BitLocker encrypts the entire contents of a drive so that if someone removes the drive and connects it to another machine, or boots from external media to bypass the Windows login, they see only unreadable encrypted data. Without the encryption key or recovery key: the drive is inaccessible to anyone who doesn’t have your credentials. For the bigger picture, our Windows 11 How-To Guides pulls everything together.
It’s available on Windows 11 Pro, Enterprise, and Education. Home edition has “Device Encryption” — a simpler, more limited version of the same technology. If your machine shows “Device Encryption” rather than “BitLocker” in settings: you’re on Home edition.
Should you enable BitLocker?
For desktop computers that stay at home: BitLocker is optional. Physical theft of the drive from a home desktop is uncommon. For laptops and portable devices: BitLocker addresses a real and common risk — laptops get lost and stolen. The contents of an unencrypted laptop (documents, browser-saved passwords, locally-cached emails) are accessible to anyone who boots the machine or removes the drive. BitLocker eliminates that risk entirely.
The short answer: on any portable device used for work, personal finance, or anything sensitive, BitLocker should be on.
Enabling BitLocker
Win+S → “BitLocker” → “Manage BitLocker” → the BitLocker Drive Encryption control panel opens. Click “Turn on BitLocker” next to the C: drive (or the drive you want to encrypt). The wizard walks through:
- Recovery key backup: choose how to save the recovery key. Options: save to Microsoft account (recommended — the key is recoverable if the device fails), save to a file (save to an external drive or network location, not the drive being encrypted), print the key. You can use multiple options simultaneously — print AND save to Microsoft account.
- Encryption scope: “Encrypt used disk space only” (faster, appropriate for new drives with no existing data) vs “Encrypt entire drive” (slower, recommended for drives that have had data on them — removes traces of deleted files in the encryption). For a laptop you’ve used for a while: “Encrypt entire drive.”
- Encryption mode: “New encryption mode” (XTS-AES, better integrity protection, Windows 10 and later only) vs “Compatible mode” (for drives that may be used in Windows 7/8). For a drive that stays in this machine: “New encryption mode.” For external drives that you might connect to older machines: “Compatible mode.”
- System check: BitLocker performs a system test before encryption begins to verify it can read the recovery key. Required for the OS drive; not for additional drives.
After the wizard: click “Start encrypting.” For a new or mostly-empty drive: encryption takes minutes. For a full drive: it runs in the background and may take hours. The PC remains usable during encryption — there’s no need to wait. The padlock icon in the drive listing shows encryption status.
The recovery key — what it is and why it matters
The recovery key is a 48-digit code that unlocks BitLocker if the normal unlock method fails. It’s needed when: the TPM chip detects something changed about the boot environment (a firmware update, hardware change, or attempted tampering), you forget your PIN (if you set one), or you move the encrypted drive to a different PC.
Without the recovery key, a locked BitLocker drive is permanently inaccessible — no bypass, no recovery option. This is the intentional design (it’s what makes BitLocker effective), but it also means losing the recovery key permanently locks you out of your own drive. Save it properly:
- Microsoft account (bitlockerrecoverykeys.microsoft.com shows keys saved to your account)
- Printed copy stored somewhere safe
- File saved to an external drive or cloud storage (not the encrypted drive itself)
If your company manages the device: IT likely has the recovery key in their management system. Verify before you rely on it — contact IT if BitLocker asks for a recovery key unexpectedly.
BitLocker and the TPM chip
BitLocker works best with a TPM (Trusted Platform Module) chip. The TPM stores the encryption keys and verifies the boot environment hasn’t been tampered with at startup. Windows 11 requires TPM 2.0, so all Windows 11 machines have a compatible TPM. With TPM: BitLocker transparent unlock works — your drive decrypts automatically when the machine boots normally (no PIN required) because the TPM confirms it’s the correct machine in the correct boot state.
