Key Points
- Device encryption in Windows 11 automatically enables BitLocker-based protection to secure data when compatible hardware and account requirements are met.
- Device encryption turns on automatically when you sign in with a Microsoft, work, or school account on a device with TPM 2.0 and Secure Boot enabled.
- Enable or disable device encryption through Settings > Privacy & Security > Device encryption, and always back up your BitLocker recovery key before making changes.
- Verify encryption support using System Information (msinfo32) or PowerShell to check ProtectionStatus for specific drives.
- Understand that device encryption is a simplified, automatic version of BitLocker, while full BitLocker in Pro and Enterprise editions offers advanced management and configuration options.
Device encryption in Windows 11 automatically enables BitLocker encryption. This feature helps protect business data in case the device gets lost or stolen.
Device encryption turns on automatically when you set up Windows 11 on a device with TPM 2.0 and Secure Boot. You must sign in with a Microsoft, school, or work account.
If you use a local account, encryption does not turn on automatically. You must enable BitLocker manually in Settings.
For a visual guide, watch How to Turn On or Off Device Encryption in Windows 11.
How to turn device encryption on or off in Windows 11
Before enabling or disabling Windows 11’s device encryption, here are some requirements:
- Trusted Platform Module (TPM) 2.0
- Unified Extensible Firmware Interface (UEFI) firmware with Secure Boot enabled
- Modern Standby support on certain device classes (optional)
- A Microsoft account (for key backup and automatic activation)
- Administrative rights to disable or reconfigure settings
Turn device encryption on or off via settings
This method is the easiest way to enable or disable device encryption, as you only need to navigate the Windows Settings app. If this setting is not available, your device may not meet the hardware requirements, or the drive may already be managed by full BitLocker.
Turning device encryption on:
- Open Settings (press Win + I).
- Click on the Privacy & Security tab on the left.
- Press Device Encryption on the right.
- Turn Device Encryption on.
- It should say, “Encryption is in progress.”
- Look for your BitLocker recovery key and back it up for device encryption. You’ll need it to access your Windows drive.
Turning device encryption off:
- Open Settings (press Win + I).
- Click on the Privacy & Security tab on the left.
- Press Device encryption on the right.
- Turn Device encryption off.
- Click “Turn off” to confirm.
- It should say, “Decryption is in progress. You can continue using your device.”
Ways to check device encryption support status
The easiest ways to check if your computer supports device encryption are to inspect the Microsoft System Information or use a PowerShell script.
Method 1: Check using Microsoft System Information
You can check if device encryption is supported on your device by following the steps below:
- Press Win + R, type msinfo32, then press Enter.
- Look for “Device Encryption Support” in the System Summary window.
- “Meets prerequisites” means you can use the feature.
Method 2: Check device encryption status using PowerShell
Using the code below, you can use PowerShell to check if encryption is enabled:
Get-CimInstance -Namespace root\cimv2\security\microsoftvolumeencryption -ClassName Win32_EncryptableVolume | Select-Object DriveLetter, ProtectionStatus, VolumeType
Where:
- ProtectionStatus 1 = Encrypted
- ProtectionStatus 0 = Not encrypted
If you only want to show a specific drive, use this script:
Get-CimInstance -Namespace root\cimv2\security\microsoftvolumeencryption -ClassName Win32_EncryptableVolume | Where-Object { $_.DriveLetter -eq "H:" } | Select-Object DriveLetter, ProtectionStatus, VolumeType
Note that H: is used as an example here. Change accordingly to check the drive you need.
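The following script builds on the Win32_EncryptableVolume query above; it is an added example, not code from the original article. It calls the class's GetConversionStatus method so that a volume with ProtectionStatus 0 can be told apart as "fully decrypted" versus "encrypted but BitLocker suspended" (the page's mapping 0 = not encrypted does not cover the suspended case), and the function name and output columns are my own.

```powershell
# Added example (not from the original article): report the encryption state of
# every BitLocker-capable volume. Run in an elevated PowerShell; the
# Win32_EncryptableVolume class is only readable with administrator rights.

$protection = @{ 0 = 'Protection off'; 1 = 'Protection on'; 2 = 'Unknown' }
$conversion = @{
    0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress'
    3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused'
}

function Get-VolumeEncryptionReport {
    param([string]$DriveLetter)   # optional, e.g. 'C:'; omit to report all volumes

    $volumes = Get-CimInstance -Namespace root\cimv2\security\microsoftvolumeencryption `
                               -ClassName Win32_EncryptableVolume
    if ($DriveLetter) {
        $volumes = $volumes | Where-Object { $_.DriveLetter -eq $DriveLetter }
    }

    foreach ($vol in $volumes) {
        # GetConversionStatus returns ConversionStatus and EncryptionPercentage
        $status = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus

        # ProtectionStatus 0 on a volume that is not fully decrypted means BitLocker
        # is suspended: the data is encrypted but the key is exposed in the clear.
        # Treat that as a finding rather than as "not encrypted".
        $suspended = ($vol.ProtectionStatus -eq 0) -and ($status.ConversionStatus -ne 0)

        [pscustomobject]@{
            Drive            = $vol.DriveLetter
            VolumeType       = $vol.VolumeType   # 0 = OS volume, 1 = fixed data, 2 = removable
            Protection       = $protection[[int]$vol.ProtectionStatus]
            State            = $conversion[[int]$status.ConversionStatus]
            PercentEncrypted = $status.EncryptionPercentage
            Suspended        = $suspended
        }
    }
}

# Report all volumes; pass -DriveLetter 'C:' to limit output to one drive
Get-VolumeEncryptionReport | Format-Table -AutoSize
```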
Why isn’t device encryption available on my device?
There are a handful of possible reasons device encryption isn’t available on your device, such as disabled or unconfigured features. You can pinpoint the reason by following the steps below:
- Open Start and type System Information. Right-click System Information, then select Run as administrator.
- Look for the value of Automatic Device Encryption Support or Device Encryption Support in the Item list of the System Summary pane. The value tells you the support status of device encryption:
- Meets prerequisites: Device encryption is available.
- TPM is not usable: The TPM is disabled in the BIOS or UEFI, or your device doesn’t have it.
- WinRE is not configured: Your device doesn’t have Windows Recovery Environment configured.
- PCR7 binding is not supported: Either Secure Boot is disabled in the BIOS/UEFI, or you have peripherals connected to your device during boot, such as specialized network interfaces, docking stations, or an external graphics card.
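To collect the same prerequisite findings from PowerShell (useful when you need the reason from many machines rather than opening msinfo32 on each), here is an added example that is not part of the original article. It assumes the TrustedPlatformModule and SecureBoot modules that ship with Windows, the reagentc tool, and the PreventDeviceEncryption opt-out value under the BitLocker control key; the function name is my own, and the "PCR7 binding" condition caused by attached peripherals can only be read from msinfo32, so the result is labelled as likely rather than definitive.

```powershell
# Added example (not from the original article): approximate the msinfo32
# "Device Encryption Support" reasons from PowerShell. Run elevated;
# Confirm-SecureBootUEFI and reagentc require administrator rights.

function Test-DeviceEncryptionPrereqs {
    $result = [ordered]@{}

    # "TPM is not usable": TPM must be present, ready, and spec version 2.0
    $tpm        = Get-Tpm -ErrorAction SilentlyContinue
    $tpmVersion = (Get-CimInstance -Namespace root\cimv2\security\microsofttpm `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady
    $result.Tpm20      = ($tpmVersion -like '2.0*')   # SpecVersion reads e.g. "2.0, 0, 1.16"

    # "PCR7 binding is not supported": Secure Boot off, or legacy BIOS (cmdlet throws)
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = $false }

    # "WinRE is not configured": parse reagentc output (English status line assumed)
    $reInfo = reagentc /info 2>$null
    $result.WinRE = [bool]($reInfo | Select-String 'Windows RE status:\s+Enabled')

    # OEM/IT opt-out that blocks automatic device encryption when set to 1
    # (assumption: value absent on machines where it was never configured)
    $bl = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker -ErrorAction SilentlyContinue
    $result.PreventDeviceEncryption = ($bl.PreventDeviceEncryption -eq 1)

    # Peripheral-related PCR7 failures are not detectable here; confirm in msinfo32
    $result.LikelyMeetsPrerequisites = $result.TpmPresent -and $result.TpmReady -and
        $result.Tpm20 -and $result.SecureBoot -and $result.WinRE -and
        -not $result.PreventDeviceEncryption

    [pscustomobject]$result
}

Test-DeviceEncryptionPrereqs
```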
How is Device Encryption different from BitLocker?
Device encryption activates automatically to protect the device. It requires an active TPM and a Microsoft account. It functions as a simplified version of BitLocker for consumer use.
BitLocker provides advanced features and configuration options. It is available in Windows 11 Pro and Enterprise editions. It supports encryption of multiple drives and centralized recovery key management. It allows you to encrypt specific drives and configure encryption settings. It also offers greater control over recovery key storage and access.
Other things to keep in mind regarding device encryption
While device encryption is a valuable feature, it has certain limitations, such as the following:
- Device encryption is not manually scriptable like BitLocker, as it’s intended to be automatic.
- You can’t forcibly disable the feature using PowerShell unless BitLocker is activated.
- If device encryption is enabled, recovery keys are automatically backed up to a Microsoft account.
- Devices joined to a local Active Directory domain will typically not use device encryption but may use BitLocker with GPOs.
- If you’re deploying new hardware, ensure BIOS/UEFI settings for TPM, Secure Boot, and Modern Standby are enabled so device encryption can be available post-deployment.
Enable Windows 11’s device encryption to protect your data
Device encryption protects your data if your computer is lost or stolen. It becomes available after you sign in. In some cases, you must turn it on or off yourself.
To manage it, open Settings. Go to Privacy & Security. Select Device encryption and use the toggle to turn it on or off.
