Windows 10 has fancy new log-in options like fingerprint, facial and iris recognition. But anybody with a bootable USB stick might still steal your files, unless you encrypt your drive with BitLocker or a similar tool.
By default, Windows secures user accounts and data with a password. You need to log in to access your files.
But unfortunately there is no default Windows 10 encryption of your drive. This means anybody with a bootable USB drive might gain access to your data, bypassing the Windows 10 login mechanism. Just imagine you lose your fancy Surface Pro 3 tablet or it gets stolen. Thieves or hackers might just copy your files and use your data. Even worse, they might also get access to passwords stored in web browsers and log in to your online accounts.
Why doesn't Windows 10 advertise its great built-in BitLocker encryption when you install or upgrade? As our short tutorial shows, activating BitLocker on Windows 10 and encrypting your files is a no-brainer.
1. Turning on BitLocker encryption for a Windows 10 system disk
Right-click on your system drive symbol in Windows 10 File Explorer. Then select Turn on BitLocker.
A) If you see the following error message, then continue with step 2 – Open Windows 10 Group Policy Editor.
B) If you don't see the error message, you can continue with step 5 – BitLocker setup: Choose unlock method for startup.
2. Open Windows 10 Group Policy Editor
BitLocker relies on a so-called TPM (Trusted Platform Module) for encrypting Windows 10 system disks. Many new mainboards come with a TPM chip, which can be activated in your BIOS.
Alternatively, you can change a setting in the Windows 10 Group Policy Editor to use BitLocker system disk encryption with passwords. Type gpedit in the Windows 10 taskbar search and select Edit group policy.
3. Windows 10 Group Policy Editor: Open advanced BitLocker-Settings
In the Windows 10 group policy editor, browse to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the left panel.
Then double-click on Require additional authentication at startup in the main window. Take care to choose the right option, as there is another, similar entry for (Windows Server).
4. Deactivate Trusted Platform Module check for BitLocker
Select Enabled in the upper left and activate Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) below.
After that, jump back to step 1 to activate BitLocker encryption for your Windows 10 system disk.
5. BitLocker setup: Choose unlock method for startup
At Choose how to unlock your drive at startup you can select USB drives or passwords. USB drives are convenient when you have them with you. But if you forget or lose them, you end up with no access to your system. Therefore we suggest using passwords.
Don't get confused – this password is an additional password to unlock your encrypted Windows 10 system disk for booting. To log in to Windows 10 you will still use your normal account password.
Choose a secure password consisting of uppercase and lowercase letters, numbers and special characters. Make sure not to reuse a password you use for other accounts.
6. Save BitLocker recovery key
As a measure of last resort, BitLocker uses recovery keys, which can be used to decrypt your system in case your password gets lost. This key is a long string of characters in text format that you should save in a secure place.
You can use several of the offered settings. We recommend that you both save the BitLocker recovery key to your Microsoft account and save it to a text file.
7. Activate Windows 10 system disk encryption
This last step activates encryption for your Windows 10 system disk. You can choose between Encrypt used disk space only and Encrypt entire drive.
Choose option two! You will not lose anything, as BitLocker encrypts your drive in the background and you will be able to use Windows 10 fully in the meantime.
After that, it's strongly recommended to select Run BitLocker system check to avoid data loss.
8. Reboot to encrypt drive
BitLocker now asks you to reboot Windows 10 to finish setup and to begin encryption.
Before Windows 10 starts booting, you have to enter the BitLocker password for your system disk.
Once you are logged in, BitLocker begins encrypting your Windows 10 system disk. You can watch the progress by double-clicking on the BitLocker symbol in your taskbar.
9. Changing BitLocker recovery keys and passwords
In Control Panel > System and Security > BitLocker Drive Encryption you can revise your choices from the BitLocker setup. You can also choose to set up BitLocker encryption for additional drives in your system.
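To confirm the result of steps 1 to 8 without clicking through the dialogs again, the following read-only PowerShell check can be run from an elevated prompt. It is an added example, not part of the original tutorial; it uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets, reads the registry location where the step 4 policy is stored, and the warning texts are this example's own wording.

```powershell
# Added example: read-only verification of the BitLocker setup described above.
# Run in an elevated PowerShell session. Nothing here changes any setting.
$mount = $env:SystemDrive                      # the system disk, normally C:

# Step 2: is a TPM present and ready? Get-Tpm can fail on machines without one.
try   { $tpm = Get-Tpm -ErrorAction Stop }
catch { $tpm = $null }

# Steps 3-4: "Allow BitLocker without a compatible TPM" is stored under this policy key.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$noTpmAllowed = ($null -ne $fve) -and ($fve.EnableBDEWithNoTPM -eq 1)

# Steps 5-8: state of the system volume and the key protectors created by the wizard.
$vol   = Get-BitLockerVolume -MountPoint $mount
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

# Summary. The recovery password itself is deliberately never printed.
[pscustomobject]@{
    MountPoint           = $vol.MountPoint
    TpmPresent           = [bool]($tpm -and $tpm.TpmPresent)
    TpmReady             = [bool]($tpm -and $tpm.TpmReady)
    NoTpmPolicyEnabled   = $noTpmAllowed
    VolumeStatus         = $vol.VolumeStatus
    EncryptionPercentage = $vol.EncryptionPercentage
    ProtectionStatus     = $vol.ProtectionStatus
    EncryptionMethod     = $vol.EncryptionMethod
    KeyProtectors        = $types -join ', '
} | Format-List

# Findings a reviewer would want flagged.
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "Encryption not finished: $($vol.VolumeStatus), $($vol.EncryptionPercentage)% done."
}
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning 'Protection is off or suspended; the disk is not yet protected against offline access.'
}
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning 'No recovery password protector found; repeat step 6 and save the recovery key.'
}
if (-not ($types -match '^(Tpm|Password|ExternalKey)')) {
    Write-Warning 'No startup protector (TPM, password or USB startup key) found on this volume.'
}
```

On a machine set up as in this tutorial (no TPM, password at startup), KeyProtectors should list Password and RecoveryPassword, and no warnings should appear once encryption has reached 100%.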