Device encryption in Windows 11, also known as BitLocker automatic device encryption, is a crucial feature for protecting your data on the OS drive. It ensures that only authorized individuals can access the data stored on your device. Available on a wide range of Windows devices, device encryption is automatically enabled on supported devices that meet specific criteria, such as Modern Standby support.
In this guide, we will walk you through the steps to turn on or off device encryption on your Windows 11 PC. Before proceeding, ensure you are signed in as an administrator, as this is a prerequisite for managing device encryption settings.
Understanding Device Encryption in Windows 11
Device encryption in Windows 11 provides a layer of security by encrypting the OS drive using the XTS-AES 128-bit BitLocker encryption method and cipher strength by default. This feature is particularly useful for tablets and 2-in-1 devices that support Modern Standby. If your device doesn't support device encryption, you might still enable standard BitLocker encryption, provided you are running Windows 11 Pro, Enterprise, or Education.
It's important to note that if device encryption is turned off, it won't automatically enable itself in the future. You'll need to manually enable it through the Settings menu if required. Moreover, Microsoft has recently adjusted the prerequisites for enabling device encryption, making it easier to activate this feature on clean installations of Windows 11, starting with build 25905.
Prerequisites for Device Encryption
- Administrator Access: You must be signed in as an administrator to turn on or off device encryption.
- Supported Device: Device encryption is available on devices supporting Modern Standby and running any edition of Windows 11. For standard BitLocker encryption, Windows 11 Pro, Enterprise, or Education is required.
- Encryption Method: By default, Windows 11 uses the XTS-AES 128-bit BitLocker encryption. To use a stronger XTS-AES 256-bit method, you must change the BitLocker encryption settings before enabling device encryption.
How to Turn On Device Encryption in Windows 11
Enabling device encryption will enhance your device's security, ensuring that only authorized users can access the data on your OS drive.
- Open Settings
Open the Settings app by pressing Win+I on your keyboard or via the Start menu.
- Navigate to Device encryption
Click on Privacy & security on the left side, then click on Device encryption on the right side.
Note: The Device encryption setting will not be available if you are not signed in as an administrator or if your PC doesn't support device encryption.
- Turn on Device encryption
Toggle the switch to On to enable device encryption.
- Wait for Encryption to Complete
You will see “Encryption is in progress” until the process is finished. This may take a while, so do not turn off your PC until encryption is completed.
- Close Settings
Once encryption is finished, you can close the Settings app.
- Backup BitLocker Recovery Key
It is highly recommended to back up the BitLocker recovery key used for device encryption. You will need this key if you are ever prompted for it to access your Windows drive.
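To confirm the result of the steps above without relying on the Settings page, the following PowerShell check reports the OS drive's encryption state and whether a recovery key exists to back up. It is an added example, not part of the original guide, and assumes an elevated PowerShell session on a system where the BitLocker PowerShell module is available.

```powershell
#Requires -RunAsAdministrator
# Added example: report the OS drive's encryption state without printing
# the recovery password itself. Assumes the BitLocker module is installed.

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Protector types attached to the volume, e.g. Tpm and RecoveryPassword.
$protectorTypes = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$hasRecovery    = $protectorTypes -contains 'RecoveryPassword'

[pscustomobject]@{
    Drive               = $vol.MountPoint
    VolumeStatus        = $vol.VolumeStatus          # e.g. EncryptionInProgress, FullyEncrypted
    PercentEncrypted    = $vol.EncryptionPercentage
    EncryptionMethod    = $vol.EncryptionMethod      # XtsAes128 is the default named in this guide
    ProtectionStatus    = $vol.ProtectionStatus      # On / Off
    KeyProtectors       = $protectorTypes -join ', '
    HasRecoveryPassword = $hasRecovery
} | Format-List

# Collect anything that still needs attention before relying on the encryption.
$findings = @()
if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
    $findings += "Volume is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted); keep the PC on until it completes."
}
if ("$($vol.ProtectionStatus)" -ne 'On') {
    $findings += 'Protection status is not On; the drive is not yet protected at rest.'
}
if (-not $hasRecovery) {
    $findings += 'No RecoveryPassword protector found; there is no recovery key to back up.'
}

if ($findings.Count -eq 0) {
    'OK: OS drive is fully encrypted, protection is on, and a recovery password exists. Back it up now.'
} else {
    $findings | ForEach-Object { "CHECK: $_" }
}
```

The same check can be rerun after turning device encryption off; a fully decrypted drive then reports a VolumeStatus of FullyDecrypted and a ProtectionStatus of Off.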
How to Turn Off Device Encryption in Windows 11
Disabling device encryption will remove the encryption from your OS drive, allowing anyone with access to your device to read the data stored on it.
- Disable Device encryption
Open the Settings app by pressing Win+I on your keyboard. Click on Privacy & security on the left side, then disable Device encryption on the right side.
Note: The Device encryption setting will not be available if you are not signed in as an administrator or if your PC doesn't support device encryption.
- Wait for Decryption to Complete
You will see “Decryption is in progress” until the process is finished. This may take a while, so do not turn off your PC until decryption is completed.
- Close Settings
Once decryption is finished, you can close the Settings app.
Related: How to Enable or Disable File Encryption in Windows (NTFS EFS)
You may find that the “Encrypt contents to secure data” option is grayed out on your PC. In our other guide, we show you how to enable or disable Windows File Encryption via NTFS EFS (Encrypting File System) on the filesystem level for all users.
Related: How to Encrypt a Folder or File with Encrypting File System (EFS)
The Encrypting File System (EFS) is a Windows file encryption feature of the NTFS filesystem that you can utilize to encrypt a folder or file. It allows a user to make use of advanced yet standardized encryption algorithms to ensure others can't access their data without a decryption key. In our other guide, we show you how to encrypt a folder in Windows via its Encrypting File System.
Related: How to Password Protect a Folder
Protecting your sensitive data in Windows 11 and Windows 10 is crucial, especially if you're sharing your PC with others or simply want to keep certain information confidential. While Windows 11 and Windows 10 don't come with a dedicated feature for password-protecting individual folders, there are effective ways to secure your data. In our other guide, we show you how to password-protect a folder in Windows using different methods with built-in and third-party tools.
Related: How to Use OneDrive Personal Vault to Password-Protect Your Files
OneDrive Personal Vault adds an additional layer of security to your most important files. When users save a document or photo to their OneDrive vault, they can only access it via an additional method of authentication. In our other guide, we show you how to set up a OneDrive Personal Vault on Windows 11 or Windows 10.
FAQ – Frequently Asked Questions About Device Encryption in Windows 11
What should I do if device encryption is not available on my PC?
If device encryption is not available on your PC, first ensure you are logged in as an administrator and that your PC meets the hardware requirements such as Modern Standby support. If your device does not support device encryption, you can still use BitLocker if you are using Windows 11 Pro, Enterprise, or Education editions. Access BitLocker settings via Control Panel under “System and Security.”
Can I use device encryption on Windows 11 Home edition?
Yes, device encryption is available for Windows 11 Home edition but requires that your device supports Modern Standby and that you are logged in with a Microsoft account. This feature is automatically enabled if these conditions are met. Check your device's encryption status in the “About” section under Settings > System.
How can I check if my device supports device encryption?
To check if your device supports device encryption, navigate to Settings > System > About and look for “Device encryption support” listed under Windows specifications. If it states that your device meets the criteria for device encryption, you can enable this feature through the Settings app.
Can I switch from device encryption to BitLocker encryption?
Yes, switching from device encryption to BitLocker encryption is possible and recommended for advanced security options. This switch is available in the Windows 11 Pro, Enterprise, or Education editions. You can manage this process through the BitLocker settings in the Control Panel, where you can choose different encryption methods and manage other advanced settings.
Can device encryption be managed through Group Policy or PowerShell?
Device encryption primarily targets consumer devices and does not offer direct Group Policy management; however, BitLocker, which is a more advanced encryption solution available on higher Windows editions, can be managed through Group Policy and PowerShell scripts. Administrators can use these tools to enforce encryption policies across multiple devices in an organization.
What is the difference between device encryption and BitLocker?
Device encryption is a streamlined, less configurable version of BitLocker designed primarily for consumer-level devices. It automatically encrypts the system drive with limited user interaction. In contrast, BitLocker offers comprehensive encryption solutions that include both system and removable drives, provides multiple authentication mechanisms, and supports management through Group Policy.
Does closing the Settings app interrupt the encryption or decryption processes?
Closing the Settings app does not interrupt the encryption or decryption processes. These processes are handled by the system and continue to run in the background until completed. You can safely close the Settings app and use your PC while these operations are ongoing.
What happens to the data when device encryption is turned off?
Disabling device encryption will initiate a decryption process, which reverses the encryption and makes the data stored on your drive accessible to anyone with access to your PC. This process can take some time, depending on your system's performance and the amount of data being decrypted.
Is encryption still active after upgrading from Windows 10 to Windows 11?
Yes, if you had encryption enabled in Windows 10, it remains active after upgrading to Windows 11. Windows maintains the encryption settings to ensure data protection continuity across system upgrades.
How do I find my BitLocker recovery key?
Your BitLocker recovery key may be stored in several places based on your choice during encryption setup: saved to your Microsoft account, printed out, or stored on a USB flash drive. You can retrieve it from your Microsoft account online by visiting the Microsoft website and navigating to the device management section.
Can I enable device encryption without a Microsoft account?
While device encryption typically requires a Microsoft account, you can enable standard BitLocker drive encryption without one if your edition of Windows supports it (Pro, Enterprise, or Education). This option provides similar protective features using a local account.
How long does it typically take to encrypt a drive with device encryption?
The duration of the encryption process depends largely on the size of the drive and the specifications of your computer. On average, it may take a few hours to encrypt a typical internal hard drive. You can use your computer during this time, but you might experience slower performance.
What cipher strength is used by default for device encryption in Windows 11?
Windows 11 uses the XTS-AES 128-bit encryption method by default for device encryption. This offers a balance between robust security and performance, suitable for general consumer use.
Should I back up my data before enabling device encryption?
It is highly recommended to back up your data before initiating encryption. While the encryption process itself does not typically result in data loss, backing up your data ensures that you have a recovery option in the event of an unexpected issue during the encryption process.
How do I manually enable device encryption in Windows 11?
To manually enable device encryption, navigate to Settings > Privacy & security > Device encryption. If your device meets the hardware requirements and you're signed in as an administrator, you can toggle the option to On. If the toggle is missing or disabled, check that you meet all requirements or consider enabling BitLocker if your Windows edition permits.