David Schlachter

Windows 11 Device Encryption on the Lenovo T480

Starting with Windows 11, user data can be encrypted without requiring a Pro/Enterprise/Education version. However, if you don't see device encryption in the Settings app, Microsoft says you're out of luck:

If Device encryption doesn't appear, it isn't available.

On my T480 running Windows 11, I found that all I needed to do to enable device encryption was to disable Thunderbolt in the BIOS.

If Device Encryption doesn't show up in the "Privacy & security" section of the Settings app, you can find out what's wrong by opening the System Information app as an administrator. The "Device Encryption Support" item (near the bottom of the Summary) will have a status message. If you're reading this, it's probably not "Meets prerequisites". Mine was "Reasons for failed automatic device encryption: Un-allowed DMA capable bus/device(s) detected".

For more details, you can open the Event Viewer to see which device is allowing direct memory access (DMA). For me, this was the Thunderbolt controller. When a Thunderbolt controller is present, Windows only allows device encryption if Kernel DMA Protection is supported. That doesn't appear to be the case on the T480: System Information shows Kernel DMA Protection as "Off" regardless of how the BIOS settings are toggled.

To resolve the issue, you can either manually add your non-compliant devices to an exception list, or you can simply disable Thunderbolt in the BIOS. Since I don't use any Thunderbolt devices, I went with this route. (Be sure to set a supervisor password on the BIOS to prevent the setting from being toggled.)
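As an added example (not part of the original post), the following PowerShell script, run from an elevated prompt, gathers in one place the information the steps above collect by hand: the protection state of each volume, any Thunderbolt controllers present, the recent BitLocker management events that mention DMA, and the contents of the DMA exception list. It assumes the exception list referred to above is the AllowedBuses registry key under DmaSecurity, and the PCI hardware ID shown in the comment is a placeholder, not the T480's real controller ID.

```powershell
# Added example, not from the original post. Run as administrator.
# Assumption: HKLM\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses is
# the "exception list" for DMA-capable buses; the PCI ID below is a placeholder.

# 1. Protection state of each encryptable volume
#    (ProtectionStatus: 0 = off, 1 = on, 2 = unknown).
Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -ClassName Win32_EncryptableVolume -ErrorAction SilentlyContinue |
    Select-Object DriveLetter, ProtectionStatus | Format-Table -AutoSize

# 2. Present PnP devices that look like Thunderbolt controllers. Friendly names
#    vary by vendor, so match loosely on the name.
Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.FriendlyName -match 'Thunderbolt' } |
    Select-Object FriendlyName, InstanceId, Status | Format-Table -AutoSize

# 3. Recent BitLocker management events mentioning DMA; this is the same log
#    the post reads in Event Viewer to find the offending device.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DMA' } |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Buses already on the exception list. Each value under the key describes
#    one device: the value name is a label, the value data is a PCI hardware ID.
$allowedBuses = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
if (Test-Path $allowedBuses) {
    (Get-ItemProperty -Path $allowedBuses).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop provider metadata
        Select-Object Name, Value | Format-Table -AutoSize
} else {
    'No AllowedBuses exception list is configured.'
}

# To take the exception-list route instead of disabling Thunderbolt, an entry
# would be added like this (placeholder ID; use the one from the event above):
# New-ItemProperty -Path $allowedBuses -Name 'Thunderbolt controller' `
#     -PropertyType String -Value 'PCI\VEN_XXXX&DEV_XXXX'
```

Step 4 is worth reviewing periodically even after encryption is enabled: every entry under AllowedBuses tells Windows to trust DMA from that bus without Kernel DMA Protection, so the list should stay empty unless a specific device has been deliberately accepted.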