Article: What is device encryption, and should I use it?

LightJack 05 0 Reputation points Volunteer Moderator
2025-07-05T22:24:05.63+00:00

Technical Difficulty: Advanced

What is device encryption?

Device encryption is a feature that exists in Windows 10 & 11. It is available on PCs that are connected to the internet and signed into a Microsoft Account. Your device needs to have a TPM and Secure Boot enabled.

Device encryption is available in Windows 10 & 11 Home, while BitLocker isn't available in the Home edition.

The documentation from Microsoft can be found here: Device encryption in Windows (microsoft.com)

Device encryption is intended to protect your data in case your device gets stolen. It verifies that the security of the device is intact, and only lets you access your files when the device is turned on and logged in to an account.

If you try to access the files from another operating system, device encryption will not unlock the drive.

Additionally, if you change specific options in the system's UEFI, such as Secure Boot or TPM options, device encryption will lock down the system and require you to enter your BitLocker recovery key in order to access your files.

Advantages of device encryption

The obvious advantage is that someone who steals your device still can't access your personal files, as they need your account password to access them.

Additionally, device encryption is more streamlined and faster than other full-disk-encryption methods since it doesn't require any user interaction on bootup.

Disadvantages of device encryption

There are also several disadvantages to device encryption. Firstly, the drive is unlocked automatically when you boot the device, so its contents are accessible while the logon screen is shown. This generally isn't a problem; however, with specialized equipment it is possible to get around the encryption by extracting the decryption key from the system's RAM during boot. If you have critical data to protect, you should use BitLocker with additional verification on startup as described here.

If you lose your BitLocker recovery key, you will not be able to access your files in case device encryption locks the drive. You can find your recovery keys like this: Finding your BitLocker recovery key in Windows (microsoft.com)

Enabling and disabling device encryption

To enable or disable device encryption in Windows 10, go to Settings > Update & Security > Device Encryption.

To enable or disable device encryption in Windows 11, go to Settings > Privacy & Security > Device Encryption.

If the option isn't visible, this means your device doesn't support the feature.

NOTE: If you sign into your Microsoft account during first-time setup, and your device supports device encryption, it will automatically get enabled. The recovery key will get stored in your Microsoft account. If you find the feature enabled, I would highly suggest you check if the key is stored in your Microsoft account.

If it's not, disabling and then re-enabling device encryption should store it in your account.
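As an added example (not part of the original article or of Microsoft's documentation), the following PowerShell script reports, per volume, whether protection is on, how far encryption has progressed, and which key protectors exist, so you can confirm a recovery password protector is present before touching UEFI settings. It uses the Win32_EncryptableVolume WMI class, which is present on Home editions where the BitLocker PowerShell module is not; the status and protector type codes are the ones documented for that class. It must be run from an elevated PowerShell prompt, and it only reveals the 48-digit recovery password when the -ShowRecoveryPassword switch is given. Whether the key was actually saved to your Microsoft account still has to be checked on the account page linked above; nothing local can confirm that.

```powershell
# Added example, not from the article: report device encryption / BitLocker state per volume.
# Run from an elevated PowerShell prompt (the WMI provider requires administrator rights).
param(
    # The recovery password unlocks the drive; only print it when explicitly requested.
    [switch]$ShowRecoveryPassword
)

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Numeric codes as documented for the Win32_EncryptableVolume class
$protectionStatus = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$conversionStatus = @{ 0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress';
                       3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }
$protectorType    = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password (recovery key)';
                       4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key';
                       7 = 'Public key'; 8 = 'Passphrase'; 9 = 'TPM certificate'; 10 = 'CryptoAPI NG' }

$volumes = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume -ErrorAction Stop |
           Where-Object { $_.DriveLetter }

foreach ($vol in $volumes) {
    $status = Invoke-CimMethod -InputObject $vol -MethodName GetProtectionStatus
    $conv   = Invoke-CimMethod -InputObject $vol -MethodName GetConversionStatus
    Write-Host ("Volume {0}: {1}, {2} ({3}% encrypted)" -f $vol.DriveLetter,
        $protectionStatus[[int]$status.ProtectionStatus],
        $conversionStatus[[int]$conv.ConversionStatus],
        $conv.EncryptionPercentage)

    # "Unprotected" but "Fully encrypted" is the clear-key state: the disk is encrypted,
    # but protection is suspended, so the data is not actually guarded yet.
    if ($status.ProtectionStatus -eq 0 -and $conv.ConversionStatus -eq 1) {
        Write-Warning ("Volume {0} is encrypted but protection is off (clear key / suspended)." -f $vol.DriveLetter)
    }

    # KeyProtectorType 0 asks for every protector on the volume
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
    $hasRecoveryPassword = $false
    foreach ($id in $ids) {
        $type = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                    -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        Write-Host ("  protector {0}: {1}" -f $id, $protectorType[[int]$type])
        if ($type -eq 3) {
            $hasRecoveryPassword = $true
            if ($ShowRecoveryPassword) {
                $pw = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorNumericalPassword `
                           -Arguments @{ VolumeKeyProtectorID = $id }).NumericalPassword
                Write-Host ("    recovery password: {0}" -f $pw)
            }
        }
    }

    # A protected volume without a recovery password protector has no way back after a UEFI change.
    if ($status.ProtectionStatus -eq 1 -and -not $hasRecoveryPassword) {
        Write-Warning ("Volume {0} is protected but has no recovery password protector." -f $vol.DriveLetter)
    }
}
```

Run it as `.\Check-DeviceEncryption.ps1` to see the summary, or with `-ShowRecoveryPassword` to print the 48-digit key so you can compare it against the one listed in your Microsoft account (the key ID shown next to each protector is what the recovery screen asks for). The script only reads state; it does not add, remove or back up protectors.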

What to do if BitLocker locks your device?

I have information on this in a separate article here: What to do if BitLocker locks your PC - Microsoft Community

Conclusion

Device encryption is a feature intended to protect your data. It should be enabled, but you should use it with caution. You should make sure you have your recovery key in case you need it, and you should have a backup of your files in case you lose access to the device.

If you are planning to make changes to your system's UEFI settings, make sure you have your recovery key or disable device encryption before changing the options.
