirms that the TPM releases the key and the recovery key works before any data is encrypted) and press Continue.
10. Restart your device.
Once the system check passes during that restart, BitLocker is enabled.
Windows then boots normally and encrypts the drive in the background; this can take a long time depending on the amount of data and the size of the disk, but it does not stop you from using the computer. Until the encryption percentage reaches 100, the sectors not yet processed are still stored in the clear, so do not consider the machine fully protected before then.
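The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original article. It escrows a recovery password before anything is encrypted, then enables BitLocker with the TPM as the unlock protector. Assumptions (not stated in the article): the OS drive is C:, a ready TPM 1.2/2.0 is present, the device is Microsoft Entra ID (Azure AD) joined so the recovery password can be backed up with BackupToAAD-BitLockerKeyProtector, and you want XTS-AES 256 rather than the default 128-bit key.

```powershell
# Added example (not from the original article): enable BitLocker on the OS drive with a TPM
# protector. Run elevated on Windows 10/11 Pro, Enterprise or Education.
# Assumptions: OS drive is C:, TPM is ready, device is Entra ID joined (swap in
# Backup-BitLockerKeyProtector for on-premises AD DS).

$MountPoint = 'C:'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker is already on for $MountPoint"
    return
}

# 1. Add a recovery password first, so a later TPM measurement change (firmware update,
#    boot-order change, motherboard swap) cannot lock you out with no way back in.
$rp   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rpId = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
         Select-Object -Last 1).KeyProtectorId

# 2. Escrow it before encryption starts. Pick the cmdlet that matches the identity backend.
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId | Out-Null
# Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId   # AD DS instead

# 3. Turn encryption on with the TPM as the unlock protector.
#    -UsedSpaceOnly is "Encrypt used disk space only"; omit it for a drive that has been in use.
#    The cipher cannot be changed later without decrypting, so choose it now.
#    Without -SkipHardwareTest Windows runs the same system check as the wizard and begins
#    encrypting only after the next reboot succeeds.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly

# 4. Report what is now configured.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Doing the recovery-password escrow before Enable-BitLocker, rather than after, is deliberate: if the script dies or the escrow fails after encryption has started, you still know about it before any user is locked out.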
How to enable BitLocker on Windows 10 without TPM (using password or USB key)?
If your device has no Trusted Platform Module, Windows refuses to put a password or startup-key protector on the operating system drive until the "Require additional authentication at startup" policy allows BitLocker without a compatible TPM. On a standalone machine you set that policy with the Local Group Policy Editor; on a domain-joined machine set it in a Group Policy Object instead, because local policy is overwritten at the next policy refresh.
Once the policy is in place, the drive is unlocked at every boot with a password you type or a startup key stored on a USB flash drive; the recovery key is separate and is only for when that normal method fails.
How to activate startup authentication with Local Group Policy Editor
Here are the steps you should follow:
Go to Start.
Find gpedit.
Navigate to Local Group Policy Editor and open Computer Configuration.
Navigate to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
You'll find the option "Require additional authentication at startup policy." Double click on it.
Select the Enabled option and tick "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)".
Click on OK and continue to configure BitLocker settings.
How to enable BitLocker using a password or USB key?
Once the group policy is set, follow these steps to turn BitLocker on using a password or USB key:
1. Navigate to Start and open the Control Panel.
2. Under System and Security, navigate to BitLocker Drive Encryption > Operating System Drive > Turn on BitLocker.
3. Choose how the drive will be unlocked at startup:
- Insert a USB flash drive (a startup key is written to it, and the stick must be present at every boot).
- Enter a password (we recommend the password unless you can guarantee the USB stick is kept apart from the laptop).
4. Create the password that will unlock your drive and press Next.
5. Save your recovery key. Choose one of the following options:
- Save to your Microsoft account (you can retrieve it later by signing in to that account).
- Save to a USB flash drive.
- Save to a file (on a drive other than the one being encrypted).
- Print the recovery key.
6. Press Next.
7. Choose how much of your drive space you want to encrypt:
- Encrypt used disk space only (faster; fine for new PCs and freshly formatted drives).
- Encrypt the entire drive (slower; use it for PCs and drives already in use).
8. Press Next.
9. You'll be prompted to choose the encryption mode:
- New encryption mode (XTS-AES; best for fixed drives that stay in this device, and not readable by Windows versions before 10 version 1511).
- Compatible mode (AES-CBC; for drives that may be moved to an older Windows device).
10. Press Next.
11. Confirm you are ready to encrypt the drive and press Continue.
12. Restart your device.
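The policy change and the non-TPM enablement from PowerShell, as an added example that is not part of the original article. The first part writes the same registry values under the FVE policy key that the "Require additional authentication at startup" setting in gpedit.msc writes; the second enables BitLocker with either a pre-boot password or a USB startup key. Assumptions (not stated in the article): the OS drive is C:, the USB stick is E:, the machine is not domain-joined, and the recovery password is written to a text file that you will move off the machine.

```powershell
# Added example (not from the original article): BitLocker without a TPM.
# Assumptions: OS drive C:, USB startup key on E:, standalone (non-domain) machine, elevated prompt.

# --- Part 1: the policy gpedit.msc would write (Computer Configuration > Administrative
#     Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives >
#     "Require additional authentication at startup").
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $Fve -Force | Out-Null
# UseAdvancedStartup = 1 enables the policy; EnableBDEWithNoTPM = 1 is the checkbox
# "Allow BitLocker without a compatible TPM". The four Use* values are the TPM drop-downs
# (2 = Allow), kept at their defaults so TPM machines are unaffected.
$policy = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1
             UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }
foreach ($kv in $policy.GetEnumerator()) {
    New-ItemProperty -Path $Fve -Name $kv.Key -Value $kv.Value -PropertyType DWord -Force | Out-Null
}

# --- Part 2: enable BitLocker with a password or a startup key.
$MountPoint = 'C:'

# Always create and save a recovery password before adding the unlock protector.
$rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword |
    Out-File -FilePath "$env:USERPROFILE\Desktop\BitLocker-Recovery-$env:COMPUTERNAME.txt"
# Move that file off this machine: on the encrypted disk it is useless when you need it
# and a gift to an attacker who does not.

$UseStartupKey = $false   # set $true for the USB-stick variant
if ($UseStartupKey) {
    # Option A: startup key on removable drive E:; the stick must be inserted at every boot.
    Enable-BitLocker -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath 'E:\' `
                     -EncryptionMethod XtsAes256 -UsedSpaceOnly
} else {
    # Option B: password typed at the pre-boot prompt. -AsSecureString keeps it out of the
    # console history and script logs.
    $pw = Read-Host -Prompt "Pre-boot password for $MountPoint" -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw `
                     -EncryptionMethod XtsAes256 -UsedSpaceOnly
}

# Encryption starts after the hardware test passes on the next boot.
Restart-Computer -Confirm
```

Without Part 1, Enable-BitLocker (and manage-bde) stops with a "Group Policy settings do not permit the creation of a password" style error; the policy is the gate, not the absence of a TPM by itself.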
Once BitLocker is enabled with a password or startup key, Windows asks for it before the operating system loads; with a TPM plus PIN protector it asks for the PIN. That pre-boot factor is what stops someone who has the powered-off machine from booting it, or from booting another OS and reading or modifying system files. A TPM-only configuration unlocks the drive automatically at boot, which protects against the disk being pulled out but not against attacks on the machine once it is running or sleeping, so a PIN is worth adding on TPM devices too.
The PIN or password can be changed without decrypting the drive, and should be rotated whenever you suspect it has been observed. Since Windows 8, standard users can change their own BitLocker PIN or password unless the "Disallow standard users from changing the PIN or password" policy is enabled.
How to manage BitLocker?
After enabling BitLocker encryption, it’s important to know how to manage and maintain it effectively to ensure your data stays secure. You can manage BitLocker through the Control Panel interface or by using PowerShell and command-line tools.
Here are the key management tasks you can perform:
Suspend protection: Temporarily disable the key protectors without decrypting the drive. While suspended, the volume key is stored on the disk in the clear, so anyone with the disk can read it; use this only before firmware updates or hardware changes that would alter the TPM measurements and otherwise force a recovery prompt. From Control Panel, protection resumes automatically at the next restart; from the command line you choose how many reboots it stays suspended for, and "indefinitely" is a common way for fleets to end up silently unprotected.
Change PIN or password: Update your BitLocker PIN or password to maintain strong security. You can change these credentials without decrypting the drive, making it easy to strengthen your protection regularly.
Back up recovery key: It’s critical to back up your recovery key securely. You can save it to your Microsoft account, export it to a USB drive, print it, or save it as a file. This recovery key helps you regain access if you forget your PIN or password or if the device encounters a startup issue.
Turn off BitLocker: If you need to decrypt your drive and disable BitLocker, you can do so from the management interface. Keep in mind that turning off BitLocker will decrypt all data and remove encryption protection.
You can perform these actions in Control Panel under System and Security > BitLocker Drive Encryption, or use PowerShell commands for advanced management.
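The four management tasks above from an elevated PowerShell prompt, as an added example that is not part of the original article. Assumptions (not stated in the article): the OS drive is C:, a TPM protector is already in place, and recovery passwords are escrowed to Microsoft Entra ID; the rotation pattern (add new, escrow, then remove old) is this article's own recommendation.

```powershell
# Added example (not from the original article): day-two BitLocker management.
# Assumptions: OS drive C:, TPM-based protector present, Entra ID joined, elevated prompt.

$MountPoint = 'C:'

# 1. Suspend for exactly one reboot, e.g. around a BIOS/UEFI update. -RebootCount 0 would
#    suspend indefinitely; 1 guarantees protection comes back even if nobody remembers.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
# ... apply the firmware update and reboot; if you change your mind before that:
Resume-BitLocker -MountPoint $MountPoint | Out-Null

# 2. Set or change the pre-boot PIN. BitLocker keeps a single TPM-type protector per volume,
#    so adding TpmAndPin replaces the existing Tpm or TpmPin protector in one step.
$newPin = Read-Host -Prompt "New pre-boot PIN for $MountPoint" -AsSecureString
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $newPin | Out-Null

# 3. Rotate and back up the recovery password. Order matters: add and escrow the new one
#    first so there is never a moment without a valid, escrowed recovery protector.
$old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword'
$new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Turn BitLocker off entirely. This decrypts the whole volume; the only way back is a
#    full re-encryption, so it is commented out here.
# Disable-BitLocker -MountPoint $MountPoint

Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, ProtectionStatus, VolumeStatus,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Rotating the recovery password is the right response after a help-desk recovery: the password that was read out over the phone is now known to at least two people and possibly a ticketing system, and it is cheap to replace.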
How to check if BitLocker is enabled?
To quickly check whether BitLocker is enabled on your device and get detailed encryption status, use the Command Prompt or PowerShell:
Open Command Prompt or PowerShell as an administrator.
Run the following command: manage-bde -status
The output will show information for each drive, including:
Whether BitLocker is on or off
Percentage of encryption completed
Encryption method used
Protection status
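Reading manage-bde -status by eye works for one machine; for a fleet you want the same facts as objects with a pass/fail verdict. The function below is an added example that is not part of the original article: it walks every local volume with Get-BitLockerVolume and flags the conditions a practitioner would actually act on. The compliance rules (XTS-AES 256 on the OS drive, an escrowable recovery password, a pre-boot PIN on TPM devices, nothing suspended) and the function name are this article's illustration, not a Microsoft default.

```powershell
# Added example (not from the original article): per-volume BitLocker compliance report.
# Assumes an elevated prompt and the BitLocker PowerShell module (Windows 8 / Server 2012+).
# The rules below are an illustration; adjust them to your own policy.

function Get-BitLockerCompliance {
    [CmdletBinding()]
    param(
        [string]$RequiredOsMethod = 'XtsAes256'
    )
    foreach ($v in Get-BitLockerVolume) {
        $types  = @($v.KeyProtector.KeyProtectorType)
        $issues = [System.Collections.Generic.List[string]]::new()

        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            $issues.Add("volume is $($v.VolumeStatus) ($($v.EncryptionPercentage)% done)")
        }
        if ($v.ProtectionStatus -ne 'On') {
            $issues.Add('protection is off or suspended (volume key stored in the clear)')
        }
        if ($types -notcontains 'RecoveryPassword') {
            $issues.Add('no recovery password protector, so nothing can be escrowed')
        }
        if ($v.VolumeType -eq 'OperatingSystem') {
            if ($v.EncryptionMethod -ne $RequiredOsMethod) {
                $issues.Add("cipher is $($v.EncryptionMethod), policy wants $RequiredOsMethod")
            }
            # A bare 'Tpm' protector means the drive unlocks with no pre-boot factor at all.
            if ($types -contains 'Tpm') {
                $issues.Add('TPM-only unlock, no pre-boot PIN')
            }
        }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            VolumeType = $v.VolumeType
            Status     = $v.VolumeStatus
            Protection = $v.ProtectionStatus
            Cipher     = $v.EncryptionMethod
            Protectors = ($types -join ',')
            Compliant  = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
}

$report = Get-BitLockerCompliance
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:ProgramData\BitLocker-$env:COMPUTERNAME.csv"

# Non-zero exit code lets an RMM script task flag the asset instead of a human reading output.
$failed = @($report | Where-Object { -not $_.Compliant }).Count
exit ([int]($failed -gt 0))
```

The "protection is off or suspended" check is the one most fleets miss: manage-bde -status shows such a volume as 100% encrypted, which looks fine at a glance, while the key sits on the disk unprotected.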
Easily monitor BitLocker across your devices with SuperOps
Managing BitLocker encryption across multiple devices can be challenging, especially in larger organizations. That’s where SuperOps comes in, a modern IT management platform that lets you track BitLocker status across your assets from a single dashboard.
How to monitor BitLocker status in SuperOps?
Here’s how to check the BitLocker status of your Windows assets in SuperOps:
Log into your SuperOps dashboard.
Navigate to Modules > Assets in your SuperOps dashboard.
Select a Windows asset that is currently online.
Scroll down to the Disk Info section under the Summary tab.
Here, you’ll see the available disk space on each drive and the BitLocker status for each one.
For more detailed information, click More Info to go to the BitLocker Encryption Status page. On this page, you can view:
- The drives on the asset
- Their encryption status (whether the drive is encrypting, decrypting, or fully encrypted)
- The encryption method used (algorithm and key size)
- The lock status (whether the drive contents are accessible or locked)
- Recovery key information, if any is available
Microsoft BitLocker administration and monitoring
Microsoft BitLocker Administration and Monitoring (MBAM), a component of the Microsoft Desktop Optimization Pack (MDOP), lets administrators manage BitLocker and BitLocker To Go centrally and support users who need recovery. The last release, MBAM 2.5 with Service Pack 1, offers:
Compatibility with Windows 10 and a customizable recovery user experience.
Integration with Microsoft Endpoint Configuration Manager, which supplies centralized reporting on encrypted volumes and compliance.
A Self-Service Portal where users can retrieve their own recovery keys without calling the help desk.
Automated enforcement of encryption across large numbers of client machines.
Assurance for Windows Enterprise users that enterprise data is encrypted regardless of where they work.
Compliance reporting that lets security officers check the state of an individual computer or a whole estate, with audited access to recovery keys (every key retrieval is logged).
Enforcement of the BitLocker policies you set for the enterprise.
A reduced help desk workload, because recovery requests are handled through the portal.
Integration with Microsoft Endpoint Configuration Manager and other tools to automate management.
MBAM is a legacy product: Microsoft's current guidance is to manage BitLocker through the built-in BitLocker management in Configuration Manager or through Microsoft Intune, both of which escrow recovery keys and report compliance without a separate MBAM server.
By default, BitLocker on Windows 10 (version 1511 and later) encrypts with XTS-AES 128-bit. The cipher and key length are fixed at the moment a volume is encrypted: to use XTS-AES 256 or another method, set the "Choose drive encryption method and cipher strength" policy (or the -EncryptionMethod parameter of Enable-BitLocker) before encrypting, because changing it afterwards means decrypting the volume completely and encrypting it again.
What you should know about BitLocker device encryption?
Before you enable BitLocker encryption on Windows 10, keep these essentials in mind:
Full BitLocker Drive Encryption is available on Windows 10 Pro, Enterprise and Education. Windows 10 Home gets only Device Encryption, which turns on automatically on supported hardware when you sign in with a Microsoft account but offers no management options such as PINs, startup keys or the BitLocker Control Panel.
A TPM is not required, but it is what makes unlocking transparent and ties the key to an unmodified boot chain; without one, a pre-boot password or USB startup key must be used instead.
If your computer has no TPM, or the TPM does not show up in Device Manager, check with the manufacturer: many machines have it disabled in firmware, and a BIOS/UEFI update can add support.
The operating system drive must be NTFS and the disk needs at least two partitions: a small unencrypted system partition holding the boot files, and the OS partition that is encrypted. The Windows installer creates both by default.
Encryption times vary depending on drive size and data volume, so plan accordingly.
Ensure your computer is plugged into a reliable power source during the encryption process to prevent interruptions.
It’s best practice to back up all important data before starting BitLocker encryption in case of unforeseen issues.
Best practices for using BitLocker
To ensure the strongest protection and smooth operation when using BitLocker encryption, follow these best practices:
Store your recovery key in a secure location that is not the encrypted device itself: your Microsoft account, Active Directory or Entra ID for managed devices, a USB drive kept separately, or a password manager. This key is the only way back in if you forget your PIN or password, or if a firmware update, boot-order change or hardware swap changes the TPM measurements and the drive refuses to unlock.
Before enabling BitLocker across multiple devices in an organization, verify on a pilot machine that recovery works end to end: that the key was escrowed, that the help desk can find it, and that it actually unlocks the drive. Escrow failures are silent until someone is locked out.
In enterprise environments, use Microsoft Intune or Configuration Manager (or, on older estates, MBAM) to enforce the policy, escrow recovery keys automatically, track encryption status and act on non-compliant devices.
Regularly update your device firmware (BIOS/UEFI) and Windows OS to maintain compatibility with TPM and BitLocker features, and suspend BitLocker for one reboot before firmware updates so the TPM measurement change does not trigger a recovery prompt.
Choose a PIN or password that is hard to guess but easy to remember. On TPM devices, add a PIN rather than relying on TPM-only unlock: without a pre-boot factor the drive is unlocked for anyone who can boot the machine, and the only thing standing between them and your data is the Windows sign-in screen.
Conclusion
Enabling BitLocker on Windows 10 is an effective way to protect your data from theft or unauthorized access. Whether your device supports TPM or not, Microsoft provides flexible options to secure your drives with strong encryption. By following this step-by-step guide, you can quickly activate BitLocker and take control of your data security with confidence.
Start encrypting your drives today and keep your sensitive information safe!
We hope this exhaustive guide has helped you enable BitLocker on your Windows 10 device. Need more information? Reach out to us.
Frequently Asked Questions
1. How do I disable and enable BitLocker?
To enable BitLocker, go to Control Panel > System and Security > BitLocker Drive Encryption, select the drive, and click "Turn on BitLocker." Follow the prompts to set it up. To disable BitLocker, return to the same menu and choose "Turn off BitLocker," which decrypts the drive and removes encryption.
2. How to resolve the BitLocker issue?
To resolve BitLocker issues, first ensure your recovery key is backed up securely. If BitLocker prevents access, use the recovery key to unlock your drive. Check for firmware (BIOS/UEFI) and Windows updates to maintain compatibility. You can also suspend protection temporarily before making hardware changes or updates. For persistent issues, consult Microsoft support or use BitLocker management tools like MBAM.
3. How do I know if BitLocker is enabled?
Open Command Prompt or PowerShell as an administrator and run:
manage-bde -status
This command displays the encryption status of your drives, indicating if BitLocker is enabled, the encryption percentage, and protection status.
4. How to unlock BitLocker?
BitLocker can be unlocked by entering your PIN or password at device startup. For removable drives, connect the drive and provide the password or recovery key when prompted to gain access.
5. Is BitLocker enabled by default?
Not on most Windows 10 devices. BitLocker Drive Encryption on Pro, Enterprise and Education editions must be turned on manually through Control Panel, Settings, PowerShell or manage-bde, or pushed by policy. Device Encryption, the simplified variant, can switch itself on when a device with a TPM and supported firmware is set up with a Microsoft or work account; run manage-bde -status to see which applies to you.