
How to Turn On or Off Device Encryption in Windows 11


Device encryption in Windows 11 automatically enables BitLocker encryption. This feature helps protect computer data in case the device gets lost or stolen.

Device encryption is turned on automatically once you sign in or set up the device with a Microsoft, school, or work account. It is not enabled automatically if you use a local account, so in that case you have to turn it on or off manually.

How to turn device encryption on or off in Windows 11

Before enabling or disabling Windows 11’s device encryption, here are some requirements:

  • Trusted Platform Module (TPM) 2.0
  • Unified Extensible Firmware Interface (UEFI) firmware with Secure Boot enabled
  • Modern Standby support on certain device classes (optional)
  • A Microsoft account (for key backup and automatic activation)
  • Administrative rights to disable or reconfigure settings

Turn device encryption on or off via settings

This method is the easiest way to enable or disable device encryption, as you only need to navigate your device’s Settings app. If the setting is not available, your device may not support device encryption or may already be using BitLocker.

Turning device encryption on:

  1. Open Settings (press Win + I).
  2. Click on the Privacy & Security tab on the left.
  3. Press Device Encryption on the right.
  4. Turn Device Encryption on.
  5. It should say, “Encryption is in progress.”
  6. Look for your BitLocker recovery key and back it up for device encryption. You’ll need it to access your Windows drive.

Turning device encryption off:

  1. Open Settings (press Win + I).
  2. Click on the Privacy & Security tab on the left.
  3. Press Device encryption on the right.
  4. Turn Device encryption off.
  5. Click “Turn off” to confirm.
  6. It should say, “Decryption is in progress. You can continue using your device.”

Ways to check device encryption support status

The easiest ways to check if your computer supports device encryption are to inspect the Microsoft System Information or use a PowerShell script.

Method 1: Check using Microsoft System Information

You can check if device encryption is supported on your device by following the steps below:

  1. Press Win + R, type msinfo32, then press Enter.
  2. Look for “Device Encryption Support” in the System Summary window.
  3. “Meets prerequisites” means you can use the feature.

Method 2: Check device encryption status using PowerShell

Run the command below in an elevated PowerShell session to list the encryptable volumes and whether encryption is enabled on each:

Get-CimInstance -Namespace root\cimv2\security\microsoftvolumeencryption -ClassName Win32_EncryptableVolume

Where:

  • ProtectionStatus 1 = Encrypted
  • ProtectionStatus 0 = Not encrypted

If you only want to show a specific drive, use this script:

Get-CimInstance -Namespace root\cimv2\security\microsoftvolumeencryption -ClassName Win32_EncryptableVolume |
    Where-Object { $_.DriveLetter -eq "H:" } |
    Select-Object DriveLetter, ProtectionStatus, VolumeType

Note that H: is used as an example here. Change accordingly to check the drive you need.
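The two commands above print raw numeric codes. The script below is an added example (not part of the original post or a NinjaOne script) that wraps the same Win32_EncryptableVolume query in a function, maps ProtectionStatus, VolumeType and ConversionStatus to readable labels, and exits non-zero when the operating-system volume is not protected, which is the shape a monitoring check in an RMM tool usually takes. The label tables are assumptions based on the class documentation; the 0/1 meanings for ProtectionStatus match the list above. Run it from an elevated PowerShell session, since the volume-encryption WMI namespace requires administrator rights.

```powershell
# Added example: report device encryption / BitLocker state for every volume.
# Requires an elevated PowerShell session.

function Get-DeviceEncryptionReport {
    # Assumed label tables for the numeric codes exposed by Win32_EncryptableVolume.
    $protectionLabels = @{ 0 = 'Not encrypted'; 1 = 'Encrypted'; 2 = 'Unknown' }
    $volumeTypeLabels = @{ 0 = 'OS volume'; 1 = 'Fixed data volume'; 2 = 'Removable data volume' }
    $conversionLabels = @{
        0 = 'Fully decrypted'
        1 = 'Fully encrypted'
        2 = 'Encryption in progress'
        3 = 'Decryption in progress'
        4 = 'Encryption paused'
        5 = 'Decryption paused'
    }

    Get-CimInstance -Namespace root\cimv2\security\microsoftvolumeencryption `
                    -ClassName Win32_EncryptableVolume |
        ForEach-Object {
            # Volumes without a drive letter (e.g. recovery partitions) are shown by DeviceID.
            $name = if ($_.DriveLetter) { $_.DriveLetter } else { $_.DeviceID }

            [pscustomobject]@{
                Drive      = $name
                Protection = $protectionLabels[[int]$_.ProtectionStatus]
                VolumeType = $volumeTypeLabels[[int]$_.VolumeType]
                Conversion = $conversionLabels[[int]$_.ConversionStatus]
            }
        }
}

$report = Get-DeviceEncryptionReport
$report | Format-Table -AutoSize

# Treat an unprotected OS volume as a failed check so a monitoring tool can alert on it.
$osVolume = $report | Where-Object { $_.VolumeType -eq 'OS volume' }
if ($osVolume -and $osVolume.Protection -ne 'Encrypted') {
    Write-Warning "OS volume $($osVolume.Drive) is not protected: $($osVolume.Conversion)"
    exit 1
}
exit 0
```

The Conversion column distinguishes "Encryption in progress" from "Encrypted", which matters right after turning the feature on: ProtectionStatus can already read 1 while the disk is still being converted.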

Why isn’t device encryption available on my device?

There are a handful of possible reasons device encryption isn’t available on your device, such as disabled or unconfigured features. You can pinpoint the reason by following the steps below:

  1. Open Start and type System Information. Right-click System Information, then select Run as administrator.
  2. Look for the value of Automatic Device Encryption Support or Device Encryption Support in the System Summary item list. The value tells you the support status of device encryption:
    • Meets prerequisites: Device encryption is available.
    • TPM is not usable: The TPM is disabled in the BIOS/UEFI, or your device doesn’t have one.
    • WinRE is not configured: Your device doesn’t have the Windows Recovery Environment configured.
    • PCR7 binding is not supported: Either Secure Boot is disabled in the BIOS/UEFI, or you have peripherals connected to your device during boot, such as specialized network interfaces, docking stations, or an external graphics card.
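The msinfo32 messages above map onto three prerequisites that can also be checked from the command line, which is useful when you are triaging many machines rather than opening System Information on each. The script below is an added example (not part of the original post or a NinjaOne script) covering the requirements listed at the top of the article and the three failure messages above: TPM presence, version and readiness via Get-Tpm and the Win32_Tpm class, Secure Boot via Confirm-SecureBootUEFI, and WinRE via reagentc.exe. It assumes an elevated session and English reagentc output; PCR7 binding itself is not directly exposed, so Secure Boot state is used as the proxy the message describes.

```powershell
# Added example: check the prerequisites behind the msinfo32 messages.
# Requires an elevated PowerShell session.

function Test-DeviceEncryptionPrerequisites {
    $checks = @()

    # "TPM is not usable": TPM must be present, ready, and version 2.0.
    $tpmPass = $false
    $tpmDetail = 'No TPM reported'
    try {
        $tpm = Get-Tpm
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec version.
        $spec = (Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm).SpecVersion
        $tpmPass = $tpm.TpmPresent -and $tpm.TpmReady -and ($spec -like '2.0*')
        $tpmDetail = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady) Spec=$spec"
    } catch {
        $tpmDetail = "Get-Tpm failed: $($_.Exception.Message)"
    }
    $checks += [pscustomobject]@{ Check = 'TPM 2.0 usable'; Pass = $tpmPass; Detail = $tpmDetail }

    # "PCR7 binding is not supported": Secure Boot must be on. Confirm-SecureBootUEFI
    # throws on legacy BIOS machines, which also rules out device encryption.
    $sbPass = $false
    $sbDetail = 'UEFI Secure Boot enabled'
    try {
        $sbPass = [bool](Confirm-SecureBootUEFI)
        if (-not $sbPass) { $sbDetail = 'Secure Boot disabled in UEFI' }
    } catch {
        $sbDetail = "Not a UEFI system or query failed: $($_.Exception.Message)"
    }
    $checks += [pscustomobject]@{ Check = 'Secure Boot (PCR7)'; Pass = $sbPass; Detail = $sbDetail }

    # "WinRE is not configured": reagentc /info prints "Windows RE status: Enabled".
    # Assumption: English output.
    $reInfo = (& reagentc.exe /info 2>&1) | Out-String
    $rePass = $reInfo -match 'Windows RE status:\s+Enabled'
    $checks += [pscustomobject]@{ Check = 'WinRE configured'; Pass = $rePass; Detail = ($reInfo -split "`r?`n" | Where-Object { $_ -match 'Windows RE status' }) -join ' ' }

    return $checks
}

$results = Test-DeviceEncryptionPrerequisites
$results | Format-Table -AutoSize

# Mirror msinfo32's verdict: all three must pass for "Meets prerequisites".
if ($results.Pass -contains $false) {
    Write-Warning 'Device encryption prerequisites not met; see failed checks above.'
    exit 1
}
Write-Output 'Meets prerequisites'
exit 0
```

A machine that passes all three checks but still shows "PCR7 binding is not supported" in msinfo32 is the case the list above attributes to peripherals present at boot; retest with docks and external cards disconnected before concluding the firmware is at fault.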

How is Device Encryption different from BitLocker?

The difference between device encryption and BitLocker is that the former is enabled automatically to protect the device. It also requires an active TPM and a Microsoft account. Essentially, device encryption is consumer BitLocker using Microsoft accounts.

Meanwhile, BitLocker is more robust and customizable. It allows you to encrypt specific drives, configure encryption options, and flexibly manage recovery keys.

Other things to keep in mind regarding device encryption

While device encryption is a valuable feature, it has certain limitations, such as the following:

  • Device encryption is not manually scriptable like BitLocker, as it’s intended to be automatic.
  • You can’t forcibly disable the feature using PowerShell unless BitLocker is activated.
  • If device encryption is enabled, recovery keys are automatically backed up to a Microsoft account.
  • Devices joined to a local Active Directory domain will typically not use device encryption but may use BitLocker with GPOs.
  • If you’re deploying new hardware, ensure BIOS/UEFI settings for TPM, Secure Boot, and Modern Standby are enabled so device encryption can be available post-deployment.

Enable Windows 11’s device encryption to protect your data

Device encryption is a feature that helps users protect their computer’s data in case the device gets lost. The feature is available once you sign in, but specific scenarios require you to manually enable or disable device encryption.

To do so, check the feature’s support status, navigate your device’s settings, and click the Privacy & Security tab. You should spot the button that enables/disables device encryption from there.
