Full-disk encryption protects data on a lost, stolen, or decommissioned Windows device by making the internal drive unreadable without the correct keys. Windows Device encryption provides this protection with minimal configuration, keeping files, installed applications, and system data encrypted at rest.
Device encryption is built on BitLocker technology and uses the Trusted Platform Module (TPM) to seal the disk key to the device hardware. When Secure Boot validates the boot chain, the TPM releases the key and Windows decrypts data as it is accessed, while the raw disk stays protected when offline.
Availability depends on hardware and firmware features (commonly TPM 2.0 and Secure Boot), and a recovery key is created during enablement so the drive can still be unlocked after firmware changes, account changes, or repeated failed sign-ins. Personal devices typically store the recovery key in a Microsoft account, while managed devices may escrow the key through an organization account.
In the System Information tool (msinfo32), the Device Encryption Support field should read: Meets prerequisites
If the field instead lists Reasons for failed automatic device encryption, enable the required firmware features (such as TPM and Secure Boot) or use a different encryption method.
If the Settings page shows a local account, device encryption may require switching to a Microsoft account so that the recovery key can be stored there.
On Windows 10, the equivalent path is Update & Security → Device encryption.
If the Device encryption setting is missing, the device may not support it, or the feature may be exposed under BitLocker instead.
Keep the device connected to AC power during initial encryption to avoid interruption.
Losing the recovery key can make data on the encrypted drive permanently unrecoverable.
Recovery keys stored in a Microsoft account can be viewed at https://account.microsoft.com/devices/recoverykey
Anyone with the recovery key can unlock the drive.
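The checks above (TPM, Secure Boot, encryption state, and the presence of a backed-up recovery key) can be audited from an elevated PowerShell session. This is an added example, not part of the original article; it assumes the TrustedPlatformModule and BitLocker modules that ship with Windows, and the function name Get-DeviceEncryptionReport is the author's own.

```powershell
# Added example: audit device-encryption prerequisites and state on the OS drive.
# Run as administrator; Get-BitLockerVolume and Get-Tpm require elevation.
#Requires -RunAsAdministrator

function Get-DeviceEncryptionReport {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # 1. TPM: present, ready, and ideally spec version 2.0
    $tpm     = Get-Tpm
    $tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    # SpecVersion looks like "2.0, 0, 1.59"; the first token is the major spec version
    $specVersion = if ($tpmInfo) { ($tpmInfo.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

    # 2. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as "off"
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    # 3. Volume state and key protectors for the OS drive
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recoveryProtectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]@{
        MountPoint            = $MountPoint
        TpmPresent            = $tpm.TpmPresent
        TpmReady              = $tpm.TpmReady
        TpmSpecVersion        = $specVersion
        SecureBootEnabled     = $secureBoot
        VolumeStatus          = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus      = $vol.ProtectionStatus   # On means the protectors are active
        EncryptionPercentage  = $vol.EncryptionPercentage
        RecoveryPasswordCount = $recoveryProtectors.Count
        # Protector IDs are enough to escrow or verify a key; the password itself is deliberately not printed
        RecoveryProtectorIds  = ($recoveryProtectors.KeyProtectorId -join ';')
    }
}

$report = Get-DeviceEncryptionReport
$report | Format-List

# Flag the conditions the article calls out
if (-not $report.TpmPresent -or -not $report.TpmReady) { Write-Warning 'TPM missing or not ready: the disk key cannot be sealed to hardware.' }
if (-not $report.SecureBootEnabled)                    { Write-Warning 'Secure Boot is off: enable it in firmware before relying on device encryption.' }
if ($report.ProtectionStatus -ne 'On')                  { Write-Warning "Protection is $($report.ProtectionStatus) on $($report.MountPoint): data at rest is not protected." }
if ($report.RecoveryPasswordCount -eq 0)                { Write-Warning 'No recovery password protector: add and back one up before a firmware or account change locks you out.' }
```

On a device joined to an organization account, a reported protector ID can be escrowed with BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>.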