How to manage BitLocker and why should you use it?

Arthur Harrison

Feb 17, 2022

10 min read

Securing data is more important than ever before. The information you hold is often more valuable than the device itself and can cause massive loss to you as an individual or the organization to which the device belongs. It goes without saying that protecting it in every way possible is a must. There are many programs to help you protect from online attacks like hacking but, BitLocker is one of the few ways to protect your data in offline attack situations.

Manage BitLocker with Hexnode UEM

What exactly is the BitLocker?

If a person manages to steal your hard drive, they could gain access to all the sensitive data in it, even if it is password protected. With BitLocker, you can avoid such scenarios. BitLocker device encryption protects all the data by encrypting the entire hard drive. As a result, no one can access the data without an encryption key. The key gets generated during disk encryption. Needless to say, this key must be kept safe.

BitLocker keeps the data safe from thefts

BitLocker is available on:

  • Ultimate and Enterprise editions of Windows Vista and Windows 7
  • Pro and Enterprise editions of Windows 8 and 8.1
  • Pro, Enterprise, and Education editions of Windows 10 and Windows 11

Featured resource

Hexnode Windows Management Solution

Get started with Hexnode’s Windows Management solution to improve security, increase productivity, save time and overhead costs of managing your corporate devices.

Download the datasheet

How does it work?

The way BitLocker accomplishes this is brilliant. The solution is to encrypt the disk and store the key in a separate physical location other than the disk itself.

Let me elaborate on that. Most modern motherboards come with a chip called TPM (Trusted Platform Module) soldered onto them. The TPM stores the encryption key. Every time the device boots, the TPM is accessed for the key to decrypt information. Since the key is physically separate from the main memory, even if someone manages to steal the drive, they cannot access its sensitive content. The TPM is made to work only with that motherboard.

If your motherboard doesn’t come with a TPM, you can change some settings to use a password every time the system boots up. However, that defeats the whole purpose of encryption as the password is also stored in the disk somewhere. Alternatively, you could go for the option to use a USB stick as the key. The encryption key is stored in the USB drive of choice which has to be connected to the PC every time the system boots.

Trustworthiness of these encryptions

You might be wondering, it is just encryption, a similar concept that had been in use since world wars and they were proven to be crackable. What makes this any special?
Well, no algorithm is indeed 100% foolproof but, algorithms used in BitLocker are much smarter. So far, the only known way to crack the encryption algorithms in BitLocker is to brute force your way into it. I’ll explain in a bit why that is futile. In the case of BitLocker in Windows 10, you typically get to choose between 4 options of encryptions and cipher strengths.

  • AES-CBC 128-bit
  • AES-CBC 256-bit
  • XTS-AES 128-bit (default)
  • XTS-AES 256-bi

Which option to choose?

AES stands for Advanced Encryption Standard, which had been developed initially for protecting/ciphering the US government classified information. It was designed to replace DES (Data Encryption Standard) because it became vulnerable to brute force attacks due to the advances in computational power over the years. Therefore, AES is especially immune to these types of attacks.

The attacker or thief might not be able to make sense of the data. However, they can still manipulate it. This can be annoying and most importantly devastating, especially when the user doesn’t realize they got attacked. For example, an attacker might decide to change a few bits of data on your hard drive. This could affect the programs you might want to run or even change a few characters in the spreadsheet you’ve made. The attacker will have no idea what the change accounts for and what’s terrifying is that, neither will you. Since the changes can be so small, you probably won’t be aware of the data tampering.

This is where the difference between XTS and CBC comes into the picture. CBC allows for single-bit changes, whereas in XTS you can only change 16 bits at a time. This makes the changes significant, visible, and easy to detect. Microsoft recommends using CBC for non-fixed/removable drives and XTS for fixed and OS drives.

There are more technical differences between CBC and XTS related to how they interact with the logic gates. But for our understanding, this should be enough. In Windows 8, only CBC algorithm is available but you get to select whether you want to use a diffuser. Using a diffuser eliminates single-bit changes to some extent.

It takes literal supereons to crack.

Now, what is the deal with 128 bit and 256-bit encryption keys? To put it simply, the bigger, the better. But you should still be good with a 128-bit key for the most part because, even with the right quantum computer and the best cracking algorithm available today, it will take about 2.61×10^12 years to try every single combination possible. For AES-256, it will be 1.38×10^32 years. If those numbers don’t mean anything to you, the universe is just 1.3×10^10 years old. Take a minute and try to wrap your head around that.

