Encrypting Windows 10 with BitLocker

This content is 8 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

In common with many small business owners (indeed any business owner, it could be argued), my wife needs to be sure that her customer’s data is adequately protected. In her case that means professional cloud services for email (Office 365) and PC backup (Azure) but the data on the PC needs to be protected too…

All major operating systems come with whole drive encryption technologies these days – and for Windows that feature is BitLocker.

When we replaced my wife’s PC a few months ago, I picked what seemed a good small business laptop from Lenovo – a Thinkpad E550 – and, by and large, I’ve been pleased with the purchase.  Somewhat frustratingly though, the PC shipped with Windows 8 (not Pro) and so it has been updated to Windows 8.1 then to Windows 10 Home. That meant that, when I attempted to encrypt the drive by right-clicking in File Explorer, there was no Manage BitLocker option (and the BitLocker Settings stub in Settings, System, About didn’t do anything). Folder-level encryption with the Encrypted File System (EFS) was similarly unavailable (although greyed out, rather than invisible), even when I tried to manually enable it with sc config EFS start= demand.

Whilst there are alternatives available, my support model for my wife’s PC is KISS (“keep it simple, stupid”), as the last thing I need whilst I’m consulting with my own customers is to be worrying about support issues with family devices, so I decided to stick with the technology that’s built into Windows. That meant an upgrade to Windows 10 Pro.

Thinking $99 isn’t too bad a price to pay (after all, this is a business expense for my wife)… I clicked Settings, Update & Security, Activation, Go to Store, only to find that it’s £99.99 in the UK – a £33, or 50%, uplift at today’s exchange rates. By this point I’m starting to feel a little ripped off… although I’m not sure if I’m more annoyed with Lenovo selling a small business PC with an inadequate version of Windows, or Microsoft for only putting encryption in the high-end Windows versions…

Windows 10 Edition upgrade completed

The final point to remember is that not all PCs have a Trusted Platform Module (TPM) chip.

BitLocker error on PC without a trusted platform module

That’s not a problem if you’re prepared to use a USB flash drive as a startup-key. It just needs a little policy change (run gpedit.msc, then Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Bit Locker Drive Encryption\Operating System Drives\Require additional authentication at startup) after which you can work through the BitLocker encryption process as usual but with an extra choice whether to use a USB key or enter a password:

Allow BitLocker without a compatible TPM

Choose how to unlock your drive at startup

2 thoughts on “Encrypting Windows 10 with BitLocker

  1. I’m not worried about the keys being held in a Microsoft account but as far as I can tell device encryption is limited to certain devices and didn’t appear to be present in my wife’s ThinkPad.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.