BitLocker PIN adds an additional factor on top of TPM: you enter a PIN at boot before Windows starts. This provides stronger protection against “evil maid” attacks (someone with brief physical access to the machine) at the cost of entering a PIN every time you boot. For most home users: TPM-only is sufficient. For very sensitive data or high-risk environments: the PIN adds meaningful additional protection.
Our guide on Windows 11 initial setup covers BitLocker and Device Encryption in the context of first-time configuration decisions, and our guide on Windows 11 accounts covers the Microsoft account connection that stores BitLocker recovery keys. For enterprise BitLocker deployment via Intune and Group Policy, Microsoft’s BitLocker documentation covers managed deployment, recovery key rotation, and Group Policy configuration options.
Encrypting additional drives and USB drives
BitLocker To Go encrypts removable drives (USB drives, external HDDs) using the same encryption technology as the main drive. Right-click any removable drive in File Explorer → “Turn on BitLocker” → choose a password to unlock the drive → backup the recovery key. After encryption: the drive can only be accessed by entering the password on any Windows machine.
BitLocker To Go encrypted drives open in Windows 10 and 11 natively. On macOS: m3AEL and other third-party tools can read BitLocker-encrypted drives (read-only by default, some tools allow write). On Linux: Dislocker provides read access. If the drive needs to be accessed on non-Windows systems regularly: password-protecting the drive rather than encrypting it, or using an alternative cross-platform encryption tool, may be more practical.
BitLocker management and status
After encryption: Manage BitLocker shows the status of each encrypted drive. Options available per drive:
- Back up your recovery key: add another recovery key backup location if needed
- Change how drive is unlocked at startup: add or remove PIN, use TPM only
- Turn off BitLocker: decrypts the drive — takes the same amount of time as encryption. Used when preparing to sell a machine or if encryption is no longer needed.
- Suspend protection: temporarily disables encryption for the next boot. Used before major system changes (BIOS update, adding hardware) that would otherwise trigger recovery key prompts. Automatically re-enables after the next boot.
What BitLocker doesn’t protect against
BitLocker protects data at rest — when the machine is off or the drive is removed. It doesn’t protect data while the machine is running and logged in (because the drive is decrypted for normal use), doesn’t protect against malware running on the logged-in machine, and doesn’t protect against someone who knows your Windows login credentials.
The protection scenario is specific: a machine that’s lost or stolen while powered off (or in sleep mode). BitLocker is highly effective in this scenario. It’s not a substitute for strong authentication (handled by Windows Hello), regular backups (handled by OneDrive/File History), or antivirus (handled by Windows Defender). These four together — encryption, authentication, backup, antivirus — cover the main threat categories for a personal or work laptop.
| Scenario | BitLocker protects? |
| Laptop stolen while powered off | Yes — drive unreadable without credentials/recovery key |
| Drive removed and connected to another PC | Yes — encrypted data unreadable without key |
| Malware on the running machine | No — drive is decrypted during normal use |
| Attacker who knows your Windows password | No — valid credentials unlock BitLocker |
| Someone with brief physical access (TPM only) | Partially — add PIN for full protection |
BitLocker is the right tool for its specific purpose: protecting the data on a portable Windows device from physical access if it’s lost or stolen. Enabling it takes 10 minutes (plus background encryption time), storing the recovery key safely takes 2 minutes, and the protection it provides is genuine and complete for the scenario it addresses. For any laptop used for work or containing personal financial or sensitive data: it should be on.
Device Encryption on Windows 11 Home
Windows 11 Home includes a simplified version called Device Encryption. It’s enabled automatically on qualifying hardware (requires Modern Standby, a Microsoft account sign-in, and TPM 2.0) — many Home machines are already encrypted without the user knowing. Check: Settings → Privacy & security → Device encryption → see if it’s on.
Device Encryption is less configurable than BitLocker Pro: no PIN option, no management of individual drives, simpler recovery key management (always stored in the Microsoft account). For home users who want basic encryption without configuration complexity: Device Encryption is appropriate and automatically handles the most common data loss scenario (stolen laptop). For anyone wanting more control: upgrading to Windows 11 Pro unlocks full BitLocker management.
