How to encrypt a disk in Windows using device encryption

Protecting data from unauthorized access is critical in Windows environments. Device encryption secures the entire disk, including files, system data, and applications. This prevents access to sensitive information if the device is stolen or compromised.

Trusted Platform Module (TPM) and Secure Boot provide hardware-level protection to enforce reliable encryption. TPM safeguards cryptographic keys, while Secure Boot ensures only trusted software can load during startup. These mechanisms block tampering attempts and help protect the encryption key from unauthorized use.

Full disk encryption operates silently in the background. The system generates a unique recovery key that must be stored securely for emergencies. Ensuring the device supports TPM and Secure Boot, along with backing up the recovery key, is essential for a dependable encryption setup.

1. Verify that your device meets encryption requirements by checking Device Encryption Support in System Information.
2. Sign in to your Windows device using a Microsoft account.
3. Open Settings from the Start menu.
4. Navigate to Update & Security.
5. Select Device encryption from the left-side menu.

   If the Device encryption option is not visible, your device may lack necessary hardware support, such as TPM 2.0 or Secure Boot.

6. Click Turn on if the option is available.
7. Wait for the system to generate a recovery key.

   Store the recovery key securely by backing it up to your Microsoft account, a USB drive, or a file.

8. Back up the recovery key by choosing one of the available options.
9. Allow encryption to run automatically in the background.
10. Verify encryption status by checking the Device encryption settings.

    Device Encryption Support: Meets prerequisites

    Look for the Device Encryption Support field to confirm that your device meets the prerequisites.