Home / Software / Microsoft / Windows 11 / How to Enable BitLocker in Windows 11

How to Enable BitLocker in Windows 11

Table of Contents

BitLocker is Windows 11’s built-in drive encryption. It encrypts your entire hard drive so that if your laptop is stolen or lost, nobody can access your files without your password or recovery key — even by removing the drive and putting it in another PC. It is available on Windows 11 Pro and Enterprise. Here is how to enable it.

Before You Start

  • BitLocker requires Windows 11 Pro or Enterprise. Home edition has a limited version called Device Encryption (covered below).
  • Your PC needs a TPM chip (Trusted Platform Module), version 1.2 or later. Most PCs made after 2016 have one. Windows 11 requires TPM 2.0, so if you can run Windows 11, your PC almost certainly qualifies.
  • Save your BitLocker recovery key somewhere safe before you start — if you ever forget your PIN or the TPM fails, this 48-digit key is the only way to access your drive.

How to Enable BitLocker on the C: Drive

  1. Open File Explorer (Win + E)
  2. Right-click your C: drive under This PC
  3. Select Turn on BitLocker
  4. Choose how to unlock the drive at startup:
    • Enter a PIN — you type a PIN each time you start the PC. Most secure option for laptops.
    • Insert a USB flash drive — a USB drive acts as the key. Not practical for most users.
    • Let BitLocker automatically unlock — no extra step at startup; the TPM handles everything. Least disruptive for desktop PCs.
  5. Choose how to back up your recovery key:
    • Save to your Microsoft account — easiest option; recoverable from account.microsoft.com
    • Save to a USB flash drive
    • Save to a file — save the key file to a safe location (not the drive you are encrypting)
    • Print the recovery key — keep the printout in a secure place
  6. Choose Encrypt entire drive (recommended for drives already in use) or Encrypt used disk space only (faster for new drives)
  7. Choose encryption mode: New encryption mode (XTS-AES 128-bit) for fixed internal drives; Compatible mode only if the drive will also be used on older Windows versions
  8. Click Start encrypting

Encryption runs in the background. You can continue using your PC. The time it takes depends on drive size — a 500 GB drive typically takes 1–2 hours.

How to Check BitLocker Status

Right-click any drive in File Explorer. If BitLocker is on, you will see Manage BitLocker instead of Turn on BitLocker. The drive also shows a padlock icon.

From Command Prompt as Administrator:

manage-bde -status

This lists all drives and their encryption status, percentage complete, and protection status.

How to Encrypt a USB Drive or External Drive

BitLocker To Go encrypts USB drives and external hard drives using the same process:

  1. Insert the USB drive
  2. Right-click it in File Explorer and select Turn on BitLocker
  3. Choose a password to unlock the drive (this is what you enter when you plug it into any PC)
  4. Save the recovery key
  5. Start encrypting

Encrypted USB drives can be opened on any Windows PC — you will be prompted for the password when you plug it in.

How to Find Your BitLocker Recovery Key

If you saved it to your Microsoft account, go to account.microsoft.com/devices/recoverykey — all recovery keys linked to your account are listed there.

If your organisation manages your PC (joined to a domain or Azure AD), your IT administrator can retrieve it from Active Directory or Microsoft Entra ID.

BitLocker on Windows 11 Home — Device Encryption

Windows 11 Home does not have the full BitLocker interface, but it has Device Encryption — a simplified version that encrypts the entire drive automatically if your PC meets the requirements (Modern Standby, TPM 2.0, UEFI firmware).

Check if it is available: go to Settings → Privacy & security → Device encryption. If the toggle is there, you can turn it on.

Device Encryption links to your Microsoft account — if you ever need the recovery key, it is stored there.

How to Disable BitLocker

  1. Right-click the encrypted drive in File Explorer
  2. Select Manage BitLocker
  3. Click Turn off BitLocker
  4. Confirm — Windows decrypts the drive in the background

Decryption takes the same amount of time as encryption. You can use the PC while it runs.

Troubleshooting

“This Device Cannot Use a Trusted Platform Module”

Your TPM may be disabled in the UEFI/BIOS. Restart your PC, enter the BIOS setup (usually Del or F2 at startup), and look for a TPM or Security setting to enable it. On some systems it is labelled PTT (Platform Trust Technology) or fTPM.

BitLocker Keeps Asking for the Recovery Key on Startup

This usually happens after a hardware change, BIOS update, or change to the boot configuration. Enter the recovery key to unlock, then go to Manage BitLocker → Suspend protection → Resume protection to re-sync BitLocker with the TPM.

Forgot the BitLocker PIN

At the startup unlock screen, press Escape — you can enter the 48-digit recovery key instead. Retrieve it from your Microsoft account at account.microsoft.com/devices/recoverykey.

Stuart Stafford

S Stafford is a UK-based IT consultant and technology writer with over 30 years of hands-on experience in the industry, dating back to 1993. He specialises in cybersecurity, networking, server infrastructure, and AI tools for small and medium businesses, and writes practical guides aimed at helping UK business owners understand and implement technology confidently.

Sign Up For Daily Newsletter

Stay updated with our weekly newsletter. Subscribe now to never miss an update!

[mc4wp_form]

Leave a Reply

Your email address will not be published. Required fields are marked *