
BitLocker comes free with every Windows PC. Here is how to set it up.
Windows 11 can encrypt every byte on your hard drive using BitLocker or Device Encryption, and on new PCs it is often turned on before you reach the desktop. The Australian Signals Directorate recommends full-disk encryption for any device handling customer data, and the software is already built into Windows at no extra cost.

Windows encrypts your hard drive whether you asked it to or not. On a new Windows 11 laptop bought from JB Hi-Fi or Officeworks this year, the odds are better than even that BitLocker is already running, quietly scrambling every sector of your SSD with AES encryption before you ever see the desktop. You might not notice until the day the motherboard fails and the repair shop asks for a recovery key you did not know existed.
The Australian Signals Directorate has been unambiguous about this for years: full-disk encryption is a baseline control, not a nice-to-have. Its 2024 guide for small and medium businesses lists it alongside patching and multi-factor authentication as a first-line defence. “Full disk encryption should be applied to businesses’ devices, such as servers, mobile phones and laptops, that access or store customers’ personal data,” the ACSC wrote. There is no carve-out for sole traders, no exemption for the home office. If customer data lives on the drive, the drive gets encrypted.
What BitLocker actually does
BitLocker encrypts an entire volume at the block level. Once turned on, every byte written to disk passes through an AES-XTS encryption layer before it hits the storage controller. Without the key, the raw drive reads as uniform noise. Pull the SSD from a BitLocker-protected laptop, mount it in an external enclosure, and you get nothing.
The key material lives in the Trusted Platform Module, a dedicated cryptoprocessor soldered onto the motherboard of every Windows 11-capable PC shipped since 2016. At boot, the TPM measures the firmware, bootloader, and OS kernel before releasing the decryption key. If any component has been tampered with (a bootkit, a replaced bootloader, a BIOS modification) the measurements do not match and the TPM withholds the key. The machine either refuses to boot or falls back to the recovery key prompt.
Microsoft shipped a meaningful update to this stack in September 2025. Hardware-accelerated BitLocker, delivered in the Windows 11 24H2 cumulative update and baked into 25H2, shifts cryptographic operations to dedicated silicon on supported NVMe drives. The result is encryption that runs at near wire-speed, closing the performance gap that historically made some users turn BitLocker off on gaming rigs and engineering workstations. On a current-generation Samsung or WD NVMe drive with hardware encryption support, the overhead is now negligible, sub-3 per cent on sequential reads in Microsoft’s own benchmarks.
Windows offers two tiers of the same encryption engine. The full BitLocker management console (Control Panel > BitLocker Drive Encryption) ships with Windows 11 Pro, Enterprise, and Education. It lets you choose between TPM-only unlock, TPM plus a PIN, or TPM plus a USB startup key. It can encrypt fixed data drives separately, enforce Group Policy, and escrow recovery keys to Active Directory or Microsoft Entra ID. The second tier, called Device Encryption, is a streamlined automatic version available on every edition of Windows 11, including Home. Since the 24H2 release dropped the Modern Standby and DMA hardware prerequisites, Device Encryption now activates on a much wider pool of hardware, including older desktops and DIY builds that previously fell through the cracks.
How to check whether encryption is already on
Open Settings, navigate to Privacy & Security, and look for Device Encryption. If the toggle reads On, BitLocker has already encrypted the OS drive. The recovery key was either backed up to your Microsoft account during initial setup or, on a work machine, escrowed to your organisation’s Entra ID or Active Directory.
To confirm the detail, open System Information (msinfo32.exe) and look for the line “Device Encryption Support”. If it says “Meets prerequisites”, the hardware is ready. If it says “Reasons for failed automatic device encryption”, Secure Boot is likely disabled in the UEFI firmware, or the TPM is not detected. Both are fixable in the BIOS settings, though the fix requires a reboot and a firmware menu tour that varies by motherboard vendor.
For Windows 11 Pro users who want the full control panel: open Control Panel, search BitLocker, and select Manage BitLocker. The screen shows every drive, its encryption status, and the active key protector for the OS volume. If the OS drive shows “BitLocker off”, click Turn on BitLocker and follow the wizard. It will check the TPM, prompt you to save a recovery key (print it, save it to a file on a separate device, or back it up to a Microsoft account), and begin encrypting in the background. A modern NVMe SSD takes roughly 10 to 20 minutes for a full 512 GB drive; the system remains usable throughout.
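The same checks as a script, added here as an example rather than anything from the article or from Microsoft: it reads TPM state, Secure Boot, and each volume's BitLocker status and protector list using the built-in BitLocker and TrustedPlatformModule modules, and flags the "encrypted but unprotected" and TPM-only cases that the manual checks above leave you to spot by eye.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the article or Microsoft). Pulls the facts you would
# otherwise read from Settings, msinfo32 and the BitLocker control panel.

function Get-DiskEncryptionReadiness {
    # Get-Tpm answers "TPM detected and ready"; Confirm-SecureBootUEFI throws on a
    # legacy-BIOS boot, which counts as Secure Boot off for our purposes.
    $tpm = Get-Tpm
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    [pscustomobject]@{
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        SecureBoot = $secureBoot
    }
}

function Get-VolumeEncryptionReport {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $status = [string]$vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, ...
        $prot   = [string]$vol.ProtectionStatus    # On / Off
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $status
            EncryptionMethod = [string]$vol.EncryptionMethod   # e.g. XtsAes128
            ProtectionStatus = $prot
            Protectors       = ($types -join ',')
            # Encrypted but protection off: BitLocker is suspended, or Device Encryption
            # stalled with a clear key because no Microsoft account was signed in.
            EncryptedNoProtection = ($status -eq 'FullyEncrypted' -and $prot -eq 'Off')
            # A bare Tpm protector means TPM-only unlock (no pre-boot PIN).
            TpmOnlyUnlock    = ($types -contains 'Tpm')
        }
    }
}

Get-DiskEncryptionReadiness | Format-List
Get-VolumeEncryptionReport  | Format-Table -AutoSize
```

Run it from an elevated PowerShell; a row with EncryptedNoProtection set to True is the yellow-warning-icon state described later for Home machines on a local account.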
TPM plus a PIN is the configuration you actually want
The default BitLocker setup on Windows Pro uses TPM-only authentication. The TPM releases the key automatically if the boot measurements are clean. This protects against offline attacks (someone pulls the drive and reads it on another machine) but does nothing against someone who steals the laptop while it is asleep or powered off, then boots it normally. The TPM will happily release the key because nothing has been tampered with, and Windows loads straight to the login screen. At that point the only remaining barrier is the Windows account password, which is not a cryptographic secret and can be reset or bypassed with readily available tools.
Adding a PIN changes the equation. With TPM plus PIN enabled, the pre-boot screen prompts for a 6-to-20-digit numeric code before Windows even begins loading. The TPM incorporates the PIN into the key release decision and enforces lockout after a configurable number of wrong attempts. An attacker who steals the laptop cannot reach the Windows login screen without the PIN, full stop.
Microsoft buries this setting in Group Policy rather than exposing it in the setup wizard. To enable it: open Local Group Policy Editor (gpedit.msc), navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, and enable “Require additional authentication at startup”. Set “Configure TPM startup PIN” to “Require startup PIN with TPM”. Then open an elevated Command Prompt and run manage-bde -protectors -add c: -tpmandpin. You will be prompted to set the PIN. After a reboot, the pre-boot PIN prompt appears.
The trade-off is small but real: you must enter a PIN every time the machine cold-boots. Sleep and resume are unaffected. For a desktop that never leaves the house, TPM-only is sufficient. For a laptop that travels, the PIN is the difference between a lost device and a data breach.
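The gpedit and manage-bde steps above as one script, added here as an example and not taken from the article or from Microsoft. It writes the registry values behind the "Require additional authentication at startup" policy (value names assumed from the VolumeEncryption.admx template), refuses to proceed unless a recovery password protector already exists, adds the TPM-and-PIN protector with the BitLocker module, and removes any leftover TPM-only protector so the machine cannot still boot without the PIN.

```powershell
#Requires -RunAsAdministrator
# Added script (not from the article or Microsoft); Windows 11 Pro with a ready TPM assumed.
# Reboot afterwards to see the pre-boot PIN prompt.

function Enable-TpmPinPolicy {
    # Registry equivalent of the Group Policy setting; names assumed from VolumeEncryption.admx.
    # Enum values: 0 = do not allow, 1 = require, 2 = allow.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord  # policy enabled
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 0 -Type DWord  # TPM still required
    Set-ItemProperty -Path $fve -Name 'UseTPM'             -Value 0 -Type DWord  # TPM-only: do not allow
    Set-ItemProperty -Path $fve -Name 'UseTPMPIN'          -Value 1 -Type DWord  # TPM + PIN: require
    Set-ItemProperty -Path $fve -Name 'UseTPMKey'          -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name 'UseTPMKeyPIN'       -Value 0 -Type DWord
}

function Add-StartupPin {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # A forgotten PIN or a TPM lockout falls back to the recovery key, so never change
    # protectors on a volume that has no recovery password protector.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No recovery password protector on $MountPoint; add and back one up first."
    }
    $pin = Read-Host -Prompt 'Startup PIN (digits only)' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    # If a plain TPM protector survived, the TPM would still release the key without the
    # PIN; remove it so only the TpmPin protector (plus the recovery password) remains.
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $after.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm') {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
}

Enable-TpmPinPolicy
Add-StartupPin -MountPoint 'C:'   # prints the final protector list, expected: TpmPin, RecoveryPassword
```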
Windows Home users get Device Encryption, and that is fine for most people
If the laptop runs Windows 11 Home (the default on most consumer machines sold at Australian retailers), the full BitLocker management console is not available. Device Encryption is the only option, and it uses a fixed configuration: XTS-AES 128-bit, TPM-only unlock, recovery key backed up to the Microsoft account used during setup.
The key limitation is the Microsoft account dependency. If the machine was set up with a local account only, Device Encryption does not complete, the drive is encrypted with a clear key, and the yellow warning icon stays visible in File Explorer indefinitely. The fix is to sign in with a Microsoft account, at which point the recovery key is uploaded and the TPM protector is created automatically. If you are committed to local accounts, your path is to upgrade to Windows 11 Pro (a one-off licence purchase through the Microsoft Store, roughly $A179 at current pricing) and use full BitLocker instead.
What about VeraCrypt?
VeraCrypt is the open-source alternative that gets recommended in privacy-focused forums, and the recommendation is not wrong. It is cross-platform, supports hidden volumes for plausible deniability, and does not require a TPM, which makes it the only viable full-disk encryption option on pre-2016 hardware or machines where the TPM is absent or disabled. The codebase has been audited, and the project remains actively maintained.
The reasons to prefer BitLocker over VeraCrypt on a modern Windows machine are practical rather than ideological. BitLocker is integrated with the Windows boot chain, works seamlessly with Secure Boot, survives Windows feature updates without intervention, and now benefits from hardware acceleration on NVMe drives. VeraCrypt requires a separate bootloader that sits outside Secure Boot’s trust boundary, prompts for a password in a pre-Windows environment that looks and feels different, and adds roughly 15 to 30 per cent overhead on sequential reads on hardware without AES-NI offload. For the average Australian small business owner or household user, the BitLocker integration story is simply less likely to break across updates.
There is a valid use case for VeraCrypt: external drives that need to work across Windows, macOS, and Linux machines. BitLocker To Go encrypts removable drives but is read-only on macOS and inaccessible on Linux without third-party tools. VeraCrypt volumes mount on all three platforms with the same password.
What the ACSC expects Australian businesses to do
The ASD’s Information Security Manual, the controlling document for Commonwealth agency security posture, classifies full-disk encryption as an Essential Eight-adjacent control. The ISM’s system hardening guidelines require that “operating systems are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.” Microsoft’s own hardening baseline for Windows 11 requires BitLocker on all mobile devices. The two documents point in the same direction.
For businesses outside the Commonwealth orbit (most small and medium enterprises, sole traders, professional services firms) the ACSC’s 2024 guide Securing Customer Personal Data is the simpler reference. It places full-disk encryption in the “devices” control family alongside screen locks and remote wipe, and frames it as a defence against the most common real-world data-loss scenario: a laptop left in a taxi or stolen from a café. The guide does not prescribe specific software; BitLocker, being built into the operating system the business already licences, is the path of least resistance.
The Privacy Act 1988, as amended by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, gives the OAIC the power to seek civil penalties of up to $50 million for serious or repeated interferences with privacy. A lost unencrypted laptop containing customer personal information would almost certainly qualify. The ACSC’s position is that encryption turns a notifiable data breach into a lost-hardware insurance claim. The distinction matters.
Recovery keys: the one thing you cannot afford to get wrong
A BitLocker recovery key is a 48-digit numeric string, grouped into eight blocks of six digits, that is the bypass for every encryption protection described above. It is generated at the moment BitLocker is turned on. Lose it, and the data is gone. There is no backdoor, no Microsoft support escalation path, and no forensic recovery service that can brute-force AES-XTS in any practical timeframe.
On a machine joined to a Microsoft Entra ID or Active Directory domain, the recovery key is escrowed automatically and the IT administrator can retrieve it. On a personal machine set up with a Microsoft account, the key lives at account.microsoft.com/devices/recovery-keys. Bookmark that URL. On a machine with a local account only, the key must be saved manually, printed, or written down and stored somewhere physically separate from the laptop. A recovery key sticky-noted to the bottom of the laptop defeats the purpose.
Common triggers that will ask for the recovery key: a BIOS update, a firmware change (disabling Secure Boot, enabling legacy boot), a major Windows feature update, a hardware change (replacing the motherboard, adding or removing a TPM header), or a failed PIN entry after the lockout threshold. Each of these is a normal event, not a sign of compromise. Having the recovery key accessible from another device (a phone, a partner’s laptop, a printed copy in a filing cabinet) is the single most important part of running BitLocker.
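A script for the recovery-key discipline described above, added as an example and not drawn from the article or from Microsoft. It lists every 48-digit recovery password on the machine, refuses to write the file onto a volume that key unlocks, saves it to a path you supply (assumed to be a USB stick or another device), and optionally escrows each protector to Entra ID with the BitLocker module's BackupToAAD-BitLockerKeyProtector; the personal Microsoft-account upload is done through the Settings UI and is not covered here.

```powershell
#Requires -RunAsAdministrator
# Added script (not from the article or Microsoft). $OutFile is assumed to point at
# removable or remote storage, never the encrypted system drive.

function Get-RecoveryPasswords {
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                KeyProtectorId   = $kp.KeyProtectorId
                RecoveryPassword = $kp.RecoveryPassword   # eight blocks of six digits
            }
        }
    }
}

function Export-RecoveryPasswords {
    param([Parameter(Mandatory)][string]$OutFile, [switch]$EscrowToEntraId)
    $keys = @(Get-RecoveryPasswords)
    if ($keys.Count -eq 0) {
        throw 'No recovery password protector found; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector.'
    }
    # A key stored on the drive it unlocks is useless once the drive is locked.
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($OutFile)).TrimEnd('\')
    if ($keys.MountPoint -contains $root) {
        throw "Refusing to save the recovery key on $root, a volume it unlocks."
    }
    $keys | Format-Table -AutoSize | Out-String | Set-Content -Path $OutFile
    if ($EscrowToEntraId) {
        # Only succeeds on an Entra ID joined device; the admin can then read it from the portal.
        foreach ($k in $keys) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $k.MountPoint -KeyProtectorId $k.KeyProtectorId | Out-Null
        }
    }
    $keys
}

# Constructed example call; E: is assumed to be a removable drive.
Export-RecoveryPasswords -OutFile 'E:\bitlocker-recovery.txt'
```

Print the file or store it with the paper records; the point is that it is reachable when the laptop itself is not.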
FAQ
Does BitLocker slow down my computer?
On any SSD shipped in the last five years, the performance impact is negligible. Before the hardware-accelerated update in September 2025, BitLocker introduced roughly 5 to 10 per cent overhead on sequential reads on NVMe drives without hardware encryption support. Post-update, on supported drives, the overhead drops below 3 per cent. On older SATA SSDs and spinning hard drives, expect 8 to 15 per cent, which is still imperceptible for most workloads outside video editing and large database operations.
Is BitLocker safe from government backdoors?
There is no public evidence of a backdoor in BitLocker, and Microsoft’s commercial incentives run in the opposite direction. The company sells Azure, Microsoft 365, and Windows to governments and regulated industries globally. A deliberately weakened encryption product would be a commercial and legal liability across every jurisdiction it operates in. The encryption algorithms BitLocker uses (AES-XTS 128 and 256) are public NIST standards. The closed-source nature of Windows means independent auditors cannot verify the implementation directly, which is the strongest argument for VeraCrypt in high-assurance environments. For the threat profile of an Australian household, small business, or professional services firm, the trust model is sound.
Can I use BitLocker on a Mac?
No. BitLocker is a Windows-only feature. Macs use FileVault 2, which provides equivalent full-disk encryption using XTS-AES 128 with a user-chosen password or recovery key escrowed to iCloud. The configuration path is System Settings > Privacy & Security > FileVault. The same recovery key discipline applies.
What happens if I forget my PIN?
After a configurable number of failed attempts (the default is 4 to 20, set by Group Policy), the TPM enters lockout and BitLocker falls back to the recovery key. Enter the 48-digit recovery key at the pre-boot prompt and Windows boots normally. After sign-in, you can reset the PIN through the BitLocker control panel. This is why the recovery key must be stored somewhere accessible from another device. A phone screenshot of the key works, provided the phone itself is encrypted and backed up.
Does Windows 11 Home include BitLocker?
Windows 11 Home includes Device Encryption, which is a simplified automatic version of BitLocker. It encrypts the OS drive with XTS-AES 128-bit, uses TPM-only unlock, and backs up the recovery key to the Microsoft account. It does not support PIN authentication, does not encrypt fixed data drives separately, and provides no management console. For those features, upgrade to Windows 11 Pro.
Is BitLocker enough for business compliance?
For Australian businesses subject to the Privacy Act, the ACSC’s Essential Eight, or APRA’s CPS 234, full-disk encryption is a necessary but not sufficient control. BitLocker with TPM plus PIN satisfies the encryption requirement. Businesses also need patch management, multi-factor authentication, application control, and regular backups. BitLocker protects data at rest on a lost device. It does not protect against malware running under the logged-in user’s session, phishing, or cloud account compromise. Think of it as the lock on the front door: essential, but not the whole security posture.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.


