BitLocker Encryption Setup: Protect Your Windows Drive

BitLocker Drive Encryption is a full-volume encryption feature built into Windows 10 Pro, Enterprise, Education, and Windows 11 Pro and above. It encrypts the entire operating system volume — and optionally additional data volumes — protecting data from physical theft. If someone removes the hard drive from a BitLocker-protected machine and attempts to read it in another system, the data is unreadable without the recovery key.

Prerequisites

Before enabling BitLocker, confirm the following:

  • TPM 2.0 — BitLocker uses the Trusted Platform Module to store the encryption key. TPM 2.0 is required for Windows 11 and recommended for Windows 10. If TPM is not available, BitLocker can be configured to use a startup PIN or USB key instead, via Group Policy.
  • UEFI with Secure Boot — Required for modern BitLocker deployments. Legacy BIOS mode is supported but offers weaker pre-boot integrity.
  • Windows edition — Windows 11 Home includes Device Encryption (a simplified form) but not full BitLocker with all management options. Pro or higher is required for the full feature set.

Enabling BitLocker via the Control Panel

  1. Open Control Panel > System and Security > BitLocker Drive Encryption
  2. Click Turn on BitLocker next to the C: drive
  3. Choose how to back up your recovery key:
    • Save to your Microsoft account (for personal devices)
    • Save to a file (save to a network share, not the same drive)
    • Print the recovery key
    • Save to Azure AD / Entra ID (for domain-joined, Intune-managed devices — preferred for enterprise)
  4. Choose encryption scope: Used disk space only (faster, suitable for new drives) or Entire drive (slower, better for drives that have previously held data, because the free space that may still contain remnants of deleted files is encrypted as well)
  5. Select encryption mode: New encryption mode (XTS-AES) for fixed drives on Windows 10/11. Use Compatible mode only if the drive may be moved to older Windows versions.
  6. Run the BitLocker system check if prompted, then restart

Encryption runs in the background. You can continue using the machine normally. Monitor progress via the BitLocker Control Panel page.

Enabling BitLocker via PowerShell

# Check current BitLocker status on all volumes
Get-BitLockerVolume

# Enable BitLocker on the C: drive with a TPM protector
# (the recovery password is added and backed up to AD in the steps below)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
  -TpmProtector

# Add a recovery password protector (generates the 48-digit recovery key)
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector

# Back up the recovery password to Active Directory
# (Backup-BitLockerKeyProtector takes one protector ID; -First 1 guards against
# volumes that already carry more than one recovery password protector)
$recoveryKey = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
  Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
  Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $recoveryKey.KeyProtectorId

# Enable BitLocker on a data drive (D:)
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 `
  -RecoveryPasswordProtector

# Suspend BitLocker (e.g., before a BIOS update)
Suspend-BitLocker -MountPoint "C:" -RebootCount 1
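The commands above turn BitLocker on; what an administrator usually needs next is a check that a machine actually ended up in the recommended state. The following audit script is an added example, not code from the original article. It uses only the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 10/11 Pro and higher, runs from an elevated session, and reports each fixed or OS volume as compliant only if it is fully encrypted with XTS-AES 256, protection is on, a recovery password protector exists to escrow, and (for the OS drive) a ready TPM backs a TPM-based protector. The function name and the $AllowedMethods parameter are the example's own.

```powershell
# Added example (not from the original article): audit the local volumes against
# the configuration the article recommends. Assumes the built-in BitLocker and
# TrustedPlatformModule modules; run elevated.

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Encryption methods considered acceptable; XtsAes256 is the article's recommendation.
        [string[]]$AllowedMethods = @('XtsAes256')
    )

    $osDrive = $env:SystemDrive               # e.g. "C:"
    $tpm = $null
    try { $tpm = Get-Tpm } catch { }          # Get-Tpm throws on machines without a TPM

    foreach ($vol in Get-BitLockerVolume) {
        # Removable drives follow a separate policy; audit OS and fixed data volumes only.
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $isOs  = ($vol.MountPoint -eq $osDrive)
        $findings = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # 'Off' on a FullyEncrypted volume means BitLocker is suspended: the key is stored in the clear
            $findings += "protection is $($vol.ProtectionStatus)"
        }
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.EncryptionMethod -notin $AllowedMethods) {
            $findings += "encryption method is $($vol.EncryptionMethod)"
        }
        if ('RecoveryPassword' -notin $types) {
            $findings += 'no recovery password protector (nothing to escrow)'
        }
        if ($isOs) {
            if ($null -eq $tpm -or -not $tpm.TpmReady) { $findings += 'TPM not present or not ready' }
            if ('Tpm' -notin $types -and 'TpmAndPin' -notin $types) {
                $findings += 'OS drive has no TPM-based protector'
            }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage: list the volumes that need attention, which is what a reporting or
# remediation script would act on.
Test-BitLockerCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A volume that shows FullyEncrypted with ProtectionStatus Off is the state left behind by Suspend-BitLocker; if that appears after the firmware update is done, Resume-BitLocker is the fix rather than re-encrypting.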

Managing BitLocker in an Enterprise with MBAM or Intune

For large organisations, managing BitLocker manually per machine is not scalable. The two main enterprise approaches are:

Microsoft Endpoint Manager (Intune)

For cloud-managed or hybrid-joined devices, configure BitLocker through an Endpoint Protection profile in Intune. Recovery keys are automatically escrowed to Entra ID, visible in the Intune portal per device. IT administrators can retrieve a specific machine's recovery key without contacting the user.

Group Policy with Recovery Key Escrow to Active Directory

For on-premises domain environments, configure BitLocker through Group Policy:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

Key settings to configure:

  • Require additional authentication at startup — Allows BitLocker without a TPM using a startup PIN.
  • Store BitLocker recovery information in Active Directory Domain Services — Automatically escrows recovery keys. Enable Do not enable BitLocker until recovery information is stored in AD DS to prevent encryption without a backed-up key.
  • Choose drive encryption method and cipher strength — Set to XTS-AES 256-bit for OS and fixed data drives.
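Group Policy writes these settings as registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE, which makes it possible to confirm on a client that the intended policy has actually been applied. The script below is an added example, not part of the original article. Its value names and numeric values are an assumption drawn from the VolumeEncryption ADMX template (7 for XTS-AES 256-bit in the EncryptionMethodWithXts* values, 1 for the AD DS backup switches); verify them against a policy export from your own domain before relying on the result.

```powershell
# Added example (not from the original article): report whether the BitLocker
# policy values the Group Policy settings above should have written are present.
# Assumption: value names and numbers follow the VolumeEncryption.admx template.

function Test-BitLockerPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) {
        Write-Warning 'No BitLocker policy applied to this machine (FVE policy key absent)'
        return
    }
    $p = Get-ItemProperty -Path $fve

    # Expected values and the Group Policy setting each one corresponds to (assumed mapping).
    $expected = @(
        @{ Name = 'EncryptionMethodWithXtsOs';      Value = 7; Setting = 'Encryption method: OS drives = XTS-AES 256-bit' },
        @{ Name = 'EncryptionMethodWithXtsFdv';     Value = 7; Setting = 'Encryption method: fixed data drives = XTS-AES 256-bit' },
        @{ Name = 'OSActiveDirectoryBackup';        Value = 1; Setting = 'Store BitLocker recovery information in AD DS (OS drives)' },
        @{ Name = 'OSRequireActiveDirectoryBackup'; Value = 1; Setting = 'Do not enable BitLocker until recovery information is stored in AD DS' }
    )

    foreach ($e in $expected) {
        $actual = $p.($e.Name)
        $shown  = '(not set)'
        if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Setting  = $e.Setting
            Value    = $e.Name
            Actual   = $shown
            Ok       = ($actual -eq $e.Value)
        }
    }
}

# Usage: run after gpupdate on a test client; any row with Ok = False means the
# GPO is not linked, is filtered out, or sets a different value.
Test-BitLockerPolicy | Format-Table -AutoSize
```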

Retrieving a Recovery Key

If a user is locked out — typically because the TPM detected a change in boot configuration — you need the 48-digit recovery key. Locations to check:

  • Active Directory — Open the computer account in ADUC (Active Directory Users and Computers), go to the BitLocker Recovery tab.
  • Intune/Entra ID — In the Intune portal, find the device and click Recovery keys.
  • Microsoft account — account.microsoft.com/devices/recoverykey
  • Saved .txt file or printed copy — If the user saved it locally at setup.
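For the Active Directory case, the help desk can avoid clicking through ADUC by querying the escrowed recovery information directly. The function below is an added example, not code from the original article. It assumes the ActiveDirectory module from RSAT and an account with read access to the msFVE-RecoveryPassword attribute, which is marked confidential in the schema and is normally readable only by delegated recovery groups; Get-EscrowedBitLockerKey, $ComputerName and $KeyIdPrefix are the example's own names.

```powershell
# Added example (not from the original article): return the recovery password(s)
# escrowed in AD for one computer, optionally narrowed to the Key ID shown on the
# user's BitLocker recovery screen. Needs the RSAT ActiveDirectory module.

function Get-EscrowedBitLockerKey {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        # Key ID (or its first characters) as displayed on the recovery screen; optional filter
        [string]$KeyIdPrefix
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Recovery data is stored as msFVE-RecoveryInformation objects directly under
    # the computer account; one object per recovery password protector.
    $objs = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'

    foreach ($o in $objs) {
        # msFVE-RecoveryGuid is stored as an octet string; rebuild the GUID to compare with the screen
        $guid = [guid]::new([byte[]]$o.'msFVE-RecoveryGuid')
        $keyId = $guid.ToString().ToUpper()
        if ($KeyIdPrefix -and -not $keyId.StartsWith($KeyIdPrefix.ToUpper())) { continue }

        [pscustomobject]@{
            Computer         = $computer.Name
            KeyId            = $keyId
            Escrowed         = $o.whenCreated
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

# Usage (constructed values): the Key ID prefix is read from the user's recovery screen.
# Get-EscrowedBitLockerKey -ComputerName 'WS-0123' -KeyIdPrefix '3A9F1C2B'
```

If the query returns nothing for a machine that should have been escrowed, the "Do not enable BitLocker until recovery information is stored in AD DS" setting from the Group Policy section is what prevents that situation from arising in the first place.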

Common Issues

  • BitLocker recovery screen on every boot — Usually caused by a BIOS/UEFI update, Secure Boot change, or boot order modification. Suspend BitLocker before making firmware changes.
  • TPM not detected — Check BIOS/UEFI settings to ensure TPM is enabled. Run tpm.msc to check TPM status from within Windows.
  • Encryption paused — BitLocker pauses encryption when the machine is on battery. Plug in the power adapter or resume manually: Resume-BitLocker -MountPoint "C:".