BitLocker and dual-boot systems
On machines dual-booting Windows and Linux: BitLocker with TPM-only mode causes problems. Linux bootloaders modify the boot environment in ways the TPM detects as suspicious, triggering BitLocker recovery mode every time you boot to Linux and back to Windows. Solutions: add a BitLocker PIN (so unlock happens via PIN rather than TPM verification) or exclude the Boot Configuration Data from TPM measurements (more technical, requires Group Policy or PowerShell configuration).
For dual-boot setups where this matters: the PIN approach is simpler. Admin PowerShell → manage-bde -protectors -add C: -TPMAndPIN → enter your chosen PIN when prompted → BitLocker now requires both the correct hardware (TPM) and your PIN, bypassing the TPM measurement check that causes dual-boot conflicts.
Recovering a BitLocker-protected machine
If Windows asks for a recovery key unexpectedly (after a firmware update, hardware change, or security alert): don’t panic. Go to bitlockerrecoverykeys.microsoft.com on another device (phone, another PC) → sign into your Microsoft account → your recovery keys are listed by device. Enter the 48-digit key when prompted. The machine unlocks, and you’re back to normal.
If your organisation manages the device: your IT team has the recovery key in their management console (Active Directory, Azure AD/Intune). Contact IT — they can retrieve and provide the key. Don’t attempt to reset the machine without the recovery key; this will result in permanent data loss if the drive is encrypted.
BitLocker and Secure Boot
Secure Boot and BitLocker work together to provide boot-time security. Secure Boot (configured in BIOS/UEFI) ensures only signed bootloaders run. BitLocker’s TPM measurements include the Secure Boot state — if Secure Boot is disabled, BitLocker detects the change and requests the recovery key. Keep Secure Boot enabled to avoid unexpected recovery key prompts. If you need to disable Secure Boot temporarily: suspend BitLocker first (Manage BitLocker → Suspend protection), make the change, and BitLocker resumes after the next boot without triggering recovery mode.
The integration of Secure Boot, TPM, and BitLocker in Windows 11 represents a significantly stronger security foundation than previous Windows versions. Windows 11’s hardware requirements (TPM 2.0, Secure Boot capable hardware) exist specifically to enable this kind of layered security — BitLocker is more effective on Windows 11 hardware than it was on older machines because the hardware requirements guarantee the foundation it relies on is present.
Managing BitLocker via PowerShell and command line
For administrators managing BitLocker on multiple machines or needing scriptable control: the manage-bde command-line tool and BitLocker PowerShell module provide full control. Useful commands:
manage-bde -status— shows BitLocker status for all drivesmanage-bde -on C: -RecoveryPassword— enables BitLocker with a recovery passwordmanage-bde -protectors -get C:— shows all key protectors (TPM, PIN, recovery key ID)manage-bde -off C:— decrypts the driveSuspend-BitLocker -MountPoint "C:" -RebootCount 1— suspends for one reboot (useful before firmware updates)
PowerShell BitLocker commands (Get-BitLockerVolume, Enable-BitLocker, Backup-BitLockerKeyProtector) provide the same functionality with PowerShell syntax, useful when scripting BitLocker management across multiple machines via Intune or SCCM. In managed environments: Group Policy controls BitLocker configuration organisation-wide, ensuring consistent encryption settings across all corporate devices without requiring manual configuration per machine. Our guide on Windows 11 Disk Management covers an adjacent issue.
BitLocker is one of the security features that should simply be on for any portable Windows 11 Pro machine. The “is it worth the complexity?” question answers itself quickly when you consider that encryption at rest is transparent during normal use — you don’t enter extra passwords, you don’t have slower performance in any meaningful sense, and the drive unlocks automatically via TPM when the correct machine boots normally. The only time you interact with BitLocker is during initial setup and if you ever need the recovery key. That’s a good trade for complete protection against one of the most common data loss scenarios for laptops. See also Windows 11 Clipboard History for a related case.