Impossible to crack without the encryption key

Organizations love to use BitLocker

I think we established what BitLocker can do. How can this be useful for individuals, especially from an organizational standpoint?
Well, BitLocker is helpful in

  • Protecting confidential data:

    More often than not, employees tend to hold a lot of company-specific sensitive information on their own or the devices the organization provides them. They could be phone numbers, emails, passwords, or even the company’s trade secrets. Though the device uses a password, all the information is still available in the drive, making it the only thing between the hacker and your data. BitLocker on the other hand encrypts all the data in your hard drive, essentially making data illegible without the key.

  • Enabling BYOD and remote work:

    There had been drastic changes in the way employees work. We see it becoming increasingly digital and remote, especially in the last couple of years. Organizations are also letting employees use the devices of their comfort. This is all good until we factor in the security risks. BitLocker encryption helps eliminate these risks, leading to happy and productive employees.
    Regular people are susceptible to data thefts as well and it can be very damaging when your passwords, bank info, etc are at risk. Hence, everyone should encrypt their data.

Regular people are susceptible to data thefts as well and it can be very damaging when your passwords, bank info, etc are at risk. Hence, everyone should encrypt their data.

How to use it?

If the device is a part of an organizational network, only the admin will have access to these changes. Continue with these instructions if you have full administrator access over the device.

Changes to BitLocker configurations on the Operating system and fixed drives require admin access. Standard users can turn on or off the BitLocker for removable drives unless the admin disables the access.

  1. Check for TPM

    Press win + R and type “tpm.msc”. You will find the TPM manufacturer information and the status of it. It is recommended to go for hardware-based encryption if the TPM module is present in your device.
    If the status is not “ready for use” then you need to enable TPM. Check out this document by Microsoft on how to enable TPM. Else, it is already enabled and you can move to step 2.
    In case you don’t see any of those, TPM doesn’t exist in your device so opt for software-based encryption.

  2. Configure BitLocker

    Before enabling BitLocker, you need to disable BitLocker if required drives are already encrypted and configure a few settings like encryption type, cipher strength, recovery key storage location, etc.
    To disable BitLocker go to step 4.
    Open group policy editor (press win+R and type “gpedit.msc”)/ Computer Configuration/ Administrative Templates/ Windows Components/ BitLocker Device Encryption and make the necessary changes
    If TPM is not there in your device

    1. Go to BitLocker Device Encryption/ Operating system drives/Require additional authentication at the startup
    2. Enable it
    3. Check the Allow bit locker without a compatible TPM, later while enabling BitLocker you have to choose between giving a password or using a USB to unlock your device.

    This process can be simplified to a great extent if the device is managed by your organization using a capable UEM like Hexnode. From Hexnode’s console you can

    • Prompt the user for device encryption
    • Select the required encryption method for operating, fixed and removable drives separately.
    • Configure the recovery options for each drive.
    • Configure start-up authentication and the minimum password length for an additional layer of security.

    All of this can be done just with a single policy. Remotely associate the policy to multiple devices in bulk, which in process, saves a lot of time and effort for the IT team.

  3. Enable BitLocker

    Go to Control panel > Systems and Security > BitLocker Device Encryption > Turn BitLocker on.
    You may get a few prompts. Answer them according to your needs and the encryption process begins.
    After all the prompts hit Continue and then Restart now. Even after the restart, it might still be in the process of encrypting the drive. It is advisable to keep the device plugged in as it takes a bit of time.

  4. Disable Bitlocker

    This is an optional step, useful when you want to change the already existing configurations.
    Go to Control panel > Systems and Security > BitLocker Device Encryption > Turn BitLocker off.
    Make sure you have the administrator credentials to remove Bitlocker.
    Go back to step 2 to continue making changes in the configuration.


BitLocker is one of the most useful features that benefits any Windows user. Encrypting the whole drive makes all the physical attacks like stealing useless. Since it is impossible for the attacker to brute force their way through the encryption, there’s no reason for the users to not encrypt their drives, especially if they contain sensitive information. BitLocker is easy to set up especially with a UEM like Hexnode and costs almost nothing compared to the risks. Organizations love BitLocker for this exact reason.


Arthur Harrison

Your friendly neighbourhood blogger

Share your thoughts