All PCs that were designed for Windows 10 or Windows 11 support strong data encryption. On devices running any edition of Windows 10 or Windows 11, you can use a feature called device encryption, which works only on the system drive. PCs running the Pro, Enterprise, or Education editions of Windows include a more feature-rich version of this feature, called BitLocker Drive Encryption; it works with secondary drives and removable drives in addition to the system drive.
Why does encryption matter? An attacker who steals your PC (or even gains unauthorized access to it when you step away) can use a variety of tricks to try to access the data on that PC. For example, they can use a USB flash drive to boot an alternate operating system and try to read the drive; if the data on that drive is stored without encryption, they have access to everything, including saved email messages, photos, and documents like tax returns and downloaded bank statements.
With the system drive encrypted, an attacker who steals your device but doesn’t have your sign-in credentials is completely locked out of your data. If they try to boot using an alternate operating system, they’ll be prompted to enter a 48-digit recovery key to gain access to the system drive. Without that key, the data is literally unreadable.
Hardware requirements for encrypting
The requirements for encrypting a system drive on a Windows 11 or Windows 10 PC are fairly simple. Your hardware must include a Trusted Platform Module (TPM) chip, version 1.2 or later; the device must be configured using UEFI firmware and not a Legacy BIOS; and Secure Boot must be enabled.
To use the BitLocker Drive Encryption management tools, you must be running a business edition of Windows 10 or Windows 11: Pro, Enterprise, or Education. (It’s possible to enable BitLocker without a TPM, using a USB flash drive to store the encryption key, but I don’t recommend it.)
Pretty much every PC sold since 2017 has included a TPM.
To see whether your PC has a TPM chip (and, if so, which version), follow these steps:
- Right-click Start and then click Device Manager on the Quick Link menu.
- In Device Manager, look for the heading Security Devices. If it doesn’t exist, your system isn’t equipped with a TPM.
- If the Security Devices heading exists, expand it to show Trusted Platform Module hardware, including version number, like the one shown here.
If you can pass those hardware tests, you can encrypt the system drive.
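The same check can be scripted. The block below is an added example, not code from the article: it tests all three requirements named above (a TPM at version 1.2 or later, UEFI firmware, Secure Boot enabled) from an elevated PowerShell prompt, using the standard `Win32_Tpm` CIM class, the `firmware_type` environment variable and the `Confirm-SecureBootUEFI` cmdlet. The function name is my own.

```powershell
# Added example (not from the article): readiness check for the three
# hardware requirements -- TPM 1.2 or later, UEFI firmware, Secure Boot on.
# Run from an elevated PowerShell prompt on Windows 10 or Windows 11.

function Test-EncryptionReadiness {
    $result = [ordered]@{}

    # TPM presence and specification version. Win32_Tpm.SpecVersion reads
    # like "2.0, 0, 1.38"; the first comma-separated field is the spec version.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $result.TpmPresent = $false
        $result.TpmVersion = $null
    } else {
        $result.TpmPresent = $true
        $result.TpmVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    }

    # Windows sets this to "UEFI" or "Legacy" according to how it was booted.
    $result.FirmwareType = $env:firmware_type

    # Secure Boot state. Confirm-SecureBootUEFI throws on Legacy BIOS systems,
    # which for our purposes is the same as "not enabled".
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBoot = $false
    }

    # -and short-circuits, so the [version] cast never sees $null.
    $tpmOk = $result.TpmPresent -and ([version]$result.TpmVersion -ge [version]'1.2')
    $result.Ready = $tpmOk -and ($result.FirmwareType -eq 'UEFI') -and $result.SecureBoot

    [pscustomobject]$result
}

Test-EncryptionReadiness | Format-List
```

`Ready` is `True` only when every requirement holds; the other fields tell you which one failed (a missing `Security Devices` heading in Device Manager corresponds to `TpmPresent` being `False` here).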
Turn on device encryption
On PCs that have a single main storage device (aka drive C:), where you’ve signed in with a Microsoft account, the option to turn on device encryption is impressively simple. Go to Settings > Privacy & Security > Device Encryption and turn on the switch. That’s it.
If you see a message that says device encryption is suspended, make sure you’ve ejected all removable media, including mounted ISO files. Then restart your computer.
Turn on BitLocker Drive Encryption
For those who chose not to sign in with a Microsoft account but opted for a local account instead, the device encryption option isn’t available. As long as you’re running a business or education edition of Windows, you can still enable encryption on the system drive using the BitLocker Drive Encryption management tools.
The simplest option is to use the BitLocker Encryption Wizard, which includes its own compatibility checker.
Open File Explorer, click This PC, right-click the icon for your system drive (C:), and then click Turn on BitLocker. If your system doesn’t meet the specifications, you’ll get an error message. If everything’s clear, you can follow the wizard’s prompts to save your recovery key and begin the encryption process.
On a system that supports the full set of BitLocker management tools, you can also choose to encrypt secondary drives. Click Start, type BitLocker in the search box, and then click the Manage BitLocker option. There, you can enable, disable, suspend, and resume encryption for any available drive.
Oh, and regardless of which option you choose, be sure to back up your recovery key!
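For a local-account machine on a business edition, the wizard's work can also be done from an elevated PowerShell prompt. This is an added example, not the article's own steps: it turns on BitLocker for the system drive with a TPM protector (so the drive unlocks at boot) plus a numerical recovery password, then writes the 48-digit recovery key to a file. The cmdlets are the standard BitLocker module; the function name and the `E:\` backup path (assumed to be a USB drive you control, never the drive being encrypted) are my own.

```powershell
# Added example (not from the article): enable BitLocker on the system drive
# with a TPM protector and a 48-digit recovery password, then save the
# recovery password off the machine. Elevated prompt, Pro/Enterprise/Education.

function Enable-SystemDriveBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [string]$BackupPath = 'E:\BitLocker-Recovery-Key.txt'   # assumed: removable drive, not C:
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # With a TPM protector BitLocker runs its hardware test at the next
        # restart before encryption starts (the same check the wizard performs).
        # -UsedSpaceOnly is faster on a fresh install; drop it on a drive that
        # has held sensitive data before, so old free-space contents are covered.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                         -UsedSpaceOnly -TpmProtector | Out-Null

        # Add the recovery password now, so it exists before that restart.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }

    # Every numerical recovery password attached to the volume (normally one).
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        throw "$MountPoint has no recovery password protector; add one before relying on this drive."
    }

    $lines = foreach ($kp in $recovery) {
        "Drive: $MountPoint"
        "Key protector ID: $($kp.KeyProtectorId)"
        "Recovery key: $($kp.RecoveryPassword)"
        ""
    }
    Set-Content -Path $BackupPath -Value $lines -Encoding ASCII

    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyFile  = $BackupPath
    }
}

Enable-SystemDriveBitLocker
```

Restart once the function returns; `Get-BitLockerVolume -MountPoint C:` then shows `EncryptionInProgress` and, when finished, `FullyEncrypted` with `ProtectionStatus` of `On`. Keep the exported file away from the PC it protects; on a domain-joined machine, `Backup-BitLockerKeyProtector` can escrow the same recovery password in Active Directory instead.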