If you want to keep personal files, work documents, and saved passwords protected, Windows 10 encryption is one of the most effective built-in defenses.
This guide explains how to turn on encryption on Windows 10 PC and how to tell whether your device supports Device Encryption or BitLocker.
What Windows 10 encryption actually does
Encryption turns readable data into unreadable code unless someone has the correct key or sign-in credentials.
On a Windows 10 PC, this mainly helps protect data if the device is lost, stolen, or accessed without permission.
Windows 10 typically offers two built-in encryption options:
- Device Encryption: A simplified automatic feature available on some devices, often with hardware support such as TPM 2.0.
- BitLocker Drive Encryption: A more advanced tool available on Windows 10 Pro, Enterprise, and Education editions.
Both options can help protect the system drive and, in many cases, additional drives or removable storage.
Check whether your Windows 10 PC supports encryption
Before you try to enable encryption, confirm your PC has the required hardware and edition.
This saves time and explains why some systems show Device Encryption while others only support BitLocker.
Check your Windows edition
Open Settings, then go to System, and select About.
Under Windows specifications, look for the edition name.
- Windows 10 Home: May support Device Encryption on select devices.
- Windows 10 Pro: Supports BitLocker.
- Windows 10 Enterprise/Education: Supports BitLocker.
Check for TPM and Secure Boot support
Trusted Platform Module, or TPM, is a security chip that helps store encryption keys safely.
Many modern PCs also use Secure Boot, which helps prevent unauthorized startup changes.
To check TPM status, press Windows key + R, type tpm.msc, and press Enter.
If TPM is available and ready, you will see its status in the management console.
You can also check system firmware settings by restarting the PC and entering BIOS or UEFI.
Look for TPM, Security Device Support, Intel PTT, or AMD fTPM options.
How to turn on encryption on Windows 10 PC using Device Encryption
If your device supports Device Encryption, the process is simple and often automatic once you sign in with a Microsoft account.
This is the easiest path for many Windows 10 Home users.
- Open Settings.
- Select Update & Security.
- Choose Device encryption from the left menu.
- If the option appears, switch it On.
If you do not see Device encryption, your PC may not support it, or the feature may be disabled in firmware.
In that case, BitLocker may still be available on a Pro or Enterprise edition.
When Device Encryption is enabled, Windows saves the recovery key to your Microsoft account in many cases.
That key is critical if you ever need to unlock the device after a hardware change or recovery event.
How to turn on encryption on Windows 10 PC with BitLocker
BitLocker gives more control than Device Encryption and is the standard choice on Windows 10 Pro.
It can encrypt the operating system drive and, optionally, additional fixed or removable drives.
Enable BitLocker on the system drive
- Open Control Panel.
- Go to System and Security.
- Select BitLocker Drive Encryption.
- Next to the drive you want to protect, click Turn on BitLocker.
Windows will check your system and may ask you to prepare a startup method or confirm that TPM is ready.
Follow the prompts to continue.
Choose how to unlock the drive
For the operating system drive, BitLocker may use TPM automatically.
Depending on policy and configuration, you may also be asked to set a PIN or startup key for stronger protection.
Common unlock methods include:
- TPM only: Convenient and transparent during normal startup.
- TPM + PIN: Adds an extra credential at boot.
- Startup key on USB: Less common, but supported in some setups.
Save your recovery key
This step is essential.
If you lose the recovery key, you may lose access to the encrypted drive.
Windows usually offers several recovery-key storage options:
- Save to your Microsoft account
- Save to a USB flash drive
- Save to a file on another drive
- Print the recovery key
Choose at least one secure backup location, and preferably more than one.
Keep the recovery key separate from the protected PC.
Select how much of the drive to encrypt
Windows may ask whether to encrypt only used space or the entire drive.
This decision matters, especially on new versus older computers.
- Encrypt used disk space only: Faster and suitable for new PCs.
- Encrypt entire drive: Better for older systems or drives that may contain remnants of deleted data.
Start encryption
After you confirm your settings, Windows begins encrypting the drive in the background.
You can keep using the PC while the process runs, although performance may be slightly slower on some systems.
Depending on drive size and speed, encryption can take minutes or several hours.
SSDs usually complete faster than traditional hard drives.
How to verify that encryption is enabled
After setup, confirm that your device is actually protected.
This is an important step because encryption should be verified, not assumed.
For BitLocker, return to BitLocker Drive Encryption in Control Panel.
The drive status should show On or indicate that protection is active.
You can also open Command Prompt as an administrator and run:
manage-bde -status
This command shows whether BitLocker protection is enabled and lists the encryption method, conversion status, and protection status.
How to encrypt external drives and USB devices
If you use portable storage, consider protecting it as well.
BitLocker To Go can encrypt removable drives such as USB flash drives and external hard drives.
- Insert the removable drive.
- Open Control Panel and go to BitLocker Drive Encryption.
- Find the removable drive and select Turn on BitLocker.
- Choose a password or smart card unlock method.
- Save the recovery key and start encryption.
This is especially useful for laptops, contractor devices, and any workflow where data regularly leaves the office network.
What to do if you do not see encryption options
If Device Encryption or BitLocker is missing, there are usually a few reasons.
The most common are unsupported Windows edition, missing TPM, disabled firmware settings, or a group policy restriction.
- Confirm you are using Windows 10 Pro, Enterprise, or Education for BitLocker.
- Check that TPM is present and enabled.
- Update your BIOS or UEFI firmware if the security options are outdated.
- Make sure your Windows installation is fully updated.
On managed work PCs, an IT administrator may control encryption through Group Policy or Microsoft Intune, so local settings may be limited.
Best practices for Windows 10 encryption
Encryption works best when paired with other security habits.
These practices reduce the chance of lockout and improve protection overall.
- Use a strong Windows sign-in password or PIN.
- Keep a backup of the BitLocker recovery key in a secure location.
- Enable automatic updates so security fixes stay current.
- Use a Microsoft account if you want easier recovery-key storage.
- Consider full-disk encryption on laptops and portable devices first.
Windows 10 encryption is strongest when combined with device lock policies, secure firmware settings, and careful recovery-key management.
That combination protects data even when the physical machine is out of your control.