Windows 11 is here and has some new bells and whistles. One notable change was the focus on security and privacy. For example, the TPM 2.0 chip was made mandatory, and device-wide encryption was enabled by default. However, for some Windows 11 Home users, the Device Encryption option is completely missing in Settings. Why is that happening, and how do we fix it?
Why Is Device Encryption Missing In Windows 11 Home?
To understand why Device Encryption is missing for some users, we first need to dig into sleep mode and Modern Standby.
Sleep mode, when enabled, allows users to wake up their computer quickly. This eliminates the need to boot from scratch. When the computer enters sleep mode, it is locked and encrypted.
To encrypt data in Windows 11 Home, Microsoft uses BitLocker – but not the full version with the advanced features, as that’s reserved for Windows 11 Pro. This results in longer wake times, so Microsoft added Modern Standby. It keeps certain processes and programs running in the background when a PC is in sleep mode. To access these processes and programs, Modern Standby needs to decrypt data that is encrypted automatically in sleep mode.
Modern Standby is directly linked to the device encryption feature in Windows 11 Home. It needs this access to perform its job. So what’s the problem?
As it turns out, Modern Standby is missing on some Windows 11 Home computers. When this happens, the Device Encryption option is also missing since the two are connected. Basically, it’s a bug, one that prevents your Windows 11 Home computer from encrypting data when the computer is in sleep mode, hibernation, locked, idle, or shut down. It is not clear why yet, but the bug only affects some Windows 11 Home computers.
Note that Modern Standby is not the same as sleep mode. They are two separate features with two separate, albeit related, jobs. Sleep mode puts your computer to sleep, while Modern Standby keeps certain processes running to improve wake-up times. Even if Modern Standby is missing, sleep mode will work perfectly on your computer – it just won’t be able to encrypt data, and wake-up times will be slightly longer.
How to Know If Device Encryption Is Missing on Your Windows 11 Home
There are a few ways to find out whether encryption is working on your Windows 11 Home computer.
Open “My Computer,” and if you see an unlock icon on the C: drive, the drive is encrypted. It could be another drive, but the C: drive is usually where the operating system and important apps and files are stored.
Another way is to check for Device encryption settings.
Open “Windows Settings” and go to “Privacy & security.” If you can’t see Device encryption listed there, it is missing due to the Modern Standby conflict.
You do need to satisfy some criteria for the encryption to work on Windows 11 Home. Otherwise, you won’t even see the option to enable/disable it. Let’s take a look at those criteria.
Prerequisites for Encryption to Work on Windows 11
Whether you are using a Home or Pro license of Windows 11, you will need to fulfill certain conditions before you can use encryption:
- TPM 2.0 (Trusted Platform Module) with support for Modern Standby
- TPM must be enabled
- UEFI (Unified Extensible Firmware Interface) firmware
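The checks from the two sections above can also be run from an elevated PowerShell prompt. The script below is an added example, not part of the original article; it assumes an English-language Windows install (powercfg and manage-bde output is localized) and that manage-bde.exe is present, and its function names are made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only checks for the encryption prerequisites listed above.
# Assumption: English-language output from powercfg and manage-bde.

function Test-ModernStandby {
    # "powercfg /a" prints the available sleep states first, then the unavailable ones.
    # Only text before the "not available" heading counts as supported.
    $text = (powercfg /a | Out-String)
    $available = ($text -split 'not available on this system')[0]
    return ($available -match 'S0 Low Power Idle')
}

function Get-TpmSummary {
    $tpm = Get-Tpm
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; the first field is the TPM family.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Enabled     = $tpm.TpmEnabled
        Ready       = $tpm.TpmReady
        SpecVersion = $spec
    }
}

function Get-SystemDriveEncryption {
    # Keep only the status lines that say whether the volume is encrypted and protected.
    manage-bde -status $env:SystemDrive |
        Where-Object { $_ -match 'Conversion Status|Percentage Encrypted|Protection Status' } |
        ForEach-Object { $_.Trim() }
}

$tpm = Get-TpmSummary
[pscustomobject]@{
    FirmwareType   = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    TpmPresent     = $tpm.Present
    TpmEnabled     = $tpm.Enabled
    TpmReady       = $tpm.Ready
    TpmSpecVersion = $tpm.SpecVersion
    ModernStandby  = Test-ModernStandby
    SystemDrive    = (Get-SystemDriveEncryption) -join '; '
} | Format-List
```

A machine that reports FirmwareType Uefi and TpmSpecVersion 2.0 but ModernStandby False matches the situation described earlier, where the Device encryption entry does not appear in Settings.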
How Device Encryption Works on Windows 11 Home
If you do have the Device Encryption option within Windows 11 Home Settings, follow these steps to encrypt data on your computer:
- Press the Win + I keys to navigate to “Settings -> Privacy & security.” Click on “Device encryption.”
- Toggle the Device encryption button to “On.”
Again, if you don’t see this option, it means device encryption is not working on your computer.
Alternative Ways to Encrypt Data on Windows 11 Home
If Device encryption isn’t available on your PC running Windows 11 Home, these options to encrypt your data or even your entire hard drive may help.
1. Encrypt and Store Data Safely Using OneDrive
OneDrive comes with a unique feature: Personal Vault. It is a special encrypted folder that is created by default inside the primary OneDrive folder. You can store any file format inside it. The free version of OneDrive only supports storing up to three files, which is pretty limited, so you will need to upgrade.
On the plus side, your data is encrypted and stored in the cloud, so even if something does happen to your computer, you can access it on another computer. It works on Android and iOS too. We also recommend enabling 2FA for your Microsoft account.
2. Encrypt Windows Computer Using VeraCrypt
VeraCrypt is based on an older version of TrueCrypt, which is now defunct. VeraCrypt is updated from time to time and also supports other operating systems, like Linux and macOS.
Download and install the app just like any other Windows app. Once done, launch the app and click on “Encrypt System Partition/Drive” under the “System” tab.
You will be asked to choose between “Normal” and “Hidden.” Normal mode means VeraCrypt will encrypt the system partition, usually C drive, and create a password. Every time you want to access the drive, you need to input the password.
Hidden creates a new volume with a decoy OS. This gives you two drives with two operating systems: one is real and the other a decoy. If someone forces you to enter a password, you can give access to the decoy drive with fake data. This is for more advanced users.
Click on “Next” and follow the on-screen instructions according to what you selected in the previous step. If you have selected Hidden, you will be asked to choose a location for the decoy volume to be created.
If you have Windows installed in one drive and other data in a different drive, select “Encrypt the Windows system partition.” If you select “Encrypt the whole drive,” it will also encrypt other partitions that you may have created to better manage files and folders.
You may be asked to choose between single-boot and multi-boot. Select single-boot if you only have Windows OS installed. Select multi-boot if you have multiple OS, such as Ubuntu, installed. In my case, it detected single-boot automatically.
You will now see encryption options. The default options of AES and SHA-512 are good for most users, other than those who are more advanced.
We recommend choosing a strong password and jotting it down somewhere safe or memorizing it. Losing the password can render the drive locked forever.
The following are some additional options.
- Use keyfiles – adds an additional layer of security by asking you to provide some files (stored on a pen drive, for example) before accepting the password. If you lose the selected files, you can’t decrypt the drive/partition.
- Display password – simply shows the password you have entered so that you can confirm it one last time before moving forward.
- Use PIM – like keyfiles, this also adds a layer of protection. Here, you choose a number that you will have to enter every time you enter the password. A higher value can help protect from brute force attacks, too.
On the next screen, VeraCrypt will ask you to move the mouse’s cursor on the screen randomly until the meter below is filled. This collects random data to fill the space around encryption keys to protect them. Just move the mouse around randomly and click on “Next” when the meter shows as full.
It is unclear how many users are facing this issue. Microsoft has yet to release a statement or acknowledge the issue, and there are no fixes available yet. For now, if you need to encrypt data, use OneDrive, VeraCrypt or NordLocker. Alternatively, you could upgrade your Windows license to Professional, as it uses the full version of BitLocker and doesn’t have this issue.