Try this first
1. Per laptop: press the Windows key and type 'Manage BitLocker'. See 'BitLocker on' for the C: drive? You are done.
2. For a central check: Microsoft Intune > Devices > Endpoint security > Disk encryption. Or Entra > Devices > BitLocker keys.
3. Not on? Click 'Turn on BitLocker'. This generates a recovery key, which is automatically stored in Entra if the laptop is joined there.
4. The disk gets noticeably slower during initial encryption. Do not plan this on a busy workday.
5. For laptops without TPM (older models): this is a real security downgrade. Without TPM you have to enable 'Allow BitLocker without compatible TPM' via Group Policy or Intune, and BitLocker then requires either a USB startup key or a passphrase at every boot. Workable, but the pre-boot factor is mandatory and you lose TPM protection against offline brute-force. For production hardware, replace with a device that has TPM 2.0.
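For admins who would rather script the per-laptop check than click through 'Manage BitLocker', here is a read-only PowerShell report covering the points in the steps above: protection state, encryption progress, recovery key presence and TPM use. It is an added example, not part of the original guide; the function name `Get-BitLockerReport` and the wording of the findings are our own, and it assumes an elevated prompt on a Windows edition that ships the BitLocker cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only BitLocker status report for the OS drive.
# Uses the built-in Get-BitLockerVolume and Get-Tpm cmdlets; changes nothing.

function Get-BitLockerReport {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $tpm   = Get-Tpm
    # Key protector types on the volume, e.g. Tpm, RecoveryPassword, ExternalKey
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    $findings = @()
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += 'Protection is off: data is readable if the disk is removed.'
    }
    if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
        $findings += "Initial encryption still running ($($vol.EncryptionPercentage)%)."
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector: nothing to store in Entra.'
    }
    if (-not $tpm.TpmPresent) {
        $findings += 'No TPM: expect a USB startup key or passphrase at every boot.'
    } elseif (-not ($types -match '^Tpm')) {
        $findings += 'TPM present but not used as a key protector.'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        MountPoint   = $vol.MountPoint
        Protection   = "$($vol.ProtectionStatus)"
        VolumeStatus = "$($vol.VolumeStatus)"
        EncryptedPct = $vol.EncryptionPercentage
        Protectors   = $types -join ', '
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        Findings     = if ($findings) { $findings -join ' ' } else { 'OK' }
    }
}

Get-BitLockerReport | Format-List
```

The report only shows that a recovery password exists on the device. Whether it actually reached Entra still has to be confirmed with the central check in step 2.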
When to bring us in
Whole fleet to BitLocker at once via Intune or GPO? Do not do it solo. One config error and you lock users out. We roll this out in phases with recovery key backup.
See also
- I think I clicked a phishing link: No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely: Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes. Classic problem after a phone upgrade. You are not the first to be locked out.