Enable BitLocker encryption on a Windows 10 device

As an administrator, you can specify how your Microsoft Windows 10 devices and drives are encrypted.

Configure device encryption for Windows 10 devices

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Settings and then Windows settings.
  4. Click BitLocker settings.
  5. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  6. Under Device encryption, select Enabled from the list of items.
  7. Configure the options below.
  8. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

To configure general settings, see Recommended settings for most devices.

Device encryption

  • Encryption option for system drives–Specify the encryption method and the cipher strength of the key for operating system drives.
  • Additional startup authentication–Specify whether BitLocker requires additional authentication each time the computer starts and specify if you’re using a Trusted Platform Module (TPM).
  • Allow BitLocker without a compatible TPM–Either a password or a USB drive is required for startup.
  • Set TPM startup without a PIN or key–Require TPM as startup authentication instead of a PIN or key.
  • TPM startup PIN–Require a 6-digit to 20-digit PIN to be entered before startup. You can also configure the minimum PIN length.
  • TPM startup key–If a TPM startup key is used, the key material needed to unlock the drive is stored on a USB drive (the startup key). When this USB drive is inserted into the device at startup, the TPM and startup key together authenticate access, and the drive is unlocked.
  • TPM startup key and PIN–Allows you to require both a startup key and a PIN.
  • Pre-boot recovery options–Configure the recovery message or replace the existing URL displayed on the pre-boot key recovery screen when the operating system drive is locked. You can also use the default recovery message or URL or elect to use a custom message or custom URL.
  • System drives recovery options–Set options for users to recover data from operating system drives protected by BitLocker.
  • Allow data recovery agent–Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector. These individuals can use their PKI credentials to unlock drives protected by BitLocker.
  • 48-digit recovery password–Option for users to generate a 48-digit recovery password.
  • 256-bit recovery key–Option for users to generate a 256-bit recovery key.
  • Hide recovery options from BitLocker setup wizard–Prevent users from specifying recovery options when they turn on BitLocker.
  • Save BitLocker recovery information to Active Directory Domain Services–Choose which BitLocker recovery information to store in Active Directory. You can select either the Backup recovery password and key package or the Backup recovery password only.
  • Don't enable BitLocker until recovery information is stored in Active Directory–Prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to Active Directory succeeds.

Fixed drives encryption

  • Fixed drives encryption–Require fixed drives to be encrypted before write access is granted.
  • Encryption for fixed drives–Specify the encryption method and key cipher strength for fixed drives.
  • Fixed drives recovery options–Set options for users to recover data from fixed drives protected by BitLocker.
  • Allow data recovery agent–Data recovery agents are individuals whose public key infrastructure (PKI) certificates have been used to create a BitLocker key protector. These individuals can use their PKI credentials to unlock drives protected by BitLocker.
  • 48-digit recovery password–Option for users to generate a 48-digit recovery password.
  • 256-bit recovery key–Option for users to generate a 256-bit recovery key.
  • Hide recovery options from BitLocker setup wizard–Prevent users from specifying recovery options when they turn on BitLocker.
  • Save BitLocker recovery information to Active Directory Domain Services–Choose which BitLocker recovery information to store in Active Directory. You can select either the Backup recovery password and key package or the Backup recovery password only.
  • Don't enable BitLocker until recovery information is stored in Active Directory–Prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to Active Directory succeeds.

Removable drives encryption

  • Removable drives encryption–Require all removable drives to be encrypted before write access is given.
  • Encryption for removable drives–Configure the encryption algorithm and key cipher strength for removable drives. Use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in devices not running Windows 10, version 1511.
  • Deny write access to devices configured in another organization–Only drives with identification fields matching the computer's identification fields are granted write access. These fields are defined by your organization’s group policy.

Note: Changes may take up to 24 hours to propagate to all users.

For details on how to enable device encryption, see your Microsoft documentation.
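Because the Admin console setting can take up to 24 hours to reach a device, an administrator usually wants a way to confirm on the endpoint that the policy actually took effect. The following PowerShell script is an added example, not part of this help page or of Google's tooling: it reads the device's BitLocker state with the BitLocker and TrustedPlatformModule modules that ship with Windows 10 and compares it against the choices described above (system-drive encryption method, TPM or TPM+PIN startup protector, 48-digit recovery password, fixed and removable drive encryption). The `$Expected` values are assumptions you edit to match what you selected; `Backup-RecoveryPasswordsToAD` only applies on a domain-joined device where "Save BitLocker recovery information to Active Directory Domain Services" is in use.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Google Workspace help page): report whether a
# managed Windows 10 device reflects the BitLocker policy chosen in the Admin
# console. Assumes the BitLocker and TrustedPlatformModule modules shipped
# with Windows are available. The $Expected values are assumptions; change
# them to match the options you selected.
Import-Module BitLocker -ErrorAction Stop

# Assumed policy choices, named after the Admin console settings.
$Expected = @{
    OsEncryptionMethod   = 'XtsAes256'   # Encryption option for system drives
    RequireTpmPin        = $false        # TPM startup PIN (vs. TPM only)
    RequireRecoveryPwd   = $true         # 48-digit recovery password
    FixedDrivesEncrypted = $true         # Fixed drives encryption
}

function Get-DriveKind {
    # Map a BitLocker mount point such as 'C:' to Fixed/Removable via Get-Volume,
    # since Get-BitLockerVolume reports both as VolumeType 'Data'.
    param([string]$MountPoint)
    $v = Get-Volume -DriveLetter $MountPoint.TrimEnd(':') -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Unknown' }
    return [string]$v.DriveType
}

function Test-BitLockerCompliance {
    param([hashtable]$Policy = $Expected)
    $findings = New-Object System.Collections.Generic.List[string]

    # "Allow BitLocker without a compatible TPM" only matters if the TPM is unusable.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings.Add('TPM missing or not ready: startup needs "Allow BitLocker without a compatible TPM" (password or USB key)')
    }

    foreach ($vol in Get-BitLockerVolume) {
        $mp    = $vol.MountPoint
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        if ($vol.VolumeType -eq 'OperatingSystem') {
            if ($vol.ProtectionStatus -ne 'On') {
                $findings.Add("${mp}: OS drive protection is $($vol.ProtectionStatus) (volume status $($vol.VolumeStatus))")
            }
            if ([string]$vol.EncryptionMethod -ne $Policy.OsEncryptionMethod) {
                $findings.Add("${mp}: encryption method $($vol.EncryptionMethod), policy expects $($Policy.OsEncryptionMethod)")
            }
            $startup = if ($Policy.RequireTpmPin) { 'TpmPin' } else { 'Tpm' }
            if ($types -notcontains $startup) {
                $findings.Add("${mp}: no $startup startup protector (found: $($types -join ', '))")
            }
            if ($Policy.RequireRecoveryPwd -and $types -notcontains 'RecoveryPassword') {
                $findings.Add("${mp}: no 48-digit recovery password protector")
            }
        }
        else {
            $kind = Get-DriveKind $mp
            if ($kind -eq 'Fixed' -and $Policy.FixedDrivesEncrypted -and $vol.ProtectionStatus -ne 'On') {
                $findings.Add("${mp}: fixed data drive not protected ($($vol.VolumeStatus))")
            }
            if ($kind -eq 'Removable' -and $vol.ProtectionStatus -ne 'On') {
                $findings.Add("${mp}: removable drive not encrypted; with Removable drives encryption enabled it is read-only")
            }
        }
    }
    # Return the List itself (the leading comma stops PowerShell unrolling it).
    return ,$findings
}

function Backup-RecoveryPasswordsToAD {
    # For "Save BitLocker recovery information to Active Directory Domain Services":
    # push every recovery-password protector to AD DS on a domain-joined device.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            if ([string]$kp.KeyProtectorType -eq 'RecoveryPassword') {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
            }
        }
    }
}

$result = Test-BitLockerCompliance
if ($result.Count -eq 0) { 'Device matches the expected BitLocker policy.' }
else { $result | ForEach-Object { "NONCOMPLIANT: $_" } }
```

Run it elevated on the device after the propagation window; each line it prints names the Admin console setting that has not taken effect, which is more useful for triage than the bare "On/Off" that Control Panel shows. The 256-bit recovery key and data recovery agent options appear in `KeyProtector` as `ExternalKey` and `PublicKey` protectors respectively if you want to extend the check.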

Disable device encryption for Windows 10 devices

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Devices.
  3. On the left, click Settings and then Windows settings.
  4. Click BitLocker settings.
  5. If you want to disable a profile for only some users, select an organizational unit from the list on the left. Otherwise, it applies to everyone.
  6. Under Device encryption, select Disabled from the list of items.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.

Use “Not configured” for device encryption of Windows 10 devices

Selecting Not configured under Device encryption removes the enforcement of the BitLocker policy, reverting to the setting it had previously. If the user has previously encrypted the device, no changes are made to the device or data on the device.

Recommended settings for most devices

BitLocker encryption for Windows devices provides you with granular control of encryption settings on a device. However, the most common BitLocker settings for Windows are:

  • Device encryption
  • Additional startup authentication
  • Pre-boot recovery options
  • Fixed drives encryption
  • Fixed drives recovery options
  • Removable drives encryption
