Tutorial: How to Enable or Disable Device Encryption on Windows 11 and Where to Find Your Recovery Key
Microsoft supports device encryption on both Windows 10 and Windows 11. On Windows 10 the OEM usually decides whether it is switched on out of the box; on Windows 11 it is enabled by default on every eligible device, and since version 24H2 Microsoft has relaxed the hardware requirements, so most new installs qualify.
The advantage is straightforward. Device encryption is full-disk encryption of the Windows volume (it is BitLocker with automatic setup). Once protection is on, a drive that is removed and mounted in another PC cannot be read without the 48-digit recovery key or the TPM of the original machine.
However, many users do not realise that it is on by default, nor that the recovery key is only backed up automatically when they sign in with a Microsoft account. Sign in with a local (offline) account and nothing backs the key up; if the PC later fails to boot or the TPM state changes, the data on the disk may be unrecoverable.
Devices That Default to Device Encryption:
Device encryption is Microsoft BitLocker with automatic provisioning. It is enabled by default on devices that have a Trusted Platform Module (TPM), boot via UEFI with Secure Boot on, and otherwise meet Microsoft's device-encryption hardware requirements (Windows 11 24H2 relaxed these, so more PCs qualify).
When device encryption starts, the system does not prompt the user, and Microsoft does not remind local-account users to back up the recovery key. Only when the user opens the Device encryption settings page are they asked to sign in with a Microsoft account.
A Confusing Aspect:
In tests on Windows 11 LTSC 2024, the device encryption toggle was already on after a fresh install. A banner at the top of the page, however, asked for a Microsoft account sign-in to finish encryption, and the drive itself was listed as waiting for the encryption process to be activated: the toggle was on, but the drive did not look protected.
At first this suggests that encryption really starts only after a Microsoft account sign-in. That does not match what other users report: their drives were encrypted without ever signing in, and no prompt to back up the key appeared.
The difference could come from changes in newer Windows builds or from LTSC-specific settings; checking against an older Windows 11 release would settle it.
A further test explained it. With device encryption enabled and no account signed in, BitLocker shows "Waiting for activation", yet switching device encryption off immediately shows the drive decrypting. So the drive had in fact been encrypted, and no prompt to back up a recovery key was ever shown. What "Waiting for activation" means in BitLocker terms is that the data is encrypted but the volume key is stored on the disk as a clear key, with no TPM or recovery-password protector, and BitLocker reports protection as off. In that state the drive is readable on any PC, and there is no recovery key to back up yet. Signing in with a Microsoft account is what "activates" it: the recovery key is uploaded to the account, the clear key is discarded and a TPM protector is added.
👆 Device encryption started without signing in: BitLocker is actually encrypting the drive, but the status then shows "Waiting for activation".
How to Enable or Disable Device Encryption:
If your PC has a TPM and meets the other requirements, the switch is under Settings > Privacy & security > Device encryption. The page shows whether device encryption is on or off and lets you toggle it; turning it off decrypts the whole drive, which takes a while.
If Device encryption does not appear under Privacy & security, the PC does not meet the requirements: no TPM, Secure Boot not enabled, or another unmet condition. Run msinfo32 and look at the Device Encryption Support row in System Summary; it names the check that failed. On Windows 11 Pro, Enterprise or Education you can still turn on BitLocker manually from Control Panel > BitLocker Drive Encryption (without a TPM this requires the "Require additional authentication at startup" policy to allow a startup password or key).
👆 Sign in with a Microsoft account to complete encryption; afterwards the recovery key can be viewed in the account's device list.
How to Find Your Recovery Key:
If device encryption is on and you sign in with a Microsoft account, the BitLocker recovery key is uploaded to that account automatically. If the PC later boots to the BitLocker recovery screen, you can retrieve the key from the account on any other device.
Sign in at account.microsoft.com, open Devices and choose the BitLocker recovery keys view (direct link: https://account.microsoft.com/devices/recoverykey). Each entry shows the device name, the date the key was uploaded, the key ID and the 48-digit recovery key. Match the key ID shown on the recovery screen with the one in the list, then type or copy that key.
If the drive is protected and no Microsoft account ever backed the key up, there is normally no other copy: brute-forcing the 48-digit recovery password or the AES volume key is not feasible, and the data must be considered lost. Two situations are not hopeless, though. While Windows still boots, an administrator can print the recovery password with manage-bde -protectors -get C: and save it somewhere off the drive. And a drive still in the "Waiting for activation" state has only a clear key, so it can be read without any recovery key at all; back the key up and enable protection deliberately rather than waiting for that state to change on its own.
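The "Waiting for activation" state described in the confusing-aspect section and the recovery-key problem above can both be handled from an elevated PowerShell. The script below is an added example written for this article; it is not Microsoft's code and not from the original page. It assumes the BitLocker, TrustedPlatformModule and SecureBoot modules that ship with Windows 10/11, and a removable drive mounted as D: to hold the key file (an assumption; change $BackupDir). It inspects the OS volume, saves the 48-digit recovery password to that drive, and adds the TPM protector, which is the "activation" the Settings page otherwise performs after a Microsoft account sign-in.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article or from Microsoft.
# Assumption: a USB stick or other unencrypted drive is mounted as D:.
$BackupDir  = 'D:\BitLockerRecovery'
$MountPoint = $env:SystemDrive          # normally C:

function Show-Prerequisites {
    # The two requirements the article names: a ready TPM and Secure Boot.
    $tpm = Get-Tpm
    Write-Host "TPM present : $($tpm.TpmPresent)   ready: $($tpm.TpmReady)"
    try   { Write-Host "Secure Boot : $(Confirm-SecureBootUEFI)" }
    catch { Write-Host "Secure Boot : not available (legacy BIOS boot or unsupported firmware)" }
}

function Show-VolumeState {
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
    Write-Host "Volume status    : $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% done, $($vol.EncryptionMethod))"
    Write-Host "Protection status: $($vol.ProtectionStatus)"
    Write-Host "Key protectors   : $(if ($types) { $types -join ', ' } else { 'none (clear key)' })"

    # 'Waiting for activation' in Settings looks like this from the command line:
    # data already encrypted, but protection Off and no protector, i.e. a clear key on disk.
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -eq 'Off' -and $types.Count -eq 0) {
        Write-Warning "Encrypted with a clear key: readable on any PC, and there is no recovery key to back up yet."
    }
    return $vol
}

function Save-RecoveryPassword {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        # Adding the first protector to a clear-key volume discards the clear key.
        $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    $null = New-Item -ItemType Directory -Path $BackupDir -Force
    foreach ($p in $rp) {
        # The recovery screen shows only the first 8 characters of the protector GUID as "Key ID".
        $id   = $p.KeyProtectorId.Trim('{}')
        $file = Join-Path $BackupDir "BitLocker-Recovery-Key-$id.txt"
        @(
            "Key ID (as shown on the recovery screen): $($id.Substring(0, 8))"
            "Full protector ID: $($p.KeyProtectorId)"
            "Recovery password: $($p.RecoveryPassword)"
        ) | Set-Content -Path $file
        Write-Host "Saved $file"
    }
}

function Enable-TpmProtection {
    # Binding the volume key to the TPM is what turns "Waiting for activation" into protection On.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector
    }
}

Show-Prerequisites
$vol = Show-VolumeState
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Save-RecoveryPassword      # save the key first, then bind to the TPM
    Enable-TpmProtection
    $null = Show-VolumeState   # expect: Protection On, protectors Tpm and RecoveryPassword
}
# To switch device encryption off instead (full decryption, slow):
#   Disable-BitLocker -MountPoint $MountPoint
```

There is no cmdlet that uploads a recovery key to a personal Microsoft account; that upload is done by the Settings page during sign-in, which is why the script writes the key to a file on a separate drive instead. On an Entra-joined machine BackupToAAD-BitLockerKeyProtector does the equivalent upload to the organisation's tenant. Keep the key file off the encrypted volume, and verify the final Show-VolumeState output reports Protection On before relying on the drive being protected.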