
February 2021: BitLocker data encryption and TPM maneuver

BitLocker is the Windows encryption technology that protects your data from unauthorized access by encrypting your drive and requiring one or more factors of authentication before it will unlock it, whether for regular Windows use or an unauthorized access attempt.

BitLocker is good because it is nicely integrated into Windows and easy to operate. Since it was designed to “protect the integrity of the operating system,” most people who use it run it in TPM mode; for best results your computer must be equipped with a Trusted Platform Module (TPM) chip. This is a special microchip that enables your device to support advanced security features.

How to turn on BitLocker

Before you begin, make sure BitLocker can be enabled on your computer: BitLocker Drive Encryption is available only on Windows 10 Pro and Windows 10 Enterprise. Keep your computer connected to an uninterruptible power supply throughout the entire process.

Follow these steps:

1.      Use the Windows key + X keyboard shortcut to open the Power User menu and select Control Panel.

2.      Click System and Security.

3.      Click BitLocker Drive Encryption.


4.      Under BitLocker Drive Encryption, Click Turn on BitLocker.


5.      Choose how you want to unlock your drive during startup: Insert a USB flash drive or Enter a password. For the purpose of the guide, select Enter a password to continue.



6.      Enter a password that you'll use every time you boot Windows 10 to unlock the drive, and click Next to continue. (Make sure to create a strong password mixing uppercase, lowercase, numbers, and symbols.)



7.      You will be given the choice to save a recovery key to regain access to your files in case you forget your password. Options include:

o    Save to your Microsoft account

o    Save to a USB flash drive

o    Save to a file

o    Print the recovery key

Select the option that is most convenient for you, and save the recovery key in a safe place.

Quick Tip: If you trust the cloud, you can choose to save your recovery key in your Microsoft account using the Save to your Microsoft account option. In that case, you can retrieve your recovery key at this location: https://onedrive.live.com/recoverykey.

8.      Click Next to continue.



9.      Select the encryption option that best suits your scenario:

o    Encrypt used disk space only (faster and best for new PCs and drives)

o    Encrypt the entire drive (slower but best for PCs and drives already in use)



10.  Choose between the two encryption options:

o    New encryption mode (best for fixed drives on this device)

o    Compatible mode (best for drives that can be moved from this device)

On Windows 10 version 1511, Microsoft introduced support for the XTS-AES encryption algorithm. This newer encryption method provides additional integrity support and protection against attacks that manipulate ciphertext to cause predictable modifications in the cleartext. BitLocker supports 128-bit and 256-bit XTS-AES keys.

11.  Click Next to continue.


12.  Make sure to check the Run BitLocker system check option, and click Continue.



13.  Finally, restart your computer to begin the encryption process.

14.  On reboot, BitLocker will prompt you to enter your encryption password to unlock the drive. Type the password and press Enter.
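The same choices the steps above make in the GUI can be issued from an elevated PowerShell prompt. This is an added example, not part of the original tip; it assumes the operating system drive is C:, that the "Allow BitLocker without a compatible TPM" policy is set (the password option needs it, exactly as the GUI path does), and a file path of my own choosing for the recovery key.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell prompt.
# Assumptions: OS drive is C:; policy allows BitLocker with a password instead of a TPM.
$mount = "C:"

# Step 7: add a 48-digit recovery password first, then save it to a file
# (the scripted counterpart of "Save to a file").
$vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Select-Object -Last 1
# Assumed output path; move the file off this drive before you reboot, since the
# drive it sits on is the one being encrypted.
$out = Join-Path $env:USERPROFILE "BitLocker-Recovery-Key-$($rp.KeyProtectorId).txt"
"Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" |
    Set-Content -Path $out
Write-Host "Recovery key saved to $out"

# Step 6: the startup password, read as a SecureString so it is not left in the
# console history.
$startupPassword = Read-Host -Prompt "Startup password for $mount" -AsSecureString

# Steps 9 and 10: encrypt used space only and use the "new encryption mode" (XTS-AES 256).
# Leaving out -SkipHardwareTest keeps the system check of step 12; encryption starts
# after the reboot of step 13.
# With a TPM (the "TPM mode" mentioned earlier) replace
#   -PasswordProtector -Password $startupPassword
# with -TpmProtector.
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $startupPassword `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly

# Step 13: restart to run the system check and begin encrypting.
# Restart-Computer
```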



After rebooting, you'll notice that your computer will quickly boot to the Windows 10 desktop. However, if you go to Control Panel > System and Security > BitLocker Drive Encryption, you'll see that BitLocker is still encrypting your drive. Depending on the option you selected and the size of the drive, this process can take a long time, but you'll still be able to work on your computer.


Once the encryption process completes, the drive label should read BitLocker on.


You can verify that BitLocker is turned on by the lock icon on the drive when you open This PC in File Explorer.
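The lock icon only tells you that BitLocker is on. To also confirm the TPM state that TPM mode depends on, the encryption mode chosen in step 10, and that the recovery key from step 7 really exists, here is an added PowerShell check that is not part of the original tip; it assumes an elevated prompt, that the OS drive is C:, and the built-in Get-Tpm and Get-BitLockerVolume cmdlets.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell prompt.
function Test-BitLockerConfiguration {
    [CmdletBinding()]
    param([string]$MountPoint = "C:")   # assumed OS drive letter

    # TPM state: "TPM mode" needs a TPM that is present and ready.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Check  = "TPM present and ready"
        Result = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        Detail = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) Enabled=$($tpm.TpmEnabled)"
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # "BitLocker on" means fully encrypted AND protection active (not suspended).
    [pscustomobject]@{
        Check  = "Volume encrypted and protection on"
        Result = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
        Detail = "Status=$($vol.VolumeStatus) Protection=$($vol.ProtectionStatus) Progress=$($vol.EncryptionPercentage)%"
    }

    # Step 10: the "new encryption mode" is XTS-AES; older AES-CBC methods are flagged.
    [pscustomobject]@{
        Check  = "XTS-AES in use"
        Result = ($vol.EncryptionMethod -in 'XtsAes128', 'XtsAes256')
        Detail = "EncryptionMethod=$($vol.EncryptionMethod)"
    }

    # Step 7: without a recovery password, a forgotten startup password means lost data.
    [pscustomobject]@{
        Check  = "Recovery password protector exists"
        Result = ('RecoveryPassword' -in $protectorTypes)
        Detail = "Protectors=$($protectorTypes -join ',')"
    }
}

Test-BitLockerConfiguration | Format-Table -AutoSize
```

Any row whose Result is False points at the step above that was skipped or that used the weaker choice.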


BitLocker Drive Encryption options

When BitLocker is enabled on your main hard drive, you'll get a few additional options, including:

·         Suspend protection: While protection is suspended, your data is not protected. Typically, you would use this option before applying an operating system, firmware, or hardware upgrade. If you don't resume protection yourself, BitLocker resumes it automatically during the next reboot.

·         Back up your recovery key: If you lose your recovery key, and you're still signed into your account, you can use this option to create a new backup of the key with the options listed in step 7.

·         Change password: You can use this option to create a new encryption password, but you'll still need to supply the current password to make the change.

·         Remove password: You can't use BitLocker without a form of authentication. You can remove a password only when you configure a new method of authentication.

·         Turn off BitLocker: If you no longer need encryption on your computer, BitLocker provides a way to decrypt all your files. However, be aware that after turning off BitLocker your sensitive data will no longer be protected. In addition, decryption may take a long time to complete depending on the size of the drive, but you can still use your computer while it runs.

Similar to BitLocker, device encryption is a feature designed to protect your data from unauthorized access in the unexpected case that your laptop is lost or stolen. When the feature is enabled, the entire system drive and any secondary drives connected to your device are scrambled, and only you, with the correct password, can access the data.

The biggest difference between the two is that device encryption is available on all the editions of Windows 10, while BitLocker is only available for Windows 10 Pro, Enterprise, or Education, and offers some additional management tools.

How to encrypt a hard drive on Windows 10 Home (and Windows 10 Pro)

To see if your laptop or desktop computer meets the requirements for device encryption, use these steps.

1.      Open Start.

2.      Search for System Information, right-click the top result, and select the Run as administrator option.

3.      Click the System Summary branch from the left pane.

4.      Check the "Device Encryption Support" item; if it reads Meets prerequisites, then your computer supports device encryption.


After you complete the steps, you can proceed to enable encryption on the entire system.

Enabling device encryption

To enable device encryption on your Windows 10 Home laptop or desktop computer, use these steps:

1.      Open Settings.

2.      Click on Update & Security.

3.      Click on Device encryption.

A quick tip: If the "Device encryption" page isn't available, then it's likely that your device doesn't support the encryption feature.

4.      Under the "Device encryption" section, click the Turn on button.



Once you complete the steps, Windows 10 will turn on encryption for the current and future files you store on your computer.

Configure TPM on UEFI

If you know that the device has a TPM chip, but it's disabled, you can refer to these steps to enable it:

1.      Open Settings.

2.      Click on Update & Security.

3.      Click on Recovery.

4.      Under the "Advanced startup" section, click the Restart now button.



5.      Click on Troubleshoot.


6.      Click on Advanced options.


7.      Click on UEFI Firmware Settings.


8.      Click the Restart button.


9.      Locate the security settings.

Quick note: You may need to consult your manufacturer support website for more specific details to find the TPM settings.

10.  Enable the TPM feature.

After you complete the steps, you should be able to enable device encryption on your computer running Windows 10 Home to protect your files.

Disabling device encryption

To disable device encryption on your Windows 10 Home device, use these steps:

1.      Open Settings.

2.      Click on Update & Security.

3.      Click on Device encryption.

4.      Under the "Device encryption" section, click the Turn off button.


5.      Click the Turn off button again to confirm.

After you complete the steps, the device will go through the decryption process, which, depending on the amount of data, can take a very long time.

We're focusing this guide on Windows 10 Home users, but this option, as well as BitLocker, is also available for devices running Windows 10 Pro with supported hardware.

Compiled by Esther Nyapendi, Tech Support Volunteer
