BitLocker overview (2024)

BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.

Practical applications

Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the device's hard drive to a different device. BitLocker helps mitigate unauthorized data access by encrypting the whole volume, so the data is unreadable without the key and remains inaccessible when BitLocker-protected devices are lost, decommissioned, or recycled.

BitLocker and TPM

BitLocker provides maximum protection when used with a Trusted Platform Module (TPM), which is a common hardware component installed on Windows devices. The TPM works with BitLocker to ensure that a device hasn't been tampered with while the system is offline.

In addition to the TPM, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device that contains a startup key. These security measures provide multifactor authentication and assurance that the device can't start or resume from hibernation until the correct PIN or startup key is presented.

On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. This implementation requires the user to either:

  • use a startup key: a file stored on a removable drive that must be present to start the device or to resume from hibernation
  • use a password. This option isn't secure because it is subject to brute-force attacks: there is no password lockout logic. The password option is therefore discouraged and disabled by default

Neither option provides the preboot system integrity verification offered by BitLocker with a TPM.

[Figures: BitLocker preboot screens with startup key, with PIN, and with password]

System requirements

BitLocker has the following requirements:

  • For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker

  • A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the preboot startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware

  • The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class, and reading files on a USB drive in the preboot environment

    Note

    TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.

    An operating system installed while the firmware was in Legacy mode stops booting when the BIOS mode is changed to UEFI. Run mbr2gpt.exe before changing the BIOS mode: it converts the disk from MBR to GPT and prepares the OS to boot under UEFI.

  • The hard disk must be partitioned with at least two drives:

    • The operating system drive (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system

    • The system drive contains files required to boot, decrypt, and load the operating system. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive:

      • must not be encrypted
      • must differ from the operating system drive
      • must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware
      • should be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space

      Important

      When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.

      If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create the volume. For more information about using the tool, see Bdehdcfg in the Command-Line Reference.

Note

When installing the BitLocker optional component on a server, the Enhanced Storage feature must be installed. The feature is used to support hardware encrypted drives.
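The requirements listed above can be checked in one pass rather than by hand. The following PowerShell is an added example, not part of the original page: it reports the TPM, firmware, partition-layout and current-state checks for the OS drive. It assumes an elevated session on the device being evaluated and the built-in TrustedPlatformModule, SecureBoot, Storage and BitLocker modules (the BitLocker module is absent on a server until the optional component is installed, so that query is guarded).

```powershell
# Added example (not from the original page): read-only preflight check of the
# BitLocker requirements above. Run in an elevated PowerShell session.
function Test-BitLockerPrerequisites {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)   # e.g. "C:"

    $letter = $OsDrive.TrimEnd(':')
    $r = [ordered]@{}

    # TPM: presence/readiness from the TrustedPlatformModule cmdlet, spec version from WMI.
    try   { $tpm = Get-Tpm; $r.TpmPresent = $tpm.TpmPresent; $r.TpmReady = $tpm.TpmReady }
    catch { $r.TpmPresent = $false; $r.TpmReady = $false }
    $tpmWmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm `
              -ErrorAction SilentlyContinue
    $r.TpmSpecVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Firmware: TPM 2.0 needs native UEFI (Legacy/CSM off); Secure Boot is recommended.
    $r.FirmwareType = $env:firmware_type                    # "UEFI" or "Legacy"
    try   { $r.SecureBoot = Confirm-SecureBootUEFI } catch { $r.SecureBoot = $false }
    $r.Tpm2FirmwareOk = -not ($r.TpmSpecVersion -eq '2.0' -and $r.FirmwareType -ne 'UEFI')

    # Disk layout: OS volume must be NTFS; a separate, unencrypted system partition must
    # exist (FAT32 EFI system partition on UEFI, NTFS system partition on BIOS).
    $osVol  = Get-Volume -DriveLetter $letter
    $osPart = Get-Partition -DriveLetter $letter
    $disk   = Get-Disk -Number $osPart.DiskNumber
    $r.OsDriveIsNtfs  = ($osVol.FileSystem -eq 'NTFS')
    $r.PartitionStyle = $disk.PartitionStyle                # "GPT" or "MBR"
    $sysPart = Get-Partition -DiskNumber $osPart.DiskNumber |
               Where-Object { $_.IsSystem -and $_.PartitionNumber -ne $osPart.PartitionNumber } |
               Select-Object -First 1
    $r.SystemPartitionFound = [bool]$sysPart
    if ($sysPart) {
        $sysVol = $sysPart | Get-Volume
        $expectedFs = if ($r.FirmwareType -eq 'UEFI') { 'FAT32' } else { 'NTFS' }
        $r.SystemPartitionFs     = $sysVol.FileSystem
        $r.SystemPartitionFsOk   = ($sysVol.FileSystem -eq $expectedFs)
        $r.SystemPartitionSizeMB = [math]::Round($sysPart.Size / 1MB)
        $r.SystemPartitionFreeMB = [math]::Round($sysVol.SizeRemaining / 1MB)
        $r.SystemPartitionFreeOk = ($r.SystemPartitionFreeMB -ge 250)
    }
    # A Legacy-mode install must be converted before the firmware is switched to UEFI:
    #   mbr2gpt /validate /allowFullOS    then    mbr2gpt /convert /allowFullOS
    $r.NeedsMbr2Gpt = ($r.PartitionStyle -eq 'MBR' -and $r.TpmSpecVersion -eq '2.0')

    # Current BitLocker state of the OS volume (cmdlet missing on servers without the feature).
    $blv = $null
    try { $blv = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop } catch { }
    $r.VolumeStatus     = if ($blv) { $blv.VolumeStatus }     else { 'BitLocker module unavailable' }
    $r.ProtectionStatus = if ($blv) { $blv.ProtectionStatus } else { 'n/a' }
    $r.KeyProtectors    = if ($blv) { $blv.KeyProtector.KeyProtectorType -join ', ' } else { 'n/a' }

    [pscustomobject]$r
}

Test-BitLockerPrerequisites | Format-List
```

The output is a single object, so it can be collected from many machines and filtered (for example on Tpm2FirmwareOk, SystemPartitionFsOk and SystemPartitionFreeOk) before rolling out a policy. A result of Tpm2FirmwareOk = False means the device has a TPM 2.0 but is booting in Legacy/CSM mode, the combination the note above says BitLocker doesn't support.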

Windows edition and licensing requirements

The following Windows editions support BitLocker enablement:

  • Windows Pro: Yes
  • Windows Enterprise: Yes
  • Windows Pro Education/SE: Yes
  • Windows Education: Yes

BitLocker enablement license entitlements are granted by the following licenses:

  • Windows Pro/Pro Education/SE: Yes
  • Windows Enterprise E3: Yes
  • Windows Enterprise E5: Yes
  • Windows Education A3: Yes
  • Windows Education A5: Yes

For more information about Windows licensing, see Windows licensing overview.

Note

Licensing requirements for BitLocker enablement are different from the licensing requirements for BitLocker management. To learn more, review the how-to guide: configure BitLocker.

Device encryption

Device encryption is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows editions, and it requires the device to meet either Modern Standby or HSTI security requirements and to have no externally accessible ports that allow DMA access. Device encryption encrypts only the OS drive and fixed drives; it doesn't encrypt external/USB drives.

Important

Starting in Windows 11, version 24H2, the DMA and HSTI/Modern Standby prerequisites are removed. As a result, more devices are eligible for automatic and manual device encryption. For more information, see BitLocker drive encryption in Windows 11 for OEMs.

Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. When a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use. As part of this preparation, device encryption is initialized on the OS drive and fixed data drives with a clear key, the equivalent of the standard BitLocker suspended state: the data is encrypted, but the key that unlocks it is stored unprotected on the disk, so the encryption offers no protection yet. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up.

  • If the device is Microsoft Entra joined or Active Directory domain joined, the clear key is removed once the recovery key is successfully backed up to Microsoft Entra ID or Active Directory Domain Services (AD DS). The following policy settings must be enabled for the recovery key to be backed up: Choose how BitLocker-protected operating system drives can be recovered
    • For Microsoft Entra joined devices: the recovery password is created automatically when the user authenticates to Microsoft Entra ID, then the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed
    • For AD DS joined devices: the recovery password is created automatically when the computer joins the domain. The recovery key is then backed up to AD DS, the TPM protector is created, and the clear key is removed
  • If the device isn't Microsoft Entra joined or Active Directory domain joined, a Microsoft account with administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user is guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials
  • If a device uses only local accounts, then it remains unprotected even though the data is encrypted

Important

Device encryption uses the XTS-AES 128-bit encryption method by default. If you configure a policy setting that selects a different encryption method, use the Enrollment Status Page to keep the device from starting encryption with the default method: BitLocker doesn't start encrypting until the end of OOBE, after the Enrollment Status Page device configuration phase is complete, which gives the device time to receive the BitLocker policy settings before encryption starts.

If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device is decrypted, you can apply different BitLocker settings.

If a device doesn't initially qualify for device encryption, but then a change is made that causes the device to qualify (for example, by turning on Secure Boot), device encryption enables BitLocker automatically as soon as it detects it.

You can check whether a device meets the requirements for device encryption in the System Information app (msinfo32.exe). If the device meets the requirements, System Information shows a line that reads:

  Item: Device Encryption Support
  Value: Meets prerequisites

Difference between BitLocker and device encryption

  • Device encryption turns on BitLocker automatically on device encryption-qualifying devices, with the recovery key automatically backed up to Microsoft Entra ID, AD DS, or the user's Microsoft account
  • Device encryption adds a device encryption setting in the Settings app, which can be used to turn device encryption on or off
    • The Settings UI doesn't show device encryption enabled until encryption is complete


Note

If device encryption is turned off, it will no longer automatically enable itself in the future. The user must enable it manually in Settings

Disable device encryption

It's recommended to keep device encryption on for any systems that support it. However, you can prevent the automatic device encryption process by changing the following registry setting:

  Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
  Name: PreventDeviceEncryption
  Type: REG_DWORD
  Value: 0x1

For more information about device encryption, see BitLocker device encryption hardware requirements.
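The registry opt-out above, the msinfo32 prerequisite line, and the per-volume state can all be handled from PowerShell. The block below is an added example, not code from the original page: it sets, clears and reads the PreventDeviceEncryption value, extracts the Device Encryption Support line from an msinfo32 text report without opening the GUI, and lists each volume's BitLocker state. It assumes an elevated session; the report file path under $env:TEMP is an assumption chosen for the example.

```powershell
# Added example (not from the original page). Elevated PowerShell session required.
$script:BitLockerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$script:OptOutName   = 'PreventDeviceEncryption'

# Returns $true when automatic device encryption is suppressed by the registry value.
function Get-DeviceEncryptionOptOut {
    $item = Get-ItemProperty -Path $script:BitLockerKey -Name $script:OptOutName -ErrorAction SilentlyContinue
    return [bool]($item -and $item.($script:OptOutName) -eq 1)
}

# Sets PreventDeviceEncryption = 1 (REG_DWORD), or removes the value with -Clear. Supports -WhatIf.
function Set-DeviceEncryptionOptOut {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Clear)
    $target = "$script:BitLockerKey\$script:OptOutName"
    if ($Clear) {
        if ($PSCmdlet.ShouldProcess($target, 'Remove value')) {
            Remove-ItemProperty -Path $script:BitLockerKey -Name $script:OptOutName -ErrorAction SilentlyContinue
        }
        return
    }
    if (-not (Test-Path $script:BitLockerKey)) { New-Item -Path $script:BitLockerKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($target, 'Set REG_DWORD 0x1')) {
        New-ItemProperty -Path $script:BitLockerKey -Name $script:OptOutName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Reads the 'Device Encryption Support' line from an msinfo32 text report, the same value the
# System Information app shows. The report path is an assumption for this example.
function Get-DeviceEncryptionSupport {
    $report = Join-Path $env:TEMP 'msinfo32-report.txt'
    Start-Process -FilePath msinfo32.exe -ArgumentList "/report `"$report`"" -Wait
    $hit = Select-String -Path $report -Pattern 'Device Encryption Support' | Select-Object -First 1
    Remove-Item $report -ErrorAction SilentlyContinue
    if ($hit) { $hit.Line.Trim() } else { 'Device Encryption Support line not found' }
}

# Per-volume state. The opt-out value only stops *automatic* enablement: volumes that are
# already encrypted stay encrypted until BitLocker is turned off explicitly.
function Get-DeviceEncryptionState {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
        EncryptionMethod, @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

"Opt-out set: $(Get-DeviceEncryptionOptOut)"
Get-DeviceEncryptionSupport
Get-DeviceEncryptionState | Format-Table -AutoSize

# To suppress automatic enablement on a build image:   Set-DeviceEncryptionOptOut
# To allow it again:                                    Set-DeviceEncryptionOptOut -Clear
```

A device still sitting in the clear-key state described earlier shows up in Get-DeviceEncryptionState as VolumeStatus FullyEncrypted with ProtectionStatus Off and no Tpm or RecoveryPassword protector listed; that is the condition to alert on, because the data is encrypted but not yet protected.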

Next steps

Learn about technologies and features to protect against attacks on the BitLocker encryption key:

BitLocker countermeasures >


FAQs

How can I skip BitLocker recovery? ›

  4. Skip the first BitLocker recovery key prompt by pressing Esc.
  5. Skip the second BitLocker recovery key prompt by selecting Skip This Drive in the bottom right.
  6. Navigate to Troubleshoot > Advanced Options > Command Prompt.

Why is my laptop asking for BitLocker recovery key every time? ›

Basically it means that the particular file system is BitLocker encrypted, and the normal unlock mechanism is not working. For C:, BitLocker normally relies on getting codes to unlock the drive from the TPM chip (Trusted Platform Module) on the motherboard of the computer on which the drive was originally installed.

How do I break BitLocker recovery loop? ›

How to bypass BitLocker recovery screen on startup?
  1. Method 1: Suspend BitLocker protection and resume it.
  2. Method 2: Remove the protectors from the boot drive.
  3. Method 3: Enable the secure boot.
  4. Method 4: Update your BIOS.
  5. Method 5: Disable the secure boot.
  6. Method 6: Use legacy boot.

How many times can you fail BitLocker? ›

This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.

How do I force quit BitLocker? ›

Turn off Standard BitLocker encryption

Type and search [Manage BitLocker] in the Windows search bar①, then click [Open]②. Click [Turn off BitLocker]③ on the drive that you want to decrypt. If the drive is under locked status, you need to click [Unlock drive] and type the password to turn off BitLocker.

Is it possible to unlock BitLocker without a key? ›

If you do not have the BitLocker password and recovery key, you need to format the encrypted drive to remove the encryption or turn to third-party tools, such as Passware Kit, Elcomsoft Forensic Disk Decryptor, or Elcomsoft Distributed Password Recovery.

How to solve BitLocker recovery key? ›

In your Microsoft account: Open a web browser on another device. Go to https://account.microsoft.com/devices/recoverykey to find your recovery key. Tip: You can sign into your Microsoft account on any device with internet access, such as a smartphone.

What triggers BitLocker recovery key prompt? ›

BitLocker recovery scenarios
  • Entering the wrong PIN too many times.
  • Turning off the support for reading the USB device in the preboot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM.
  • Having the CD or DVD drive before the hard drive in the BIOS boot order (common with virtual machines)
Jun 18, 2024

How do I get my computer to stop asking for a BitLocker recovery key? ›

Turn this off to save yourself from entering the recovery key each time Windows locks you out.
  1. Press the Windows key on your keyboard and open "Control Panel" by searching for it.
  2. Now select "Device Encryption" under "Control Panel" to open "BitLocker" settings.
  3. Now, click on the "turn off auto-unlock" option.
Mar 14, 2024

How do I get my computer out of BitLocker? ›

Follow the steps given below to remove BitLocker encryption in GUI mode:
  1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
  2. Look for the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.

What do I do if I don't have a BitLocker recovery key? ›

If you are unable to locate a required BitLocker recovery key and are unable to revert a configuration change that might have caused it to be required, you must reset your device using one of the Windows 10 recovery options. Resetting your device removes all your files.

What is the command to unlock a BitLocker drive? ›

If the status is returned as locked, you must use the following command to unlock it using your recovery password: manage-bde -unlock c: -rp <your 48-digit recovery password>
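The manage-bde command above works, but a mistyped recovery password fails only after the unlock attempt. The following PowerShell is an added example, not from the answer above or from Microsoft: it validates the 48-digit format locally (each 6-digit group is a 16-bit value multiplied by 11, so it must be divisible by 11 and below 720896), then unlocks with the BitLocker module's Unlock-BitLocker cmdlet. It assumes an elevated session and the built-in BitLocker module; the sample digit strings are constructed for the format check and are not real keys.

```powershell
# Added example (not from the original page): validate a recovery password locally,
# then unlock with the BitLocker module instead of manage-bde. Elevated session required.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$RecoveryPassword)
    $digits = $RecoveryPassword -replace '[\s-]', ''
    if ($digits -notmatch '^\d{48}$') { return $false }
    # Each 6-digit group is a 16-bit value multiplied by 11, so it must be divisible
    # by 11 and smaller than 65536 * 11 = 720896. Catches typos before the unlock attempt.
    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        if (($group % 11) -ne 0 -or $group -ge 720896) { return $false }
    }
    return $true
}

function Unlock-WithRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'D:'
        [Parameter(Mandatory)][string]$RecoveryPassword   # 48 digits, hyphens optional
    )
    if (-not (Test-BitLockerRecoveryPassword $RecoveryPassword)) {
        throw 'Malformed recovery password: expected 8 groups of 6 digits, each divisible by 11.'
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -ne 'Locked') {
        Write-Verbose "$MountPoint is already unlocked"
        return $vol
    }
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
}

# Constructed inputs for the format check (not real keys): all-zero groups pass the
# structural test; a final group of 000001 fails the divisibility test.
Test-BitLockerRecoveryPassword '000000-000000-000000-000000-000000-000000-000000-000000'
Test-BitLockerRecoveryPassword '000000-000000-000000-000000-000000-000000-000000-000001'

# Real use, with the password retrieved from Microsoft Entra ID, AD DS or the Microsoft account:
# Unlock-WithRecoveryPassword -MountPoint 'D:' -RecoveryPassword '<48-digit recovery password>'
```

The format check only rejects strings that cannot be a recovery password; a well-formed password that belongs to a different volume still fails at Unlock-BitLocker, and repeated wrong attempts are what the recovery counter in the FAQ above is tracking.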

What happens if I skip BitLocker recovery? ›

Rod-IT: If you could bypass BitLocker in some way, that would be a huge security risk. Devices are encrypted to keep unauthorized people out; if that so happens to be yourself because you've forgotten or no longer have the key, then the encryption has done its job and kept people out.

Is BitLocker obsolete? ›

For your data protection needs, Microsoft recommends that you use Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention. Note: BitLocker to Go as a feature is still supported.

Does wiping a drive remove BitLocker? ›

A BitLocker encrypted drive must be decrypted before it can be used again. However, in situations where the user is unable to decrypt the drive, the data and encryption must be removed from the drive. It can be achieved by using data-wiping software that is capable of wiping BitLocker encrypted drives.

Is it possible to recover data without BitLocker recovery key? ›

Use BitLocker Repair Tool: The BitLocker Repair Tool is a built-in feature in Windows that can help repair encrypted drives without the recovery key. Users can access the tool through the BitLocker Drive Encryption Control Panel and follow the instructions to repair the drive's encryption metadata.

How to reset without BitLocker recovery key? ›

How to Reset PC Without BitLocker Recovery Key
  1. Click the Power icon at the bottom of your computer's screen, and then hold the Shift key and select Restart to enter WinRE.
  2. Access the Advanced options menu, and then click on Troubleshoot > Reset this PC.
Jun 13, 2024

Article information

Author: Fredrick Kertzmann

Last Updated:
