What is BitLocker — and why every business laptop should have it enabled
BitLocker is Windows' built-in full-disk encryption. If a laptop is lost or stolen, the data on it stays unreadable without your credentials. It's free, it's built in, and it should be on by default.
What is BitLocker?
BitLocker is Microsoft's full-disk encryption feature, built into Windows Professional, Enterprise, and Education editions (and available in a limited form — "Device Encryption" — on Windows Home). When enabled, it encrypts the entire contents of your drive using AES-256 encryption — the same standard used by governments and financial institutions.
Full-disk encryption means that every file on the drive — the operating system, your documents, your passwords, your emails, your business data — is stored in an unreadable, scrambled form. The data can only be read when decrypted using the correct encryption key, which is tied to your login credentials or a separate recovery key.
BitLocker is free, built into Windows, and requires no ongoing maintenance once enabled. It works silently in the background — you won't notice it while working, and it doesn't significantly affect performance on modern hardware.
Why it matters
The scenario BitLocker is designed for is simple: a laptop is lost or stolen.
Without disk encryption, anyone who finds or steals your laptop can remove the drive, plug it into another machine, and read every file on it — regardless of your Windows password. Your password protects your account; it doesn't protect the data on the drive itself. The data is stored unencrypted and is fully readable by anyone with physical access.
With BitLocker enabled, a stolen laptop is a useless piece of hardware. The drive contains only encrypted data that is unreadable without the key. There is no practical way to decrypt it without your credentials.
In many jurisdictions, losing an unencrypted device containing personal data of clients or employees constitutes a reportable data breach under GDPR. Encryption is one of the most recognised mitigating factors — a lost device that was encrypted may not require a breach notification at all.
How it works
BitLocker uses a combination of hardware and software to protect the drive:
- TPM (Trusted Platform Module): A dedicated security chip built into most laptops and PCs manufactured after 2016. The TPM stores the encryption key in hardware and will only release it if the boot sequence is unchanged and untampered. If someone removes the drive and tries to access it on a different machine, the TPM key is unavailable and the data cannot be decrypted.
- AES-256 encryption: BitLocker encrypts data using the Advanced Encryption Standard with a 256-bit key. Brute-forcing this encryption would take longer than the age of the universe with current computing technology.
- Pre-boot authentication (optional): BitLocker can be configured to require a PIN at startup — before Windows even loads. This adds a second layer of protection even if someone has the physical machine.
When BitLocker is enabled and you log into Windows normally, the decryption happens automatically and invisibly. You don't type encryption passwords, you don't notice any slowdown — it just works.
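The three pieces listed above (the TPM, the encryption method, and whether a pre-boot PIN is in use) can all be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original article; it uses only the Get-Tpm, Confirm-SecureBootUEFI and Get-BitLockerVolume cmdlets that ship with Windows 10/11 Pro, and the function name Get-BitLockerPosture is an assumption.

```powershell
# Added example (not from the original article): report how each volume is
# protected - TPM present and ready, encryption method, and which key protector
# types (TPM-only, TPM+PIN, recovery password) BitLocker is using.
# Run in an elevated PowerShell session on Windows 10/11 Pro.

function Get-BitLockerPosture {
    # TPM state from the TrustedPlatformModule module; spec version from WMI.
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, so treat that as "off".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady        # $true means it can seal the BitLocker key
        TpmSpec    = $spec                # e.g. "2.0, 0, 1.59"
        SecureBoot = $secureBoot
    }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector.KeyProtectorType)

        [pscustomobject]@{
            Drive            = $vol.MountPoint
            VolumeType       = $vol.VolumeType         # OperatingSystem or Data
            Protection       = $vol.ProtectionStatus   # On / Off
            Status           = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted
            PercentDone      = $vol.EncryptionPercentage
            Method           = $vol.EncryptionMethod   # Windows default is XtsAes128; XtsAes256 if chosen
            # Any of these protector types means the key is bound to this machine's TPM.
            TpmBound         = [bool]($types | Where-Object { $_ -in 'Tpm','TpmPin','TpmStartupKey','TpmPinStartupKey' })
            # TPM+PIN protectors are the "pre-boot authentication" option described above.
            PreBootPin       = [bool]($types | Where-Object { $_ -in 'TpmPin','TpmPinStartupKey' })
            # Without a recovery password, a TPM failure or boot change locks you out for good.
            RecoveryPassword = ($types -contains 'RecoveryPassword')
        }

        if ($vol.VolumeType -eq 'OperatingSystem' -and $types -notcontains 'RecoveryPassword') {
            Write-Warning "$($vol.MountPoint): no recovery password protector - add one before relying on this drive"
        }
    }
}

Get-BitLockerPosture | Format-List
```

A machine that matches the description in this section shows TpmPresent and TpmReady as True, Protection as On, TpmBound as True, and RecoveryPassword as True; PreBootPin is False unless you opted into the startup PIN.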
How to enable BitLocker
Enabling BitLocker on Windows 10 or 11 Professional:
- Open the Start menu and search for "Manage BitLocker" — click the result
- You'll see a list of your drives. On the system drive (usually C:), click "Turn on BitLocker"
- Windows will check that your computer has a compatible TPM chip. Most laptops manufactured after 2016 do.
- You'll be prompted to choose how to save your recovery key — save it to your Microsoft account, a USB drive, or print it. Save it somewhere safe and separate from the laptop.
- Choose whether to encrypt used disk space only (faster, suitable for new machines) or the entire drive (slower, more thorough — recommended for drives already in use)
- Click "Start encrypting." The process runs in the background and may take from minutes to a few hours depending on drive size
On Windows Home, look for "Device Encryption" in Settings → Privacy & Security → Device Encryption. The interface is simpler and some configuration options are absent, but it provides the same core protection.
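The same six steps can be scripted, which is how you would roll BitLocker out to more than a handful of machines. The following is an added example and not the article's own procedure; it targets Windows 10/11 Pro from an elevated PowerShell prompt, and the drive letter, the removable-drive path for the recovery key and the function name Enable-LaptopBitLocker are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article): the "Manage BitLocker"
# walkthrough above as a script. Assumptions: system drive is C:, a USB drive
# for the recovery key is mounted at E:\. Requires an elevated session on
# Windows 10/11 Pro, Enterprise or Education.

function Enable-LaptopBitLocker {
    [CmdletBinding()]
    param(
        [string]$Drive = 'C:',
        [string]$UsbPath = 'E:\',     # where the printed/USB copy of the recovery key goes
        [switch]$WholeDrive,          # step 5: entire drive instead of used space only
        [switch]$RequirePin           # optional pre-boot PIN (TPM+PIN instead of TPM-only)
    )

    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.ProtectionStatus -eq 'On') { Write-Host "$Drive is already protected"; return }

    # Step 3: a ready TPM is required for the TPM-bound protector.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM found; enable it in firmware before continuing'
    }

    # Step 4: create the 48-digit recovery password first so it exists before
    # encryption starts, and write it to the removable drive - never to $Drive.
    if (-not (Test-Path $UsbPath)) { throw "Recovery key destination $UsbPath not found" }
    $null = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
    $rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    $file = Join-Path $UsbPath "BitLocker Recovery Key $($rp.KeyProtectorId.Trim('{}')).TXT"
    @"
BitLocker Drive Encryption recovery key
Computer:     $env:COMPUTERNAME
Drive:        $Drive
Identifier:   $($rp.KeyProtectorId)
Recovery Key: $($rp.RecoveryPassword)
"@ | Out-File -FilePath $file -Encoding unicode
    Write-Host "Recovery key saved to $file - keep it separate from the laptop"

    # Steps 5-6: choose the scope and bind the volume key to the TPM.
    # XtsAes256 matches the article; the Windows default is XtsAes128.
    $params = @{ MountPoint = $Drive; EncryptionMethod = 'XtsAes256' }
    if (-not $WholeDrive) { $params.UsedSpaceOnly = $true }
    if ($RequirePin) {
        # TPM+PIN needs the Group Policy "Require additional authentication at
        # startup" (BitLocker Drive Encryption > Operating System Drives) to allow it.
        $params.TpmAndPinProtector = $true
        $params.Pin = Read-Host -AsSecureString 'Choose a startup PIN'
    } else {
        $params.TpmProtector = $true
    }
    Enable-BitLocker @params

    # For OS drives Windows runs a TPM hardware test on the next restart and
    # then encrypts in the background; poll EncryptionPercentage to follow it.
    Get-BitLockerVolume -MountPoint $Drive |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
}

# Example: used-space-only encryption of C:, recovery key written to E:\
Enable-LaptopBitLocker -Drive 'C:' -UsbPath 'E:\'
```

Enable-BitLocker accepts only one protector per call, which is why the recovery password is added separately with Add-BitLockerKeyProtector before the TPM (or TPM+PIN) protector is set. Use -WholeDrive for a machine that has been in use, as step 5 advises.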
The recovery key — don't lose it
When you enable BitLocker, Windows generates a 48-digit recovery key. This key is your last resort if something goes wrong — if the TPM chip fails, if you forget your PIN, if a Windows update causes a boot change that triggers BitLocker's tamper detection.
In these scenarios, Windows will ask for the recovery key before allowing access. If you've lost the key, the data on the drive is permanently inaccessible — even to Microsoft, even to professional data recovery services. This is the correct security outcome, but it means you must treat the recovery key with the same care as you would a master password.
- Save the recovery key to your Microsoft account — then you can retrieve it from account.microsoft.com if needed
- Save a backup copy in your password manager
- For business machines, store recovery keys in a secure, centralised location — Azure Active Directory / Entra ID can store them automatically for managed devices
- Never store the recovery key on the encrypted drive itself — that defeats the purpose
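For the business case in the list above, the recovery password should be escrowed centrally rather than left with the user. The script below is an added example, not from the article; it checks every BitLocker volume for a recovery password protector, adds one where it is missing, and backs it up with BackupToAAD-BitLockerKeyProtector (Entra ID-joined devices) or Backup-BitLockerKeyProtector (AD DS domain-joined devices). The -Target parameter and the function name Backup-RecoveryKeys are assumptions; pick the value that matches how your devices are joined.

```powershell
# Added example (not from the original article): make sure each volume has a
# recovery password and escrow it to Entra ID or Active Directory.
# Elevated session on a joined Windows 10/11 Pro device. The script never
# writes the 48-digit password itself to the console or to disk - only the
# protector ID, which is what a helpdesk uses to look the key up.

function Backup-RecoveryKeys {
    [CmdletBinding()]
    param(
        [ValidateSet('EntraID', 'ActiveDirectory', 'ReportOnly')]
        [string]$Target = 'ReportOnly'   # assumption: set to match your directory
    )

    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            Write-Warning "$($vol.MountPoint): BitLocker protection is Off"
        }

        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # A TPM-only volume with no recovery password becomes unrecoverable on
            # a TPM failure or boot change, so add one before escrowing.
            Write-Warning "$($vol.MountPoint): no recovery password protector; adding one"
            $null = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }

        foreach ($kp in $rp) {
            $result = 'not escrowed'
            switch ($Target) {
                'EntraID' {
                    BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
                    $result = 'Entra ID'
                }
                'ActiveDirectory' {
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
                    $result = 'Active Directory'
                }
            }
            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                Drive          = $vol.MountPoint
                KeyProtectorId = $kp.KeyProtectorId
                EscrowedTo     = $result
            }
        }
    }
}

# Report first; switch to -Target EntraID or ActiveDirectory once the join state is confirmed.
Backup-RecoveryKeys -Target ReportOnly | Format-Table -AutoSize
```

After a run with -Target EntraID, the key should appear under the device in the Entra admin center, and the Microsoft-Windows-BitLocker/BitLocker Management event log records whether the backup succeeded; for ActiveDirectory the key is stored on the computer object, which requires the BitLocker recovery-information schema and the "Store BitLocker recovery information in Active Directory Domain Services" policy to be in place.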
The takeaway
BitLocker is one of the simplest, most impactful security measures available to any Windows user. It's free, it's already installed, and enabling it takes five minutes. The protection it provides — against a lost or stolen device becoming a data breach — is substantial and permanent.
For businesses handling any sensitive data, enabling BitLocker on every device should be a minimum baseline — not an optional extra.