How to Enable BitLocker Encryption on Windows

BitLocker encrypts your Windows drive so data is protected if the device is lost or stolen. Here is how to enable it and manage recovery keys.

Published 2024-04-22 by TechNet New England

BitLocker is the built-in full-disk encryption feature in Windows Pro, Enterprise, and Education editions. When enabled, all data on the drive is encrypted.

## Check If BitLocker Is Available

BitLocker requires Windows 11/10 Pro, Enterprise, or Education. It is not available on Home editions.

To check: go to **Settings > System > About** and look at your Windows edition.

## Enable BitLocker

1. Open **Control Panel > System and Security > BitLocker Drive Encryption**.
2. Click **Turn on BitLocker** next to your C: drive.
3. Choose how to back up your recovery key:
   - **Save to your Microsoft account** (easiest recovery option).
   - **Save to a USB flash drive**.
   - **Save to a file** (do not save it on the encrypted drive).
   - **Print the recovery key**.
4. Choose how much of the drive to encrypt:
   - **Encrypt used disk space only** (faster, good for new computers).
   - **Encrypt entire drive** (more secure, recommended for computers already in use).
5. Choose encryption mode:
   - **New encryption mode (XTS-AES)** for fixed drives.
   - **Compatible mode** if the drive might be used in older Windows versions.
6. Click **Start encrypting**.

Encryption runs in the background. You can use your computer normally. The first encryption may take an hour or more depending on drive size.

## Recovery Key

The recovery key is a 48-digit number that unlocks your drive if BitLocker locks you out (firmware update, hardware change, forgotten PIN).

**Store it securely:**

- In a password manager.
- Printed in a secure location.
- Saved to your Microsoft account at account.microsoft.com/devices/recoverykey.
- Provided to your IT provider for their documentation system.

**Do not store the recovery key on the encrypted drive itself.**

## For Managed Computers

If your computer is managed by your organization:

- BitLocker may be enabled automatically through Group Policy or Intune.
- The recovery key is typically stored in Active Directory or Azure AD/Entra ID by your IT provider.
- You may not need to manage the recovery key yourself.

## Check BitLocker Status

Open Command Prompt as Administrator and run:

```cmd
manage-bde -status
```

This shows the encryption status of all drives.

## When BitLocker Asks for the Recovery Key

After a firmware update, hardware change, or certain boot changes, BitLocker may prompt for the recovery key. This is normal and is a security measure. Enter the 48-digit key to unlock.

If you cannot find your recovery key, contact your IT provider. They can retrieve it from the management system if the computer is domain-joined or enrolled in Intune.
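
As an added example (not part of the original article), the PowerShell function below goes a step beyond the `manage-bde -status` check: it uses the built-in `Get-BitLockerVolume` cmdlet to flag volumes that are not fully encrypted, have protection suspended, lack a recovery password protector, or use a non-XTS-AES method on the operating system drive. The function name `Get-BitLockerAudit` and the wording of the findings are illustrative assumptions; run it in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: audits every BitLocker volume on the local machine.
# It never prints the recovery password itself, only whether one exists.

function Get-BitLockerAudit {   # hypothetical helper name
    foreach ($vol in Get-BitLockerVolume) {
        # Names of the key protectors on this volume (Tpm, TpmPin, RecoveryPassword, ...)
        $protectors = @($vol.KeyProtector | Where-Object { $_ } |
            ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "Status is $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'Protection is off or suspended'
        }
        # The remaining checks only make sense once encryption has been started.
        if ($vol.VolumeStatus -ne 'FullyDecrypted') {
            if ($protectors -notcontains 'RecoveryPassword') {
                $findings += 'No 48-digit recovery password protector: create one and back it up'
            }
            if ($vol.VolumeType -eq 'OperatingSystem' -and
                "$($vol.EncryptionMethod)" -notlike 'Xts*') {
                $findings += "Encryption method $($vol.EncryptionMethod) is not XTS-AES"
            }
        }

        [pscustomobject]@{
            Drive      = $vol.MountPoint
            Status     = $vol.VolumeStatus
            Protection = $vol.ProtectionStatus
            Method     = $vol.EncryptionMethod
            Protectors = $protectors -join ', '
            Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Get-BitLockerAudit | Format-List
```

A volume that reports `OK` is fully encrypted with protection on and has a recovery password protector; it does not confirm that the key has actually been backed up somewhere off the encrypted drive.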