Full-disk encryption protects data on a lost, stolen, or decommissioned Windows device by making the internal drive unreadable without the correct keys. Windows Device encryption provides this protection with minimal configuration, keeping files, installed applications, and system data encrypted at rest.
Device encryption is built on BitLocker and uses the Trusted Platform Module (TPM) to seal the volume encryption key to the device's measured boot state. At startup the TPM releases the key only if the measured boot chain (firmware, boot manager, boot configuration) matches what was recorded when encryption was enabled, with Secure Boot ensuring that only signed boot components run. Windows then decrypts data transparently as it is accessed, while the drive read offline, or moved to another machine, stays unreadable.
Availability depends on hardware and firmware features (typically TPM 2.0 and UEFI with Secure Boot). A recovery key is created during enablement for cases where the TPM will not release the key automatically: firmware or boot-configuration changes, moving the drive to another computer, a TPM lockout after repeated incorrect unlock attempts, or, where policy configures it, repeated failed sign-ins. Personal devices typically store the recovery key in a Microsoft account, while managed devices escrow it through an organization account.
Steps to enable device encryption in Windows:
- Open Start search and enter System Information.

- Open System Information from the search results.

- Confirm the Device Encryption Support field shows Meets prerequisites.
Device Encryption Support: Meets prerequisites
If the field instead lists Reasons for failed automatic device encryption, address each listed reason (typically enabling TPM, UEFI boot, or Secure Boot in firmware) or fall back to standard BitLocker Drive Encryption, which is available on Pro, Enterprise, and Education editions without the Device encryption hardware requirements.
- Open Settings.

- Confirm the sign-in shows a Microsoft account under Accounts → Your info.
If the page shows a Local account, device encryption may require switching to a Microsoft account so the recovery key can be stored.
- Open Privacy & security.
On Windows 10, the equivalent path is Update & Security → Device encryption.
- Open Device encryption.
If Device encryption is missing, the device may not support it or the feature may be exposed under BitLocker instead.
- Select Turn on under Device encryption.
Keep the device connected to AC power during initial encryption to avoid interruption.
Losing the recovery key can make data on the encrypted drive permanently unrecoverable.
- Restart Windows if prompted.

- Confirm the recovery key is listed in the Microsoft account portal.
https://account.microsoft.com/devices/recoverykey
The portal lists each key by its Key ID together with the device name and drive; the ID should match the recovery password protector on the local drive. Anyone with the recovery key can unlock the drive, so treat it like a password and do not store it on the encrypted device itself.
- Verify the Device encryption status shows On.
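The following PowerShell script is an added example, not part of the original article, that checks the prerequisites and the end state of the procedure above from an elevated prompt: TPM readiness, Secure Boot, the encryption and protection status of the OS volume, and the presence of both a TPM protector and a recovery password protector. It uses only the built-in TrustedPlatformModule, SecureBoot, and BitLocker cmdlets; the `BackupToAAD-BitLockerKeyProtector` line in the comment is the escrow step for an organization-joined (Microsoft Entra ID) device and is assumed not to apply to a personal device.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): verify Device encryption on the OS volume.
# Assumes Windows 10/11 with the built-in TrustedPlatformModule, SecureBoot and BitLocker modules.

$os = $env:SystemDrive   # usually C:

# 1. TPM present and ready. Device encryption needs it to seal the volume key to the hardware.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning ("TPM not present or not ready: " +
        ($tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated | Out-String))
}

# 2. Secure Boot enabled. Confirm-SecureBootUEFI throws when the machine booted in legacy BIOS/CSM mode.
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning "Secure Boot is disabled in firmware" }
} catch {
    Write-Warning "Not booted in UEFI mode, so Secure Boot cannot be checked: $_"
}

# 3. State of the OS volume.
$vol = Get-BitLockerVolume -MountPoint $os
[pscustomobject]@{
    Volume           = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted once the initial pass finishes
    ProtectionStatus = $vol.ProtectionStatus    # On means the volume key is actually protected
    EncryptionMethod = $vol.EncryptionMethod    # e.g. XtsAes128 on current Windows builds
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
}

# 4. A TPM protector (hardware-sealed unlock) and a RecoveryPassword protector (the escrowed key)
#    should both be present; EncryptionInProgress with ProtectionStatus Off is the normal state
#    right after Turn on and should clear once encryption completes.
$tpmProt = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
$recProt = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $tpmProt) { Write-Warning "No TPM key protector: the drive is not sealed to this hardware" }
if (-not $recProt) {
    Write-Warning "No recovery password protector: there is nothing to escrow to the Microsoft account"
} else {
    # Print only the protector ID. The account portal lists keys by this ID, so compare IDs
    # instead of echoing the 48-digit recovery password into a console or transcript log.
    "Recovery key ID(s) to compare with the portal: " + ($recProt.KeyProtectorId -join ', ')
    # On a Microsoft Entra ID-joined device the escrow step would be:
    #   BackupToAAD-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $recProt[0].KeyProtectorId
}

if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On' -and $tpmProt -and $recProt) {
    "Device encryption is fully in effect on $os"
} else {
    Write-Warning "Device encryption is not fully in effect on $os yet; see the warnings above"
}
```

Run it in an elevated PowerShell session after the restart in the steps above. A volume that reports FullyEncrypted but ProtectionStatus Off is still readable without the TPM (protectors are suspended), which is the state to look for after firmware updates or a `Suspend-BitLocker` that was never resumed.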

Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
