How to Enable BitLocker Drive Encryption on Business Laptops

Jeremy Phillips·February 4, 2026·5 min read·intermediate

BitLocker encrypts the entire hard drive on a Windows laptop so that if the device is lost or stolen, nobody can read the data without the correct credentials. For any business laptop that leaves the office, enabling BitLocker is one of the most important security steps you can take. Most cyber insurance policies now require full disk encryption, and compliance frameworks like HIPAA and PCI DSS expect it as a baseline control.

The good news is that BitLocker is built into Windows Pro and Enterprise at no additional cost, and on modern hardware with an SSD, you will not notice any performance impact.

What You Will Need

Before you begin, confirm you have the following:

  • Windows 10 or 11 Pro or Enterprise. BitLocker is not available on Windows Home. If you are unsure which edition you have, go to Settings > System > About and look for the "Edition" line.
  • A TPM (Trusted Platform Module) chip, version 1.2 or later. Virtually all business laptops manufactured after 2016 include one. You will verify this in Step 1 below.
  • Administrator access to the device.
  • A plan for storing BitLocker recovery keys securely. This is critical. If you lose the recovery key and the user gets locked out, the data on the drive is permanently inaccessible.

Why BitLocker Matters for Your Business

A lost or stolen laptop without encryption is an open book. Anyone with basic tools and a few minutes can remove the hard drive, plug it into another computer, and read every file on it. Client records, financial data, saved passwords, email archives, all of it.

With BitLocker enabled, the drive is unreadable without the correct Windows login or recovery key. That means if a laptop goes missing, you can report it to your insurance carrier and your clients with confidence that the data is protected.

Beyond the security benefit, BitLocker is required by most cyber insurance policies and by compliance frameworks including HIPAA, PCI DSS, and CIS Controls. If you are ever audited or need to file a claim, having encryption enabled on every device is something you will need to demonstrate.

On modern hardware with solid-state drives, BitLocker runs with no noticeable performance impact. Your employees will not feel a difference.

Step 1: Verify That TPM Is Available and Enabled

Press Windows + R on your keyboard to open the Run dialog. Type tpm.msc and press Enter. This opens the TPM Management window.

If the TPM is working correctly, you will see a status message that reads "The TPM is ready for use." You should also see the TPM version listed (2.0 is ideal, and 1.2 will work).

If the window says TPM is not found, the chip may be disabled in the BIOS. Restart the computer and enter the BIOS setup (usually by pressing F2, F12, or Delete during startup, depending on the manufacturer). Navigate to the Security section and look for a TPM setting. Enable it, save your changes, and boot back into Windows. Then run tpm.msc again to confirm.

If the device genuinely has no TPM, which is rare on any business laptop from the last decade, BitLocker can still work using a USB startup key. However, this is not recommended for most businesses because the employee would need to insert the USB key every time the laptop starts, and if the USB key is lost alongside the laptop, the encryption is compromised.

Step 2: Enable BitLocker

There are two paths depending on your Windows version.

On Windows 11: Go to Settings > Privacy & security > Device encryption. If the device meets the requirements, you will see a toggle to turn on device encryption. Toggle it on.

On Windows 10 or 11 (full BitLocker settings): Open Control Panel > System and Security > BitLocker Drive Encryption. Click Turn on BitLocker next to your C: drive.

Windows will walk you through a short setup wizard. When prompted for the encryption method, select XTS-AES 256-bit. This is the most secure option and is the standard for business use.

Next, you will be asked what to encrypt. Choose "Encrypt entire drive" if the laptop has been in use and contains existing data. Choose "Encrypt used disk space only" if the laptop is brand new and has not been used yet; this option is faster because it only encrypts the portions of the drive that contain data (new data will be encrypted automatically going forward).

Once you confirm, encryption begins in the background. The laptop can be used normally while this runs. Encryption time depends on the drive size and type. A 256 GB SSD typically takes 30 to 60 minutes. A larger or slower drive may take longer.

Step 3: Back Up the Recovery Key (This Is Critical)

During the BitLocker setup wizard, Windows will prompt you to back up your recovery key. The recovery key is a 48-digit numerical code that can unlock the drive if normal login fails. Do not skip this step.

Best option: Save to Entra ID. If the device is joined to your company's Entra ID (formerly Azure AD) tenant, select the option to save the recovery key to your Azure AD account. The key is then stored securely in the Entra admin center, where any authorized IT administrator can retrieve it. This is the recommended approach because recovery keys are centrally managed and cannot be lost by individual employees.

Alternative: Save to a USB drive. Save the key file to a USB drive and store that USB drive in a secure location, not with the laptop itself.

Alternative: Print it. Print the recovery key and store the printed copy in a locked cabinet or safe.

There are two things you should never do with recovery keys. First, do not save the recovery key only on the encrypted drive itself. If you are locked out of the drive, you will not be able to access the key. Second, do not email recovery keys in plain text. If the email account is compromised, the attacker would have the key to decrypt the drive.

If a recovery key is lost and the user gets locked out, the data on the drive is permanently inaccessible. There is no backdoor.

Step 4: Verify That Encryption Is Active

After encryption completes, verify the status. Go to Control Panel > BitLocker Drive Encryption. The status should show "BitLocker on" next to your C: drive, along with a note that the drive is encrypted.

For a more detailed check, open PowerShell as administrator (right-click the Start button, select Terminal (Admin) or Windows PowerShell (Admin)) and run:

manage-bde -status C:

Look for two lines in the output: "Protection Status: Protection On" and "Encryption Method: XTS-AES 256." If both are present, BitLocker is fully active and using the strongest encryption method.
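Steps 1 through 4 above, scripted for one laptop in PowerShell as an added example (not code from the original article or from Athencia): it checks the TPM, creates and escrows a recovery password before any encryption starts, turns on XTS-AES 256 with the TPM protector, and reports the same two fields you check with manage-bde. It assumes the built-in TrustedPlatformModule and BitLocker modules; the -UsedSpaceOnly switch is the script's own parameter.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Drives Steps 1-4 for one laptop
# using the built-in TrustedPlatformModule and BitLocker modules (assumed).
param(
    [string]$MountPoint = 'C:',
    [switch]$UsedSpaceOnly   # brand-new laptop only, as the article advises
)
# Step 1: the TPM must be present and ready; otherwise enable it in BIOS first.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready. Enable it in BIOS/UEFI setup and rerun.'
}
$vol = Get-BitLockerVolume -MountPoint $MountPoint
# Step 3 first: make sure a 48-digit recovery password protector exists before
# any encryption starts, so there is always a key to escrow.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
      Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}
# Escrow the recovery password to the device object in Entra ID. This only works on
# an Entra-joined device; otherwise show the key so it can be printed or saved to USB
# (never to the encrypted drive itself, and never sent by plain-text email).
try {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    Write-Host "Recovery key $($rp.KeyProtectorId) escrowed to Entra ID."
} catch {
    Write-Warning "Entra ID escrow failed ($($_.Exception.Message)). Back up this key offline now:"
    Write-Warning $rp.RecoveryPassword
}
# Step 2: bind the volume to the TPM and encrypt with XTS-AES 256.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    $opts = @{ MountPoint = $MountPoint; EncryptionMethod = 'XtsAes256'
               TpmProtector = $true; SkipHardwareTest = $true }
    if ($UsedSpaceOnly) { $opts.UsedSpaceOnly = $true }
    Enable-BitLocker @opts | Out-Null
}
# Step 4: the same fields you check with manage-bde -status. Compliant becomes
# true once Protection is On and the method is XTS-AES 256.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    Volume           = $MountPoint
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionMethod = $vol.EncryptionMethod
    PercentDone      = $vol.EncryptionPercentage
    Compliant        = ($vol.ProtectionStatus -eq 'On' -and $vol.EncryptionMethod -eq 'XtsAes256')
}
```

Run it as administrator on the laptop itself; re-running after encryption finishes gives the final compliance line without changing anything.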

Managing BitLocker Across Multiple Devices

If your office has more than a handful of laptops, enabling BitLocker one machine at a time is not practical. This is where Microsoft Intune becomes valuable. If your business uses Microsoft 365 Business Premium, Intune is included at no extra cost.

With Intune, you can create a device configuration policy that enforces BitLocker automatically on every enrolled device. When a new laptop is enrolled, Intune pushes the BitLocker policy and encryption begins without anyone needing to touch the machine manually. Recovery keys are automatically stored in Entra ID, so your IT team can retrieve them from a central console whenever needed.

Intune also provides compliance policies that flag any device where BitLocker is not active. You can pull reports showing encryption status across your entire fleet, which is exactly what auditors and insurance carriers ask for. This is how Athencia manages BitLocker for its clients: encryption is enforced by policy, recovery keys are centrally stored, and compliance is continuously monitored through the Athencia One Portal.

When the Recovery Key Is Needed

There are several situations where BitLocker will ask for the recovery key instead of allowing a normal login:

  • After a BIOS or firmware update. Changes to the system firmware can trigger BitLocker's tamper detection.
  • If the TPM detects a change to the boot configuration. This is a security feature; if something in the startup process has changed unexpectedly, BitLocker wants to verify the user is authorized.
  • If the hard drive is moved to a different computer. BitLocker ties the encryption to the specific TPM chip in the original device.
  • After certain Windows updates. This is rare, but some major updates can trigger a recovery key prompt.
  • If the user forgets their Windows password and the device locks out.

In all of these cases, having recovery keys stored centrally in Entra ID means your IT team (or Athencia's support team) can retrieve the key and get the user back into their laptop within minutes rather than hours.

Need Help?

Enabling BitLocker on a single laptop is straightforward, but managing encryption across an entire office requires the right policies and tools. If you need help enforcing BitLocker across your devices or setting up centralized recovery key management, reach out to Athencia. We will get your fleet encrypted and compliant.
