Windows 11 includes a full-disk encryption feature called Device encryption that protects the data on your system drive. Device encryption uses Microsoft BitLocker technologies, and it's enabled automatically the first time you sign in to Windows 11 using a Microsoft account (or Microsoft Work or school account).
Technically speaking, Device encryption does not encrypt your entire system disk, which is divided into different logical volumes or partitions. Instead, it encrypts the C: drive, which is the volume that contains Windows and other system files. (This drive is often referred to as the system disk.) Any other volumes on this disk will not be encrypted (nor are they normally visible while using Windows 11).
If you sign in to Windows 11 with a local account, Device encryption will be enabled automatically but not activated (that is, not fully enabled). If you are using Windows 11 Home, you can only activate Device encryption by signing in to Windows (at least once) with a Microsoft account.
With Windows 11 Pro, you can use the BitLocker control panel, described later in this chapter, to activate Device encryption.
For the most part, Device encryption is seamless and not something you will notice. But it is important to understand that any files that you copy or move to an encrypted disk are encrypted during the copy/move process. Likewise, any files that you copy or move from an encrypted disk are decrypted during that process as well. Decrypted files can be read or used by anyone, on any PC.
When enabled, Device encryption also provides some additional functionality to the system disk on which Windows is installed. For example, when the PC boots, it will examine the integrity of the system to ensure that nothing suspicious has happened to the PC's firmware or startup files. If an issue is found, you'll be prompted to provide the recovery key, which was saved to your Microsoft account (or Work or school account) in the form of a very lengthy text-based password. (This is discussed below.)
Manage device encryption
Device encryption doesn't offer much in the way of management: This feature is enabled for you automatically when you sign in to Windows 11 using a Microsoft account. However, you can ensure that device encryption is enabled and even disable this feature--which we do not recommend--using the Settings app.
To do so, open Settings (WINKEY + I) and navigate to Privacy & security > Device encryption.
If you just signed in to Windows 11 for the first time, you may see an "Encryption is in progress" message at the top of this Settings page. That message will disappear when Windows 11 finishes encrypting the system disk.
Here, you will find a toggle for device encryption and links to "BitLocker drive encryption" and "Find your BitLocker recovery key," the latter of which launches your default web browser and displays an informational website.
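The same state can be confirmed from an elevated PowerShell prompt, shown here as an added example that is not part of the original chapter. It assumes the BitLocker PowerShell module (the Get-BitLockerVolume cmdlet) is available on your edition of Windows 11; the function name Get-DeviceEncryptionSummary and its output fields are hypothetical names introduced for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: summarize the encryption state of the Windows volume.
# Assumption: the BitLocker module (Get-BitLockerVolume) is installed.

function Get-DeviceEncryptionSummary {
    param(
        # Default to the volume Windows is installed on (normally C:).
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Key protector types on the volume, for example Tpm or RecoveryPassword.
    $protectors = @($vol.KeyProtector | Where-Object { $_ } |
        ForEach-Object { [string]$_.KeyProtectorType })

    # Map the volume status to the states a user can see in Settings.
    $state = switch ([string]$vol.VolumeStatus) {
        'FullyDecrypted'       { 'Not encrypted'; break }
        'EncryptionInProgress' { 'Encryption is in progress'; break }
        'DecryptionInProgress' { 'Decryption in progress (encryption was turned off)'; break }
        default {
            if ([string]$vol.ProtectionStatus -eq 'On') { 'Encrypted and protection is on' }
            else { 'Encrypted, but protection is off (not activated or suspended)' }
        }
    }

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        State               = $state
        EncryptionPercent   = $vol.EncryptionPercentage
        KeyProtectors       = $protectors -join ', '
        HasRecoveryPassword = $protectors -contains 'RecoveryPassword'
    }
}

$summary = Get-DeviceEncryptionSummary
$summary | Format-List

if ($summary.State -ne 'Encrypted and protection is on') {
    Write-Warning "Data on $($summary.MountPoint) is not fully protected: $($summary.State)."
}
elseif (-not $summary.HasRecoveryPassword) {
    Write-Warning 'No recovery password protector found, so there is no recovery key to fall back on.'
}
```

A volume that reports as encrypted with protection off and no key protectors corresponds to the "enabled but not activated" state described above for local accounts.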
If you are using Windows 11 Pro, the "BitLocker drive encryption" link will open the Bi...