Steps to Enabling BitLocker


  • Windows 7 Ultimate, Windows 7 Enterprise, or Windows Server 2008 R2 Operating System
  • A TPM microchip, version 1.2, turned on for use with BitLocker on operating system drives is recommended for validation of early boot components and storage of BitLocker master key.
  • A USB flash drive if the computer does not have TPM
  • A BIOS that supports USB devices during startup
  • Administrative credentials


1.    Open the Start menu and select Control Panel. Near the top right by View by, select from the drop down menu Large items or Small items. Click on BitLocker Drive Encryption.


2.    Next to the operating system drive, click Turn on BitLocker. BitLocker will scan your computer to make sure that it meets the BitLocker system requirements. If your computer meets the requirements, BitLocker will inform you of the next steps that need to be taken to turn on BitLocker, such as drive preparation, turning on the TPM, and encrypting the drive.


a.    If you have a single partition for your operating system drive, BitLocker will prepare the drive by shrinking the operating system drive and creating a new system partition to use for system files that are required to start or recover the operating system and that cannot be encrypted. This drive will not have a drive letter to help prevent the storing of data files on this drive inadvertently. After the drive is prepared, the computer must be restarted.

b.    If your TPM is not initialized, the BitLocker setup wizard will instruct you to remove any CDs, DVDs, or USB drives from the computer and restart the computer to begin the process of turning on the TPM. You will either be prompted to enable the TPM before the operating system boots or in some cases you will need to navigate to the BIOS and enable the TPM manually. This behavior depends on the BIOS of the computer.

i. You can reach the BIOS of your computer by restarting your computer. When the computer is booting up, press the F8 key and you’ll be taken to the BIOS screen.
ii. Look for TPM configuration and enable TPM.
iii. After you confirm that you want the TPM enabled, the operating system will start and the Initializing the TPM security hardware progress indicator will be displayed.

c.    If your computer does not have TPM, you can still use BitLocker, but you will be using the Startup key only authentication method. All of the required encryption key information is stored on a USB flash drive, which the user must insert into the computer during startup. The key stored on the USB flash drive unlocks the computer. To use this method, your computer must support the reading of USB devices in the preboot environment and you must enable this authentication method. The next steps will show you how to do so.

i. Open the Start menu, type in gpedit.msc in the search line and press Enter. (This file is located at C:WindowsSystem32gpedit.msc.)
ii. In the left pane, expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and Operating System Drives.

iii. In the right pane, right click on Require additional authentication at startup and click Edit.
iv. If you do have TPM and wish to use it, move on to the next step. Otherwise, select the radio button for Enabled. Then under the Options section, check the box for Allow Bitlocker without a compatible TPM. Then click OK.


v. Close the Local Group Policy Editor window.

3.    Plug in the USB flash drive that you want the recovery key saved to. You will still be able to use the  USB normally, but do not remove the BitLocker startup key file. You will need to plug in this USB every time you start up your computer.

4.    Restart the BitLocker setup wizard. It will prompt you to choose how to store the recovery key. Select Save the recovery key to a USB flash drive. It is recommended you also do the other two options and save the key file somewhere safe in case you lose or damage to USB flash drive with the startup key.

5.    Notify your IT manager. They will keep a copy of your recovery key in the event that you lose your key.

6.    Click  Save, then Next.

7.    Check the Run BitLocker system check box, then click Continue.

8.    You will need to restart your computer. Close and save all documents before restarting and click Restart now.

One of the items that BitLocker checks is the configuration of the system partition. BitLocker requires a minimum system partition size of 100 MB, and the Windows Recovery Environment requires 200 MB. When the operating system is installed, the system partition is automatically created by the setup process with a default size of 300 MB. However, this default partition size can be changed by computer manufacturers or system administrators when they install the operating system. If the system partition is exactly 100 MB, BitLocker setup assumes that you have a Windows Recovery DVD for use with your computer and the system check is completed without any errors. However, if you have a system partition size between 101 MB and 299 MB, the following error message will be displayed: “You will no longer be able to use Windows Recovery Environment unless it is manually enabled and moved to the system drive.” If you have a Windows 7 DVD that contains the Windows Recovery Environment or you have another system recovery process in place, you may disregard this message and continue with BitLocker setup. Otherwise, you should check your system partition and verify that you have at least 200 MB of free space on your system partition so that the Windows Recovery Environment can be retained on the system drive along with the BitLocker Recovery Environment and other files that BitLocker requires to unlock the operating system drive. For more information about the Windows Recovery Environment, see Windows Recovery Environment.

9.    If your computer is ready from encryption, when the computer restarts, BitLocker will start encrypting the drive. You can see the encryption status by clicking on the BitLocker icon in the taskbar on the far right.

10.    You can now manage BitLocker settings. Open the Start menu and select Computer.  Right click on your encrypted drive, and select Manage BitLocker.  (This option is also available in the Control Panel.) You will get the following options in the image below.


11.    You have now finished enabling BitLocker. From now on, you will be required to plug in the USB with the startup key in order to unlock and startup your machine.

If you have questions, contact us.