BitLocker Encryption for Business: How to Set Up & Manage
If a company laptop goes missing — left in a taxi, stolen from a car, or lost at an airport — the hardware cost is the least of your worries. Without disk encryption, whoever finds that device has unrestricted access to every file, email, and credential stored on it. That's a data breach, a potential ICO investigation, and a serious hit to client trust.
BitLocker, built into Windows 10 Pro and Windows 11 Pro, encrypts your entire hard drive so that data is unreadable without proper authentication. For UK businesses, it's one of the simplest and most cost-effective security measures you can implement — and it's a requirement for Cyber Essentials certification.
What Is BitLocker and How Does It Work?
BitLocker is Microsoft's full-volume encryption feature. It encrypts the Windows volume (and any data volumes you enable it on) sector by sector with AES-128 or AES-256, so that if someone removes the drive and connects it to another computer the data stays unreadable. The small EFI system partition that holds the boot loader is left in the clear by design; the TPM's job is to verify that the boot chain has not been tampered with before it releases the key that unlocks the volume.
Authentication happens before Windows loads, using one of these methods:
- TPM only: The Trusted Platform Module releases the volume key automatically when the measured boot chain matches what the key was sealed to, so the user sees no prompt. The trade-off is that anyone who takes the whole device can simply power it on and reach the sign-in screen with the disk already unlocked, which exposes the data to attacks on the running system (DMA, cold-boot memory dumps) and, on discrete TPM chips, to reading the key off the TPM bus with a logic analyser. Since a stolen laptop is exactly the scenario you are defending against, TPM only is not enough on its own
- TPM + PIN: Requires a numeric PIN at boot before Windows loads — the recommended option for business laptops
- TPM + USB key: A USB drive must be inserted at boot to unlock the disk
- Password only: For machines without a TPM. Requires the policy option 'Allow BitLocker without a compatible TPM' and gives no hardware binding at all, so the security rests entirely on password strength (not recommended for business use)
Why Every Business Should Enable BitLocker
- Regulatory compliance: GDPR Article 32 requires 'appropriate technical and organisational measures' to protect personal data, and names encryption explicitly as an example. Cyber Essentials mandates encryption on all mobile devices
- Data breach prevention: A lost encrypted laptop is an inconvenience. A lost unencrypted laptop is a reportable data breach
- No cost: BitLocker is included free with Windows Pro editions — there's no licensing fee
- Minimal user impact: With TPM + PIN, users enter a short PIN at boot and experience no performance difference during normal use
- Remote management: BitLocker integrates with Microsoft Intune, Active Directory and Microsoft Entra ID (formerly Azure AD) for centralised key management and policy enforcement
Prerequisites for BitLocker
Before enabling BitLocker across your business, confirm these requirements:
- Windows Pro, Enterprise, or Education: BitLocker is not available on Windows Home editions. If any PCs run Home, you'll need to upgrade
- TPM 2.0: All modern business PCs (2016 onwards) include TPM 2.0. Check via tpm.msc; the status should show 'The TPM is ready for use' and the specification version should read 2.0
- UEFI firmware (ideally with Secure Boot enabled): TPM 2.0 is only supported when Windows boots in native UEFI mode. Legacy BIOS/CSM systems don't support modern BitLocker configurations
- Administrator access: You need local admin rights to enable BitLocker
How to Enable BitLocker: Step by Step
On a Single PC
- Open Control Panel → System and Security → BitLocker Drive Encryption
- Click Turn on BitLocker next to your C: drive
- Choose how to unlock at startup: select Enter a PIN. This screen only appears when the policy 'Require additional authentication at startup' (Local Group Policy Editor → Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives) has been enabled with a startup PIN allowed; on a TPM machine with default settings the wizard skips it and silently configures TPM only
- Set a 6-20 digit PIN (avoid obvious sequences like 123456 and dates of birth). Enable 'Allow enhanced PINs for startup' in the same policy folder if you want letters and symbols as well
- Choose where to save the recovery key. On a business device it belongs in Microsoft Entra ID or Active Directory, which happens automatically on a joined device with escrow policy applied; Save to a file on a separate USB drive is the fallback for unmanaged PCs, and Save to your Microsoft account ties the key to a personal account and is meant for home use. Never save it to the drive you are encrypting
- Select Encrypt entire drive (not 'used disk space only' — this leaves deleted data recoverable)
- Choose New encryption mode (XTS-AES) for internal drives
- Click Start Encrypting
Initial encryption takes 30 minutes to several hours depending on drive size and speed. The PC remains usable during encryption.
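The same single-PC procedure as a script, for administrators who would rather not click through the wizard on each machine. This is an added example, not code from the original article: it checks the prerequisites above, writes the local policy equivalent of the TPM + PIN and XTS-AES-256 settings, creates and escrows a recovery password before anything is encrypted, and only then turns on BitLocker. It assumes the PC is joined to Microsoft Entra ID or an Active Directory domain (it detects which with dsregcmd and refuses to proceed otherwise), and that the policy registry values are acceptable on a stand-alone PC; on managed devices those values should come from Group Policy or Intune instead.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own code): enable BitLocker on the OS
# volume with TPM + PIN, XTS-AES-256, whole-volume encryption and an
# escrowed recovery password. Run in an elevated PowerShell session.
$ErrorActionPreference = 'Stop'
$osDrive = $env:SystemDrive   # normally "C:"

# --- 1. Prerequisites: TPM 2.0 present and ready, booted in native UEFI mode
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM missing or not ready; check tpm.msc and the firmware settings first.'
}
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
if ($spec -notlike '2.0*') { throw "TPM specification version is '$spec', not 2.0." }
if ($env:firmware_type -ne 'UEFI') { throw 'Booted in legacy BIOS/CSM mode; native UEFI boot is required.' }

# --- 2. Policy: registry equivalent of the GPOs "Require additional
#     authentication at startup" (TPM + PIN only) and "Choose drive
#     encryption method" (XTS-AES-256 for the OS drive).
#     For the Use* values: 0 = do not allow, 1 = require, 2 = allow.
#     Assumption: stand-alone PC; GPO/Intune overrides these on managed devices.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
@{
    UseAdvancedStartup        = 1   # turn the startup-authentication policy on
    EnableBDEWithNoTPM        = 0   # no password-only BitLocker on TPM-less PCs
    UseTPM                    = 0   # TPM only is not allowed
    UseTPMPIN                 = 1   # TPM + PIN is required
    UseTPMKey                 = 0   # TPM + USB key not allowed
    UseTPMKeyPIN              = 0   # TPM + USB key + PIN not allowed
    MinimumPIN                = 6   # minimum startup PIN length
    EncryptionMethodWithXtsOs = 7   # 7 = XTS-AES 256, 6 = XTS-AES 128
}.GetEnumerator() | ForEach-Object {
    Set-ItemProperty -Path $fve -Name $_.Key -Value $_.Value -Type DWord
}

# --- 3. Recovery password: create and escrow it BEFORE encrypting, so there
#     is never a moment when the TPM is the only thing that can open the drive.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}
$dsreg = dsregcmd /status
if ($dsreg -match 'AzureAdJoined\s*:\s*YES') {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null
} elseif ($dsreg -match 'DomainJoined\s*:\s*YES') {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null
} else {
    throw 'PC is neither Entra- nor domain-joined; refusing to encrypt without key escrow.'
}
Write-Host "Recovery password escrowed. Key protector ID (record this, never the 48 digits): $($rp.KeyProtectorId)"

# --- 4. Encrypt: TPM + PIN protector, XTS-AES-256, whole volume (no -UsedSpaceOnly).
#     Without -SkipHardwareTest Windows first reboots and proves the TPM + PIN
#     unlock works before it starts encrypting, which is what you want.
$pin = Read-Host -Prompt 'Startup PIN (6-20 digits)' -AsSecureString
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin | Out-Null
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
Write-Host 'Restart now; encryption begins once the hardware test passes.'
```

The order matters: the recovery password is created and escrowed before Enable-BitLocker runs, so a failed hardware test or a TPM fault during the first reboot never leaves you with an encrypted volume and no key on record. The UseTPM = 0 / UseTPMPIN = 1 pair is what makes the Control Panel wizard offer only the PIN option, so the same policy prevents a user from quietly downgrading to TPM only later.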
Across Multiple PCs with Intune
For businesses with 10+ PCs, manual setup doesn't scale. Microsoft Intune (included with Microsoft 365 Business Premium) lets you:
- Push BitLocker policies to all enrolled devices automatically
- Enforce encryption standards (AES-256, TPM + PIN requirement)
- Automatically escrow recovery keys to Microsoft Entra ID (formerly Azure AD), where helpdesk staff can look them up by device: no more lost keys
- Monitor encryption status across your entire fleet from a single dashboard
- Enforce compliance policies that block access to company data from unencrypted devices
Managing Recovery Keys — The Critical Part
Recovery keys are the most important aspect of BitLocker management. If a user forgets their PIN, the motherboard is replaced, or a firmware update, Secure Boot change or new docking station alters the measured boot chain and triggers a recovery event, the 48-digit recovery password (what the Windows UI calls the recovery key) is the only way to access the drive.
Do:
- Store recovery keys centrally: Microsoft Entra ID, Active Directory, or a business password manager whose access is restricted to IT
- Test your recovery process before you need it in an emergency
- Document which key belongs to which device
- Set up automated key escrow through Intune or Group Policy
Don't:
- Let users save recovery keys to the same encrypted drive (this is surprisingly common)
- Store keys in a spreadsheet on a shared drive
- Lose track of keys when staff leave or machines are reassigned
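The do's and don'ts above come down to one question you should be able to answer for every machine: is it fully encrypted, is protection actually on, is it using TPM + PIN, and is a recovery password escrowed and tied to a known key protector ID? This added example (not the article's own code) answers that across a fleet over PowerShell remoting, re-escrows any recovery password that is missing, and writes a CSV that records the key protector ID per device rather than the 48-digit password itself. It assumes WinRM is enabled on the targets, that you run it as a user with local admin rights on them, and that the computer names in $computers are constructed placeholders.

```powershell
# Added example (not the article's own code): fleet audit of BitLocker state.
# Assumptions: WinRM reachable, admin rights on targets, and each target is
# either Entra-joined or domain-joined (detected with dsregcmd).
$computers = @('LAPTOP-01', 'LAPTOP-02')   # constructed placeholder names

$audit = {
    $dsreg = dsregcmd /status
    $entra = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
        $types = $vol.KeyProtector.KeyProtectorType
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
        if (-not $rp -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            # Encrypted but no recovery password: a TPM failure would be fatal, so add one now
            $rp = (Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
        }
        if ($rp) {
            # Re-escrow is idempotent, so doing it on every run costs nothing and
            # catches machines whose original escrow silently failed
            if ($entra) { BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null }
            else        { Backup-BitLockerKeyProtector      -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null }
        }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Drive         = $vol.MountPoint
            Status        = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            Protection    = $vol.ProtectionStatus   # Off means suspended: the key sits on disk in clear
            Method        = $vol.EncryptionMethod   # expect XtsAes256
            TpmPin        = 'TpmPin' -in $types
            RecoveryKeyId = $rp.KeyProtectorId      # record the ID, never the 48-digit password
        }
    }
}

$results = Invoke-Command -ComputerName $computers -ScriptBlock $audit
$results | Export-Csv -Path .\bitlocker-audit.csv -NoTypeInformation

# Anything listed here needs attention before the next Cyber Essentials review
$results | Where-Object { $_.Status -ne 'FullyEncrypted' -or $_.Protection -ne 'On' -or -not $_.TpmPin } |
    Format-Table Computer, Drive, Status, Protection, Method, TpmPin -AutoSize
```

Recording the key protector ID is what makes "document which key belongs to which device" safe: the ID is what the BitLocker recovery screen shows, so the helpdesk can match it against Entra ID or Active Directory without the password ever living in a spreadsheet.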
BitLocker and Cyber Essentials Compliance
Cyber Essentials — the UK government-backed certification scheme — requires that all mobile devices (laptops, tablets) use encryption to protect data at rest. BitLocker is the simplest way to meet this requirement on Windows devices.
For business cyber security, BitLocker should be part of a layered approach that includes endpoint detection and response (EDR), multi-factor authentication, and regular security awareness training.
Common BitLocker Issues and How to Solve Them
- Recovery prompt after a BIOS/firmware update: expected behaviour, because the TPM's measurement of the boot chain changed and it refuses to release the key. Enter the recovery password; on that boot Windows reseals the TPM protector to the new measurements and the prompt does not return. To avoid it altogether, choose Suspend protection in the BitLocker control panel before applying the update, and check afterwards that protection shows On again, since a suspended drive keeps its key on disk in the clear
- Performance concerns: On modern SSDs and any CPU with AES-NI (every business processor of the last decade), BitLocker's overhead is a few per cent at most and imperceptible in daily use
- Dual-boot systems: BitLocker can cause complications with dual-boot configurations. For business PCs, avoid dual-boot setups
- Encrypting external drives: Use BitLocker To Go for USB drives that carry sensitive data
Do You Need Help Deploying BitLocker?
For a handful of PCs, enabling BitLocker is straightforward. But for businesses with 20+ machines, you need centralised key management, compliance monitoring, and a reliable recovery process. An IT support provider can deploy BitLocker across your fleet, integrate it with Azure AD, and ensure you're fully compliant with Cyber Essentials requirements.
Need IT Support?
Get BitLocker deployed and managed across your business — stay compliant and secure.
Get a Free IT Quote