Windows 10 sometimes uses encryption by default, and sometimes doesn’t—it’s complicated. Encryption isn’t just about stopping the NSA—it’s about protecting your sensitive data in case you ever lose your PC, which is something everyone needs.
Many new PCs that ship with Windows 10 will automatically have “Device Encryption” enabled. This feature was first introduced in Windows 8.1, and there are specific hardware requirements for this. Not every PC will have this feature, but some will.
There’s another limitation, too—it only actually encrypts your drive if you sign into Windows with a Microsoft account. Your recovery key is then uploaded to Microsoft’s servers. This will help you recover your files if you ever can’t log into your PC.
If you sign into an organization’s domain, device encryption will also be enabled. For example, you might sign into a domain owned by your employer or school. In that case, your recovery key is uploaded to the organization’s domain servers. However, this doesn’t apply to the average person’s PC—only PCs joined to domains.
To check if Device Encryption is enabled:
- Open the Settings app, navigate to System > About, and look for a “Device encryption” setting at the bottom of the About pane.
- If you don’t see anything about Device Encryption here, your PC doesn’t support Device Encryption and it’s not enabled.
- If Device Encryption is enabled (or if you can enable it by signing in with a Microsoft account), you’ll see a message saying so here.
For Windows Pro Users: BitLocker
If Device Encryption is not enabled, or if you want a more powerful encryption solution that can also encrypt removable USB drives, for example, you’ll want to use BitLocker. Microsoft’s BitLocker encryption tool has been part of Windows for several versions now, and it’s generally well regarded. However, Microsoft still restricts BitLocker to Professional, Enterprise, and Education editions of Windows 10.
BitLocker is most secure on a computer that contains Trusted Platform Module (TPM) hardware, which most modern PCs do.
Windows normally says BitLocker requires a TPM, but there’s a hidden option that allows you to enable BitLocker without a TPM. If you enable this option, you’ll have to use a USB flash drive as a “startup key” that must be present at every boot.
If you already have a Professional edition of Windows 10 installed on your PC, you can search for “BitLocker” in the Start menu and use the BitLocker control panel to enable it. If you upgraded for free from Windows 7 Professional or Windows 8.1 Professional, you should have Windows 10 Professional.
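The same facts can be read from an elevated PowerShell prompt. The script below is an added example, not part of the original article: it reports the Windows edition, the TPM state, and each volume's encryption status and key protectors. It assumes the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets are available on the PC and only reads state; it changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report of the encryption state described above.

# Windows edition: BitLocker is limited to Professional, Enterprise and Education.
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
Write-Output "Windows edition: $edition"

# TPM state: BitLocker is most secure when a TPM is present and ready.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    Write-Output "TPM present: $($tpm.TpmPresent), ready: $($tpm.TpmReady)"
} catch {
    Write-Output "TPM state could not be read: $($_.Exception.Message)"
}

# Per-volume status. Device Encryption and BitLocker both show up here.
try {
    $volumes = Get-BitLockerVolume -ErrorAction Stop
} catch {
    Write-Output "BitLocker cmdlets unavailable: $($_.Exception.Message)"
    return
}

foreach ($v in $volumes) {
    $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # A fully encrypted volume with protection off is suspended: the data is
    # encrypted, but the key is stored unprotected on disk until protection resumes.
    $suspended = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'Off')

    [pscustomobject]@{
        Volume          = $v.MountPoint
        Status          = $v.VolumeStatus
        Protection      = $v.ProtectionStatus
        PercentDone     = $v.EncryptionPercentage
        Protectors      = $types -join ', '
        HasTpmProtector = [bool]($types -match '^Tpm')          # Tpm, TpmPin, ...
        HasRecoveryPwd  = $types -contains 'RecoveryPassword'   # the recovery key
        HasExternalKey  = $types -contains 'ExternalKey'        # USB startup or recovery key
        Suspended       = $suspended
    }
}
```

A volume that shows no `RecoveryPassword` protector has no recovery key to fall back on, so check that one exists and has been backed up before relying on the encryption.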
Just in case…
If you don’t have a Professional edition of Windows 10, open the Settings app, navigate to Update & security > Activation, and click the “Go to Store” button. From there you can upgrade to Windows 10 Professional, which gives you access to BitLocker and the other features that edition includes.