How to Enable BitLocker Encryption on Windows 11
BitLocker drive encryption is one of the most important security controls for any business laptop or PC. If a device is stolen or lost without BitLocker enabled, anyone can remove the hard drive, plug it into another PC and read all the data directly – emails, financial records, client information, passwords. With BitLocker enabled, the entire drive is encrypted and unreadable without authentication. This guide covers enabling BitLocker on Windows 11 Pro and Enterprise.
BitLocker requires: Windows 11 Pro, Enterprise or Education edition, a Trusted Platform Module (TPM) version 1.2 or later (most PCs from 2016 onwards have TPM 2.0), and UEFI firmware with Secure Boot enabled.
Step 1: Verify TPM Is Available
Check TPM Status
Press Windows + R, type tpm.msc and press Enter. The TPM Management console will open and show one of the following statuses:
- TPM is ready for use: TPM is available and BitLocker can use it for automatic unlocking
- Compatible TPM cannot be found: Your PC does not have a TPM or it is disabled in BIOS/UEFI. Enter the BIOS settings (usually F2 or Del during boot) and enable TPM or fTPM under the Security section
You can also check via Device Manager > Security Devices – look for Trusted Platform Module 2.0 in the list.
Step 2: Open BitLocker Management
Access BitLocker Settings
There are two ways to open BitLocker management:
Option A: Type BitLocker in the Start menu search bar. Click Manage BitLocker from the results.
Option B: Open Control Panel > System and Security > BitLocker Drive Encryption.
The BitLocker Drive Encryption page shows all drives on the PC. The C: drive (Operating System) will show as BitLocker off on a new or unencrypted machine.
Step 3: Turn On BitLocker
Start the BitLocker Wizard
Click Turn on BitLocker next to the C: drive. The BitLocker setup wizard will launch. If prompted for administrator permission, click Yes.
If you see a message saying This device cannot use a Trusted Platform Module, see the FAQ below for workaround options.
Step 4: Back Up the Recovery Key
Save the Recovery Key – Critical Step
The wizard will prompt you to back up your recovery key. This 48-digit key is the only way to unlock the drive if the PC enters recovery mode. Choose at least one option:
- Save to your Microsoft account (recommended): The key is stored securely in your Microsoft account at account.microsoft.com/devices/recoverykey. Access it from any browser if the PC needs recovery.
- Save to a USB flash drive: Saves the key to a text file on a USB drive. Store this USB separately from the laptop.
- Save to a file: Saves a text file. Save to a network drive or another device, not the C: drive being encrypted.
- Print the recovery key: Print and store in a secure location such as a locked filing cabinet.
If the recovery key is lost and BitLocker enters recovery mode (triggered by hardware changes, firmware updates or incorrect PIN attempts), the drive contents are permanently inaccessible. Store the key in at least two separate locations.
Step 5: Choose Encryption Options and Start
Select Encryption Scope
Choose Encrypt entire drive (recommended for business PCs and existing devices). This encrypts all space on the drive including previously deleted files. For a brand new empty PC, Encrypt used disk space only is faster but less thorough.
Choose Encryption Mode
Select New encryption mode (XTS-AES 128-bit). This is the most secure mode and is appropriate for fixed internal drives. If you are encrypting a USB drive that will be used on older Windows versions, select Compatible mode instead.
Click Start encrypting. BitLocker will run in the background. You can continue using the PC normally during encryption. A padlock icon will appear next to the C: drive in File Explorer when encryption is in progress.
Encryption typically takes 30 minutes to 3 hours depending on drive size and PC speed. Check the status in Manage BitLocker – it will show the percentage complete.
After encryption completes, open Manage BitLocker. The C: drive should show BitLocker on with a locked padlock icon. You can also run manage-bde -status C: in an elevated Command Prompt to see the detailed encryption status, percentage and method.
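The checks from Steps 1 to 5 can also be run as one read-only audit. The script below is an added example, not part of the original guide: it assumes an elevated PowerShell session, that the OS drive is C:, and the Get-Tpm, Confirm-SecureBootUEFI and Get-BitLockerVolume cmdlets that ship with Windows 11 Pro and Enterprise. It reports whether a recovery password protector exists without printing the 48-digit key.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the settings this guide configures.
$mount = 'C:'   # assumption: the OS drive is C:, as in the guide
$results = [ordered]@{}

# Step 1: same information as tpm.msc
$tpm = Get-Tpm
$results['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# Prerequisite: Secure Boot. The cmdlet throws on legacy BIOS systems,
# which is treated as a failed check here.
try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = $false }

# Step 5: state of the volume after encryption
$vol = Get-BitLockerVolume -MountPoint $mount
$results['Protection on']      = $vol.ProtectionStatus -eq 'On'
$results['Fully encrypted']    = $vol.VolumeStatus -eq 'FullyEncrypted'
$results['Method XTS-AES 128'] = $vol.EncryptionMethod -eq 'XtsAes128'

# Step 4: a recovery password must exist alongside the TPM-based protector.
# Only the protector types are read; the recovery password value is never shown.
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
$results['TPM-based protector']         = [bool]($types -like 'Tpm*')
$results['Recovery password protector'] = $types -contains 'RecoveryPassword'

# Report each check, then an overall verdict
foreach ($check in $results.GetEnumerator()) {
    $state = if ($check.Value) { 'PASS' } else { 'FAIL' }
    '{0,-30} {1}' -f $check.Key, $state
}
"Encryption progress: $($vol.EncryptionPercentage)%"

if (@($results.Values) -contains $false) {
    'RESULT: one or more checks failed'
} else {
    'RESULT: all checks passed'
}
```

While encryption is still running, the "Fully encrypted" and "Protection on" checks report FAIL until the progress line reaches 100%.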
