This tutorial will show you how to turn on or off device encryption on a Windows 11 PC.
Device encryption is a Windows feature that enables BitLocker encryption automatically for the Operating System drive and fixed drives. It’s particularly beneficial for everyday users who want to ensure their personal information is safe without having to manage complex security settings.
When you first sign in or set up a device with a Microsoft account, or work or school account, Device Encryption is turned on and a recovery key is attached to that account. If you're using a local account, Device Encryption isn't turned on automatically.
Unlike BitLocker Drive Encryption, which is available on Windows Pro, Enterprise, or Education editions, Device Encryption is available on a wider range of devices, including those running Windows Home.
If device encryption is turned off, it will no longer automatically enable itself in the future. You must enable it manually (if wanted) in Settings.
If device encryption isn't available on your device, you may be able to turn on standard BitLocker encryption instead.
If you want to use standard BitLocker encryption instead, it's only available on supported devices running Windows 11 Pro, Enterprise, or Education.
Starting with Windows 11 build 25905, Microsoft have adjusted the prerequisites (removal of Modern Standby/HSTI validation and untrusted DMA ports check) for enabling device encryption so that it is automatically enabled when doing clean installs of Windows 11.
References:
Device Encryption in Windows - Microsoft Support
BitLocker overview
BitLocker drive encryption in Windows 11 for OEMs
You must be signed in as an administrator to turn on or off device encryption.
Device encryption uses XTS-AES 128-bit BitLocker encryption method and cipher strength by default in Windows 11. If you would like to use a stronger XTS-AES 256-bit BitLocker encryption method and cipher strength, then you will need to change the BitLocker encryption method and cipher strength before turning on device encryption. If device encryption is already turned on, then you would need to turn off device encryption, change the BitLocker encryption method and cipher strength, and then turn on device encryption.
Device encryption should be suspended or turned off before flashing the system BIOS and when a motherboard or system drive replacement is expected.
EXAMPLE: Device encryption turned on:
1 Open Settings (Win+I).
2 Click/tap on Privacy & security on the left side, and click/tap on Device encryption on the right side. (see screenshot below)
The Device encryption setting will not be available if you are not currently signed in as an administrator.
If you do not have Device encryption available, then your PC doesn't support device encryption. You may be able to turn on standard BitLocker encryption instead.
Open Device encryption settings
3 Turn on Device encryption. (see screenshot below)
4 You will now see Encryption is in progress until finished. (see screenshot below)
This may take a while to finish. Do not turn off your PC until device encryption has successfully finished.
5 When finished, you can close Settings if you like.
6 It is highly recommended that you now backup the BitLocker recovery key used for Device Encryption. You will need to know this BitLocker recover key if you should ever be prompted for it to gain access to your Windows drive.
1 Open Settings (Win+I).
2 Click/tap on Privacy & security on the left side, and click/tap on Device encryption on the right side. (see screenshot below)
The Device encryption setting will not be available if you are not currently signed in as an administrator.
If you do not have Device encryption available, then your PC doesn't support device encryption.
Open Device encryption settings
3 Turn off Device encryption. (see screenshot below)
4 Click/tap on Turn off to confirm. (see screenshot below)
5 You will now see Decryption is in progress. until finished. (see screenshot below)
This may take a while to finish. Do not turn off your PC until decryption has successfully finished.
6 When finished, you can close Settings if you like.
That's it,
Shawn Brink
- Check Device Encryption Support in Windows 11
- Check BitLocker Drive Encryption Status of Drive in Windows 11
- Change BitLocker Drive Encryption Method in Windows 11
- Turn On BitLocker for Operating System Drive in Windows 11
- Suspend or Resume BitLocker Protection for Drive in Windows 11
- Back up BitLocker Recovery Key in Windows 11
- Find BitLocker Recovery Key in Windows 11
- Add or Remove Manage BitLocker Context Menu in Windows 11