Device Encryption

Windows 11 includes a device encryption feature that helps protect the documents and other data that you store on your PC from being stolen or otherwise accessed by others. Device encryption is what's known as a full-disk encryption solution because it is applied to an entire disk and not just to certain folders or files. It's also automatic: device encryption is enabled on the PC when you sign in to Windows 11 using a Microsoft account for the first time.
Technically speaking, Windows 11 does not encrypt your entire system disk, which is divided into different logical volumes. Instead, it encrypts the C: drive, which is the volume that contains Windows and other system files. (This drive is often referred to as the system disk.) Any other volumes on this disk will not be encrypted (nor visible normally while using Windows 11).
If you sign in to Windows 11 with a local account, which we do not recommend, device encryption will not be enabled automatically. This is only one of many reasons why using a Microsoft account is more secure.
Oddly, there are two versions of device encryption, and which you get is determined by which Windows 11 product edition you are using. If you have Windows 11 Home, you have a basic, streamlined version of device encryption. But if you have Windows 11 Pro, you get a more configurable and manageable version called BitLocker drive encryption. Both share the same underpinnings, but BitLocker includes additional features as described below.

For the most part, using device encryption is seamless and not something you will notice. But it is important to understand that any files that you copy or move to an encrypted disk are encrypted during the copy or move process. Likewise, any files that you copy or move from an encrypted disk are decrypted during that process as well. Decrypted files can be read or used by anyone, on any PC.
When enabled, device encryption also provides some additional functionality to the system disk on which Windows is installed. For example, when the PC boots, it will examine the integrity of the system to ensure that nothing suspicious has happened to the PC's firmware or startup files. If an issue is found, you'll be prompted to provide the recovery key, which was saved to your Microsoft account and is like a very lengthy password. (This is discussed below.)
Manage device encryption
Device encryption doesn't offer much in the way of management: this feature is enabled for you automatically when you sign into Windows 11 using a Microsoft account. However, you can ensure that device encryption is enabled and even disable this feature---which we do not recommend---using the Settings app.

To do so, open Settings (WINKEY + I) and navigate to Privacy & security > Device encryption.

If you just signed into Windows 11 for the first time, you may see an "Encryption is in progress" message at the top of this Settings page. That message will disappear when Windows 11 finishes encry...

Gain unlimited access to Premium articles.

With technology shaping our everyday lives, how could we not dig deeper?

Thurrott Premium delivers an honest and thorough perspective about the technologies we use and rely on everyday. Discover deeper content as a Premium member.

Tagged with

Share post

Please check our Community Guidelines before commenting

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2024 Thurrott LLC