BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.
New files are automatically encrypted when you save them to a drive encrypted by BitLocker. However, if you copy these files to another drive or a different PC not encrypted by BitLocker, the files are automatically decrypted.
BitLocker checks the PC during startup for any conditions that could represent a security risk (for example, a change to the BIOS software that starts the operating system when you turn on your PC, or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and you'll need a special BitLocker recovery key to unlock it.
You can choose to unlock BitLocker at startup for the operating system drive with a PIN, with a USB flash drive, or automatically with TPM.
This tutorial will show you how to turn on BitLocker Drive Encryption for an operating system drive in Windows 11.
You must be signed in as an administrator to turn on BitLocker Drive Encryption for an operating system drive.
BitLocker Drive Encryption is only available in the Windows 11 Pro, Enterprise, and Education editions.
EXAMPLE: BitLocker turned on for OS drive in File Explorer > This PC, and if you choose to unlock BitLocker at startup with a PIN
If you like, set a default encryption method (XTS-AES or AES-CBC) and cipher strength (128 bit or 256 bit) you want used by BitLocker.
BitLocker Drive Encryption uses AES-CBC 128 bit by default for operating system drives.
XTS-AES 256 bit offers the strongest encryption strength available for BitLocker.
Do step 3 (automatically with TPM) or step 4 (add PIN and USB) below for how you want to unlock BitLocker for the OS drive at startup.
If you want to use a PIN to unlock BitLocker for the OS drive, you can also enable enhanced PINs for startup and specify a minimum PIN length.
This will add "Change how drive is unlocked at startup" to the BitLocker Manager operating system drive settings in Control Panel > BitLocker Drive Encryption.
Open This PC in File Explorer (Win+E).
Right click or press and hold on the OS drive (ex: "C") you want to encrypt with BitLocker, and click/tap on Turn on BitLocker.
Choose how (ex: PIN, USB, or automatically with TPM) you want to unlock the OS drive at startup.
Enter a PIN = This option allows you to unlock the operating system drive at startup with a 6-20 digit PIN.
Insert USB flash drive = This option allows you to unlock the operating system drive with a connected USB flash drive with the startup key saved on it.
Let BitLocker automatically unlock my drive = This option allows BitLocker to automatically unlock the OS drive at startup with TPM.
Select how (Microsoft account, file, and/or print) you want to back up your BitLocker recovery key for this OS drive.
Microsoft account = This option is only available if you are signed in to Windows 11 with a Microsoft account. It will save the BitLocker recovery key to your Microsoft account online at https://account.microsoft.com/devices/recoverykey.
File = This option will save the BitLocker recovery key to a TXT file at a folder location you select.
Print = This option will print the BitLocker recovery key to the selected printer.
When finished backing up your BitLocker recovery key where you want, click/tap on Next.
Select (dot) Encrypt used disk space only or Encrypt entire drive for how much of your drive to encrypt right now, and click/tap on Next.
It is recommended to select Encrypt entire drive.
Select (dot) which encryption mode to use, and click/tap on Next.
If you did step 1 above to set a default encryption method and cipher strength, then you will not have this setting available since BitLocker will use what you set in step 1 instead.
New encryption mode (XTS-AES 128-bit) = Select this mode if this is a fixed drive or if this drive will only be used on devices running Windows 10 or Windows 11.
Compatible mode (AES-CBC 128-bit) = Select this mode if this is a removable drive that you're going to use on an older version of Windows (ex: Vista, Windows 7, or Windows 8/8.1).
Uncheck or check (recommended) the Run BitLocker system check box for what you want, and click/tap on Continue (checked) or Start encrypting (unchecked) when ready to start encrypting.
The operating system drive will now start encrypting.
This could take a long time to finish depending on the size of the drive and how much data on the drive is being encrypted.
When encryption has finished, click/tap on Close.
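A read-only check of the result of the steps above, added here as an example and not part of the original tutorial: it reads the OS drive with Get-BitLockerVolume and flags an unfinished or suspended volume, a cipher other than XTS-AES 256, TPM-only startup unlock, and a missing recovery password. Test-OsDriveBitLocker and the $sample object are a hypothetical helper name and constructed data; the live call needs an elevated PowerShell session.

```powershell
# Added example: read-only audit of the OS drive after the wizard finishes.
function Test-OsDriveBitLocker {   # hypothetical helper name
    param(
        # Volume object; defaults to the live OS drive (usually C:).
        $Volume = (Get-BitLockerVolume -MountPoint $env:SystemDrive)
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Encryption must be complete and protection must not be suspended.
    if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($Volume.VolumeStatus) ($($Volume.EncryptionPercentage)% encrypted)")
    }
    if ("$($Volume.ProtectionStatus)" -ne 'On') {
        $findings.Add('Protection is off or suspended')
    }
    # Cipher: the tutorial names XTS-AES 256 bit as the strongest choice.
    if ("$($Volume.EncryptionMethod)" -ne 'XtsAes256') {
        $findings.Add("Encryption method is $($Volume.EncryptionMethod), not XtsAes256")
    }
    # Startup unlock: TPM-only unlocks with no user input at boot.
    if ($types -contains 'Tpm' -and -not ($types -match 'Pin|StartupKey')) {
        $findings.Add('TPM-only unlock: no PIN or USB startup key is required at boot')
    }
    # Recovery: the backed-up recovery key appears as a RecoveryPassword protector.
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add('No recovery password protector exists on this volume')
    }
    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Protectors = $types -join ', '
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Constructed sample: "New encryption mode (XTS-AES 128-bit)" with TPM auto-unlock.
$sample = [pscustomobject]@{
    MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
    EncryptionMethod = 'XtsAes128'; EncryptionPercentage = 100
    KeyProtector = @(
        [pscustomobject]@{ KeyProtectorType = 'Tpm' },
        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
    )
}
Test-OsDriveBitLocker -Volume $sample | Format-List
# On a real machine (elevated): Test-OsDriveBitLocker | Format-List
```

For the constructed sample this reports two findings: the XtsAes128 cipher and TPM-only unlock.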
- Turn On or Off Device Encryption in Windows 11
- Enable or Disable BitLocker to Unlock OS drive at Startup with PIN and USB in Windows 11
- Change how BitLocker Unlocks OS Drive at Startup in Windows 11
- Turn On BitLocker for Fixed Data Drive in Windows 11
- Turn On BitLocker for Removable Data Drive in Windows 11
- Turn Off BitLocker for Drive in Windows 11
- Add Turn off BitLocker context menu in Windows 11
- Add or Remove Turn on BitLocker context menu in Windows 11
- Add BitLocker Status for Drive Context Menu in Windows 11
- Add Suspend BitLocker protection to Context Menu in Windows 11
- Turn On or Off Auto-unlock for BitLocker Drive in Windows 11