
How to Enable BitLocker Drive Encryption on Windows laptop

You can enable BitLocker drive encryption on your Windows laptop to protect your data from unauthorized access if your device is lost or stolen. The process involves checking your system’s compatibility, turning on BitLocker through the Control Panel or Settings, and securely saving your recovery key. If your laptop doesn’t have a TPM 2.0 chip, you’ll first need to adjust a setting in the Group Policy Editor.

What is BitLocker?

BitLocker is a full-volume encryption feature included in specific editions of Microsoft Windows. When you enable it, BitLocker encrypts your entire drive, making the data unreadable without the correct password, PIN, or a special startup key on a USB drive. If your laptop is ever lost or stolen, this encryption prevents thieves from accessing your personal files, documents, and other sensitive information simply by removing the hard drive and connecting it to another computer.

Before You Start: Check Your System’s Compatibility

Before proceeding, it’s important to verify that your system meets the requirements for BitLocker.

Check Your Windows Edition

BitLocker is only available on professional editions of Windows. You can easily check your version:

  1. Press the Windows key + I to open the Settings app.
  2. Go to System > About.
  3. Look for your Windows specifications. You’ll need Windows 10/11 Pro, Enterprise, or Education.

What if I have Windows Home? Windows Home editions do not include the full BitLocker feature. However, many modern laptops with Windows Home have a similar feature called Device Encryption. If your hardware is compatible, encryption might already be enabled. You can check by going to Settings > Privacy & security > Device encryption. If it’s available, the steps to manage it are much simpler and often handled automatically when you sign in with a Microsoft account.

Check for a TPM Chip

BitLocker works best with a Trusted Platform Module (TPM), a security chip on your motherboard that helps protect encryption keys. Most modern laptops have one. Here’s how to check:

  1. Press the Windows key + R to open the Run dialog.
  2. Type tpm.msc and press Enter.
  3. The TPM Management console will open. If the status is “The TPM is ready for use,” you’re good to go.

If it says a compatible TPM cannot be found, don’t worry. You can still enable BitLocker without a TPM, but it requires an extra step, which is covered in a dedicated section below.
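The two checks above (Windows edition and TPM status) can be done from an elevated PowerShell prompt as well. This is an added example, not part of the original article; it reads the same information that Settings > About and tpm.msc display.

```powershell
# Added example (not from the article): BitLocker pre-flight check.
# Run from an elevated PowerShell prompt; Get-Tpm requires administrator rights.

# Edition: BitLocker needs Pro, Enterprise or Education. The Caption looks like
# "Microsoft Windows 11 Pro" or "Microsoft Windows 11 Home".
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$edition   = $os.Caption
$editionOk = $edition -match 'Pro|Enterprise|Education'

# TPM: Get-Tpm is the PowerShell equivalent of the tpm.msc console.
# TpmPresent = $false corresponds to "a compatible TPM cannot be found".
$tpm   = Get-Tpm
$tpmOk = $tpm.TpmPresent -and $tpm.TpmReady

# The TPM spec version (e.g. "2.0, 0, 1.38") comes from the Win32_Tpm WMI class;
# it is $null when no TPM is present.
$specVersion = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

[pscustomobject]@{
    Edition          = $edition
    EditionSupported = $editionOk
    TpmPresent       = $tpm.TpmPresent
    TpmReady         = $tpm.TpmReady
    TpmSpecVersion   = $specVersion
    ReadyForBitLocker = $editionOk -and $tpmOk   # $false with no TPM: use the no-TPM section below
}
```

If `EditionSupported` is `$true` but `TpmPresent` is `$false`, follow the “How to Enable BitLocker Without a TPM” section; if the edition is Home, look for Device Encryption in Settings instead.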

How to Enable BitLocker (With a TPM)

If you have a compatible Windows edition and a TPM, enabling BitLocker is a straightforward process.

Step 1: Turn On BitLocker

  1. Open the Control Panel. You can find it by searching for it in the Start Menu.
  2. Select System and Security, and then click on BitLocker Drive Encryption.
  3. You’ll see a list of the drives in your computer. Find your operating system drive (usually C:) and click Turn on BitLocker.

Step 2: Choose How to Unlock Your Drive at Startup

BitLocker will now ask how you want to unlock your drive each time you start your computer. Since you have a TPM, the most common and convenient method is to have it unlock automatically without any extra steps. However, for added security, you can choose to require a PIN or a USB startup key. For most users, relying on the TPM alone provides a great balance of security and convenience.

Step 3: Back Up Your Recovery Key

This is the most critical step. If you ever have trouble unlocking your PC (for example, after a significant hardware change), you’ll need this recovery key to access your data. If you lose this key, your data will be permanently inaccessible. You have several options for saving it:

  • Save to your Microsoft account: This is the easiest and most recommended option for most users. Your key will be securely stored online and accessible at.
  • Save to a file: You can save the key as a text file on a USB drive or an external hard drive. Do not save it on the drive you are encrypting.
  • Print the recovery key: You can print a hard copy of the key and store it in a safe place, like a fireproof safe or with other important documents.

It’s wise to save your recovery key in at least two different places. For example, save it to your Microsoft account and also keep a printed copy.

Step 4: Choose How Much of Your Drive to Encrypt

BitLocker will give you two choices:

  • Encrypt used disk space only: This is faster and ideal for new PCs and drives. BitLocker will only encrypt the parts of the drive that currently have data on them.
  • Encrypt entire drive: This is slower but more secure for PCs that have been in use for a while. It ensures that any previously deleted data, which can sometimes be recovered, is also encrypted.

For the best security, choosing to encrypt the entire drive is recommended.

Step 5: Choose the Encryption Mode

You’ll be asked to choose between two encryption modes:

  • New encryption mode (XTS-AES): This offers better performance and is the best choice for drives that will stay inside your laptop.
  • Compatible mode (AES-CBC): This is for removable drives (like external hard drives) that you might use with older versions of Windows.

Select New encryption mode for your laptop’s internal drive.

Step 6: Start the Encryption Process

On the final screen, make sure you’re ready to encrypt. You can run a BitLocker system check before starting. When you’re ready, click “Start encrypting.”

The encryption process will begin in the background. You can continue to use your computer, but it might be a bit slower until the process is complete. The time it takes can range from 20 minutes to several hours, depending on the size of your drive and how much data you have. It’s often best to let it run overnight.
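The same six wizard steps can be driven from PowerShell, which is useful when you want the recovery key written somewhere specific. This is an added example, not from the article; it assumes the operating system drive is C:, a TPM is present, and a USB drive for the key backup is mounted as E: (adjust both letters to your machine).

```powershell
# Added example (not from the article): Steps 1-6 of the wizard as PowerShell.
# Run elevated. Assumes OS drive C: and a USB drive E: for the key backup.
$drive     = 'C:'
$backupDir = 'E:\'   # assumption: removable drive; must NOT be the drive being encrypted

if ([System.IO.Path]::GetPathRoot($backupDir).TrimEnd('\') -eq $drive) {
    throw "Refusing to save the recovery key on the drive that is being encrypted."
}

# Steps 2 and 5: unlock with the TPM, XTS-AES-256 ("New encryption mode").
# Step 4: no -UsedSpaceOnly, so the entire drive is encrypted (the article's recommendation).
# Step 6: -SkipHardwareTest starts encrypting now; omit it to run the BitLocker
#         system check, in which case encryption begins after the next restart.
Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# Step 3: add a 48-digit recovery password and back it up off the encrypted drive.
$vol       = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
$protector = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1]

# Save-to-file option: the identifier is what the recovery screen asks you to match.
$keyFile = Join-Path $backupDir "BitLocker-Recovery-Key-$($protector.KeyProtectorId.Trim('{}')).txt"
@"
BitLocker Drive Encryption recovery key for $env:COMPUTERNAME ($drive)
Identifier:   $($protector.KeyProtectorId)
Recovery Key: $($protector.RecoveryPassword)
"@ | Out-File -FilePath $keyFile -Encoding utf8

# Save-to-account option, for devices joined to Microsoft Entra ID (formerly Azure AD).
# BackupToAAD-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $protector.KeyProtectorId

# Progress check: VolumeStatus moves from EncryptionInProgress to FullyEncrypted.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus
```

Keep the text file only on the removable drive, and print or store a second copy as the article recommends; `Get-BitLockerVolume` can be rerun at any time to watch `EncryptionPercentage`.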

How to Enable BitLocker Without a TPM

If your computer doesn’t have a TPM chip, you’ll get an error message when you try to turn on BitLocker. You can bypass this by changing a setting in the Local Group Policy Editor.

Step 1: Open the Group Policy Editor

  1. Press the Windows key + R to open the Run dialog.
  2. Type gpedit.msc and press Enter.

Step 2: Navigate to the BitLocker Policy

In the Group Policy Editor, use the left-hand pane to navigate to the following path:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

Step 3: Edit the Policy

In the right-hand pane, find the policy named “Require additional authentication at startup” and double-click it.

  1. Select the Enabled option at the top.
  2. In the “Options” box below, make sure the checkbox for “Allow BitLocker without a compatible TPM” is checked.
  3. Click Apply and then OK.

Step 4: Turn On BitLocker

Now you can close the Group Policy Editor and follow the same steps outlined in the “How to Enable BitLocker (With a TPM)” section above. The main difference is that you will be required to set a startup password or use a USB key to unlock your drive each time you boot your computer, as there is no TPM to handle it automatically.
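The policy edited in Steps 1 to 3 is stored in the registry under the local policy hive, so the same change can be scripted, and the no-TPM drive then gets a startup password protector instead of the TPM protector. This is an added example, not from the article; the registry value names are the ones the policy editor writes for this setting, and it assumes the OS drive is C:.

```powershell
# Added example (not from the article): "Require additional authentication at startup"
# with "Allow BitLocker without a compatible TPM", written directly to the policy
# registry key that gpedit.msc edits. Run elevated. Assumes OS drive C:.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null

# Policy state "Enabled" and the checkbox from Step 3.
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1

# The editor's defaults for the remaining options (2 = Allow) so TPM-equipped
# machines that later receive this key are not locked out of TPM protectors.
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Type DWord -Value 2
}

# Step 4: without a TPM the drive is unlocked with a startup password typed at boot.
# Prompt for it rather than embedding it in the script.
$startupPassword = Read-Host -AsSecureString -Prompt 'Startup password for C: (typed at every boot)'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
                 -PasswordProtector -Password $startupPassword

# Add the recovery password too; back it up as described in Step 3 above.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# Confirm both protectors exist: expect Password and RecoveryPassword, no Tpm entry.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```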
