Don't See What You're Looking For?

Help Us Improve

Browse by Collection

Skip to end of metadata
Go to start of metadata

What is BitLocker?

BitLocker Drive Encryption is a security feature that encrypts everything on the hard drive. Device encryption helps protect your data by encrypting it. Only someone with the correct encryption key can decrypt it.

How Does BitLocker work?

BitLocker is used in conjunction with a piece of hardware called a Trusted Platform Module (TPM). The TPM is a smartcard-like module on the motherboard that is installed in many newer computers. When you enable BitLocker, a recovery key is generated.

BitLocker Requirements

To use BitLocker, your computer must meet certain requirements and be logged in as an administrator.

  • Operating system: Windows 10 - Education, Pro, or Enterprise edition
  • TPM installed and enabled
    • To check if your computer has a TPM chip, click on the Windows menu in the bottom left of your desktop, then go to Windows System > Control Panel > System and Security > BitLocker Drive Encryption. Alternatively you can type "Control Panel" in the search bar on the Task Bar if present.

    • Click on TPM Administration on the left side of the BitLocker Drive Encryption window.

    • You will then be brought to the TPM Administration window. Under "Status" if a TPM is present, the message will say "The TPM is ready for use."

    • You can also check for the TPM chip in Device Manager (Start > type Device Manager).


Store BitLocker Information on Active Directory

Please submit an RT ticket with Desktop Support or contact your DIT for assistance with this section.

In order for a computer with TPM to store BitLocker information to Active Directory, the operating system drive has to be a GUID Partition Table (GPT) partition. Follow the steps below to convert the Master Boot Record (MBR) drive to a GPT drive. You will then need to turn on Unified Extensible Firmware Interface (UEFI) boot in the Basic Input Output System (BIOS) menu.

  1. Log on to your computer with an administrative user account.
  2. Run Command Prompt (as Administrator) or Powershell (as Administrator).
  3. Run MBR2GPT /convert /disk:0 /AllowFullOS 
  4. Restart your computer, press F2 to get to the BIOS menu, and change to UEFI boot. Optional: Uncheck "Allow Legacy Boot" and enable "Secure Boot". Click Exit and Save. Your computer will reboot. 
  5. After your computer restarts, log on with an administrative user account.
  6. Run Command Prompt (as Administrator) and run "gpupdate /force" to force Group Policy update. Optional: Run RSoP.msc, check Group Policy settings on BitLocker.

How Do I Enable BitLocker?

If your computer meets the Windows version and TPM requirements, the process for enabling BitLocker is as follows:

  1. Click Start > Control Panel > System and Security > BitLocker Drive Encryption.

  2. Click Turn on BitLocker.
  3. BitLocker scans your computer to verify that it meets the system requirements.
    • If your computer meets the system requirements, the setup wizard continues with the BitLocker Startup Preferences.
    • If preparations need to be made to your computer to turn on BitLocker, they are displayed. Click Next.
    • When the BitLocker encryption process asks you how you want to back up your recovery key, just click Next. Do not select Save to a USB flash drive, Save to a file, or Print the recovery key.

  4. If prompted to do so, remove any CDs, DVDs, and USB flash drives from your computer and then click Shutdown.
  5. Turn your computer back on after shutdown. Follow the instructions in the message to continue initializing the TPM.
  6. If your computer shuts down again, turn it back on.
  7. The BitLocker setup wizard resumes automatically. Click Next.
  8. You will be prompted to restart your computer to start the encryption process. You can use your computer while your drive is being encrypted.

Regenerating a Copy of your Recovery Key

  1. Please submit an RT ticket to retrieve a copy of your recovery key.

Login Process After BitLocker is Enabled

The log in process to your computer will be the same after BitLocker is enabled on your computer. Since the BitLocker recovery key and information is stored on Active Directory, your log in process will not change, and will not need to provide a key or a PIN.


  1. Feedback: Correct or Suggest an Article | Request Help
  • No labels