Turn On BitLocker for Operating System Drive in Windows 11



BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers.

New files are automatically encrypted when you save them to a drive encrypted by BitLocker. However, if you copy these files to another drive or a different PC not encrypted by BitLocker, the files are automatically decrypted.

BitLocker checks the PC during startup for any conditions that could represent a security risk (for example, a change to the BIOS software that starts the operating system when you turn on your PC, or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and you'll need a special BitLocker recovery key to unlock it.

You can choose to unlock BitLocker at startup for the operating system drive with a PIN, with a USB flash drive, or automatically with the TPM.

BitLocker is turned on by default for devices (ex: tablet or 2-in-1) that support Modern Standby.

This tutorial will show you how to turn on BitLocker Drive Encryption for an operating system drive in Windows 11.


You must be signed in as an administrator to turn on BitLocker Drive Encryption for an operating system drive.

BitLocker Drive Encryption is only available in the Windows 11 Pro, Enterprise, and Education editions.



EXAMPLE: BitLocker turned on for OS drive in File Explorer > This PC, and if you choose to unlock BitLocker at startup with a PIN

BitLocker_This-PC.png

BitLocker_PIN_at_startup.png




Here's How:

1 If you like, set a default encryption method (XTS-AES or AES-CBC) and cipher strength (128 bit or 256 bit) you want used by BitLocker.

BitLocker Drive Encryption uses AES-CBC 128 bit by default for operating system drives.

XTS-AES 256 bit offers the strongest encryption strength available for BitLocker.


2 Do step 3 (automatically with TPM) or step 4 (add PIN and USB) below for how you want to unlock BitLocker for the OS drive at startup.


3 To Only Unlock BitLocker for Operating System Drive at Startup Automatically with TPM

A) No need to do anything else. Go to step 5 below.


4 To Unlock BitLocker for Operating System Drive at Startup with PIN, USB, or Automatically with TPM

If you want to use a PIN to unlock BitLocker for the OS drive, you can also enable enhanced PINs for startup and specify a minimum PIN length.

This will add Change how drive is unlocked at startup to the BitLocker operating system drive settings in Control Panel > BitLocker Drive Encryption.


A) For how, see:


B) Go to step 5 below.

5 Open This PC in File Explorer (Win+E).

6 Right click or press and hold on the OS drive (ex: "C") you want to encrypt with BitLocker, and click/tap on Turn on BitLocker. (see screenshot below)

BitLocker_OS-1.png

7 Choose how (ex: PIN, USB, or automatically with TPM) you want to unlock the OS drive at startup. (see screenshot below)

This step will only be available if you did step 4.

If you didn't do step 4, go to step 8 instead.


BitLocker_OS-2.png

Enter a PIN = This option allows you to unlock the operating system drive at startup with a 6-20 digit PIN.

BitLocker_OS-3.png

Insert USB flash drive = This option allows you to unlock the operating system drive with a connected USB flash drive with the startup key saved on it.

BitLocker_OS-4.png

Let BitLocker automatically unlock my drive = This option allows BitLocker to automatically unlock the OS drive at startup with TPM.


8 Select how (Microsoft account, file, and/or print) you want to back up your BitLocker recovery key for this OS drive. (see screenshot below)

Microsoft account = This option is only available if you are signed in to Windows 11 with a Microsoft account. It will save the BitLocker recovery key to your Microsoft account online at https://account.microsoft.com/devices/recoverykey.

File = This option will save the BitLocker recovery key to a TXT file in a folder location you select.

Print = This option will print the BitLocker recovery key to the selected printer.


BitLocker_OS-5.png

9 When finished backing up your BitLocker recovery key where you want, click/tap on Next. (see screenshot below)

BitLocker_OS-6.png

10 Select (dot) Encrypt used disk space only or Encrypt entire drive for how much of your drive to encrypt right now, and click/tap on Next. (see screenshot below)

It is recommended to select Encrypt entire drive.


BitLocker_OS-7.png

11 Select (dot) which encryption mode to use, and click/tap on Next. (see screenshot below)

If you did step 1 above to set a default encryption method and cipher strength, then you will not have this setting available since BitLocker will use what you set in step 1 instead.

New encryption mode (XTS-AES 128-bit) = Select this mode if this is a fixed drive or if this drive will only be used on devices running Windows 10 or Windows 11.

Compatible mode (AES-CBC 128-bit) = Select this mode if this is a removable drive that you're going to use on an older version of Windows (ex: Vista, Windows 7, or Windows 8/8.1).


BitLocker_OS-8.png

12 Uncheck or check (recommended) the Run BitLocker system check box for what you want, and click/tap on Continue (checked) or Start encrypting (unchecked) when ready to start encrypting. (see screenshot below)

If you check the box, you will need to click/tap on Restart now after clicking on "Continue".

BitLocker_OS-11.png BitLocker_OS-10.png


BitLocker_OS-9.png

13 The operating system drive will now start encrypting. (see screenshot below)

This could take a long time to finish depending on the size of the drive and how much data on the drive is being encrypted.


BitLocker_OS-12.png

14 When encryption has finished, click/tap on Close. (see screenshot below)

BitLocker_OS-13.png
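The same choices the wizard asks for in steps 6-13 can be made from an elevated PowerShell prompt with the built-in BitLocker module. This is an added example, not part of the tutorial; it assumes the OS drive is C:, that a TPM is present, and uses placeholder paths (D: for the recovery key file, which must never be on the drive being encrypted, and E: for a USB startup key).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the tutorial): wizard-equivalent BitLocker setup.
# Assumed/placeholder values: change them to suit your device.
$OsDrive    = "C:"
$Method     = "XtsAes256"    # step 1/11: XtsAes128, XtsAes256, Aes128 or Aes256
$UnlockMode = "TpmAndPin"    # step 7: "Tpm", "TpmAndPin" or "StartupKey"
$KeyBackup  = "D:\BitLocker-Recovery-Key-C.txt"  # step 8 "File"; not on $OsDrive
$StartupKey = "E:\"          # step 7 "Insert USB flash drive" (placeholder)

# All three startup options below rely on the TPM; refuse to continue without one.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; cannot use a TPM-based startup protector."
}
if ((Get-BitLockerVolume -MountPoint $OsDrive).VolumeStatus -ne "FullyDecrypted") {
    throw "$OsDrive is already protected or is being encrypted."
}

# Step 7: one startup protector per Enable-BitLocker call.
# Step 10: add -UsedSpaceOnly to mirror "Encrypt used disk space only"; leaving it
#          out encrypts the entire drive, which the tutorial recommends.
# Step 12: -SkipHardwareTest is NOT used, so the system check runs after a restart.
$common = @{ MountPoint = $OsDrive; EncryptionMethod = $Method }
switch ($UnlockMode) {
    "Tpm"        { Enable-BitLocker @common -TpmProtector }
    "TpmAndPin"  {
        # TPM+PIN needs the startup authentication policy from step 4 to be enabled.
        $pin = Read-Host "Enter a 6-20 digit startup PIN" -AsSecureString
        Enable-BitLocker @common -TpmAndPinProtector -Pin $pin
    }
    "StartupKey" { Enable-BitLocker @common -TpmAndStartupKeyProtector -StartupKeyPath $StartupKey }
    default      { throw "Unknown unlock mode '$UnlockMode'." }
}

# Step 8: add a 48-digit recovery password and save it together with its
# protector identifier (the ID the BitLocker recovery screen displays).
$rp = (Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } | Select-Object -Last 1
@(
    "BitLocker recovery key for $OsDrive",
    "Identifier:   $($rp.KeyProtectorId)",
    "Recovery Key: $($rp.RecoveryPassword)"
) | Set-Content -Path $KeyBackup

# Step 13: encryption begins after the restart; re-run this line later to watch it.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
Write-Host "Restart now to run the BitLocker system check and begin encryption."
```

Move the recovery key file off the device (or back it up to your Microsoft account as in step 8) before relying on it; a key stored only on the encrypted PC is unusable when the drive locks.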


That's it,
Shawn Brink
