What is BitLocker Automatic Device Encryption? How do you activate and deactivate it? This article also explains why drives are automatically encrypted without the user's knowledge and how to find recovery keys.
Some Windows users have found that their drives were encrypted automatically without their knowledge. Based on information gathered from forums, EaseUS Software explains in this article why drives are automatically encrypted without the user's permission, how to disable BitLocker Automatic Device Encryption, and how to find the recovery key.
✨Applies to: Dell/Lenovo/Surface
This part explains what BitLocker Automatic Device Encryption is and what it does.
Automatic Device Encryption is a feature-restricted version of BitLocker. It starts the first time you set up a supported device and automatically encrypts internal drives when you sign in with your Microsoft account or Azure Active Directory account. The entire process requires no user intervention, so the user has no knowledge of the BitLocker recovery key.
Unlike BitLocker Drive Encryption, which encrypts the entire disk, BitLocker Device Encryption encrypts only the system drive and secondary drive. It saves the recovery key to the Microsoft account or Active Directory so that users can access it from any computer.
BitLocker Drive Encryption ensures that drives cannot be tampered with while the operating system is offline. BitLocker Automatic Device Encryption uses BitLocker Drive Encryption to automatically encrypt the internal drive after the user completes the out-of-box experience (OOBE) on a device that meets the hardware requirements. That's why some Windows users have reported seeing a BitLocker recovery blue screen at PC startup even though they are sure they never manually enabled BitLocker.
BitLocker Automatic Device Encryption starts during the out-of-box experience (OOBE). However, protection is enabled only after the user logs in with a Microsoft account or Azure Active Directory account. Until then, protection is suspended, and data will not be protected.
BitLocker Automatic Device Encryption automatically turns on encryption only when the following two prerequisites are met:
So, what are the system conditions and hardware requirements for turning on BitLocker Automatic Device Encryption? Starting with Windows 11 version 24H2, Microsoft has lowered the hardware requirements for Automatic Device Encryption (Auto-DE) in Windows, as shown in the table:
🛡️Hardware | ⚒️System |
---|---|
|
|
Well, how do you check if your computer meets the hardware requirements mentioned in this table? Check the quick steps here:
Even if your computer meets the system and hardware requirements of the BitLocker Device Encryption feature, it will not automatically encrypt the drive if you're logged in with a local account during setup (which is one way to prevent BitLocker from turning on automatically). You can manually enable or disable BitLocker Device Encryption as needed. This section provides a step-by-step guide.
Should I disable BitLocker automatic device encryption? It depends on your individual needs for security and convenience. If you prioritize manual control of encryption settings and need compatibility with other operating systems, disabling may be appropriate. Conversely, if data protection is critical and you can easily manage recovery keys, it may be helpful to leave it enabled. Either way, this part explains how to disable or re-enable BitLocker automatic device encryption.
Check the following steps on how to disable BitLocker device encryption:
On Windows 10
Here is how to turn off device encryption in Windows 10:
On Windows 11
Here is how to turn off device encryption in Windows 11:
Here is how to turn on BitLocker device encryption:
On Windows 10:
On Windows 11:
As with BitLocker Drive Encryption, Automatic Device Encryption generates a BitLocker Recovery Key that is used to unlock the encrypted drive if other authentication methods fail. However, when Device Encryption meets the requirements we mentioned above, it is automatically enabled, and the user is unaware of the entire process, so they don't even know that Device Encryption is turned on. That's why some users get confused when a BitLocker recovery key is needed to access drive data.
But don't worry; you can still retrieve the BitLocker recovery key from your Microsoft account or Azure Active Directory account. When the device is encrypted automatically, it is associated with your Microsoft account or Azure Active Directory account, so your recovery key is stored there. Therefore, you can recover the key by logging in to your Microsoft account on another computer or accessing your Azure Active Directory account.
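The states described above (encrypted with protection off until account sign-in, fully protected, or disabled) and the presence of a recovery key can be checked from an elevated PowerShell prompt. The following read-only script is an added example, not part of the original article or of any EaseUS tool; it assumes the built-in BitLocker PowerShell module (`Get-BitLockerVolume`) is available on the machine, and the function name `Get-EncryptionAudit` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of BitLocker / Device Encryption state.
# Get-EncryptionAudit is a hypothetical helper name; nothing is modified.

function Get-EncryptionAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Map the cmdlet's status fields onto the states the article describes.
        $state = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            'Disabled: volume is not encrypted'
        } elseif ($vol.ProtectionStatus -eq 'Off') {
            'Protection off: encrypted on disk, but data is not protected'
        } elseif ($vol.ProtectionStatus -eq 'On') {
            'Protected: encrypted and protection is on'
        } else {
            'Unknown: volume may be locked'
        }

        # The recovery key is stored as a RecoveryPassword key protector.
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [pscustomobject]@{
            Drive          = $vol.MountPoint
            VolumeType     = $vol.VolumeType
            State          = $state
            EncryptedPct   = $vol.EncryptionPercentage
            Protectors     = ($vol.KeyProtector.KeyProtectorType -join ', ')
            HasRecoveryKey = ($recovery.Count -gt 0)
            # Protector IDs only; the recovery password itself is never printed.
            RecoveryKeyIds = ($recovery.KeyProtectorId -join ', ')
        }
    }
}

$audit = @(Get-EncryptionAudit)
$audit | Format-List

foreach ($v in $audit) {
    if ($v.State -like 'Protection off*') {
        Write-Warning "$($v.Drive) is encrypted but protection is off."
    }
    if ($v.State -like 'Protected*' -and -not $v.HasRecoveryKey) {
        Write-Warning "$($v.Drive) is protected but has no recovery password protector."
    }
}
```

Compare `RecoveryKeyIds` with the key ID shown on the BitLocker recovery screen to pick the matching entry among the keys stored in the account.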
The best option for beginners is EaseUS Partition Master. It can help create a bootable USB on another PC and bypass the BitLocker Recovery screen in one click:
Step 1. First, connect a USB drive to a PC that is running properly. Launch EaseUS Partition Master, navigate to the "Bootable Media" section, and click the "Create bootable media" option. Click "Next" to continue.
Step 2. Select the target USB drive and click "Create" to continue. Please back up your data in advance since this will erase all data on the USB drive. Then, click "yes" to confirm when you see the warning. Do not exit EaseUS Partition Master until it's done.
Step 3. Connect the bootable USB to the BitLocker encrypted PC and restart the PC. During the reboot, press the BIOS key (F2/F8/F12/DEL/ESC) to access BIOS and set the bootable USB as the boot drive. The PC will automatically boot from the USB disk.
Step 4. EaseUS Partition Master will automatically unlock the BitLocker encrypted drive and you can see an "unlock" icon.
Step 5. Hover the mouse over the BitLocker partition; you can see more information about this partition and manage the BitLocker partition, such as locking it or turning off BitLocker.
If you are unexpectedly asked for your BitLocker Recovery Key and you don't think you have it enabled yet, it is likely that device encryption has been turned on automatically.
You can use EaseUS Partition Master to help you skip this step and boot into Windows normally. You can also access your Microsoft account and Azure Active Directory account to find the recovery key.
Many Dell and Lenovo users say that when they start their computers, BitLocker asks for a recovery key, and they don't have a clue. If you are also experiencing this issue, read on to learn more.
1. What does BitLocker automatic device encryption do?
BitLocker automatic device encryption uses BitLocker drive encryption technology to automatically encrypt internal drives after the user completes the Out Of Box Experience (OOBE) on devices that meet hardware requirements.
2. What is the difference between suspending and disabling encryption?
Suspending BitLocker disables BitLocker protection. The drive remains encrypted, but BitLocker uses an unprotected clear key to allow access. Disabling BitLocker will completely remove encryption from the drive. The data will be decrypted, and BitLocker protection will be turned off.
3. What causes BitLocker to go into recovery mode when attempting to boot an operating system drive?
BitLocker may enter recovery mode for various reasons related to hardware, software, or authentication. Common reasons are listed below: