Since Windows Vista, the upper-tier editions of Windows have supported local disk encryption via a feature called BitLocker Drive Encryption. Like the FileVault feature in newer versions of OS X or the “encrypt device” feature on many Android phones and tablets, you usually need to enable BitLocker manually to take advantage of it. Once enabled, it protects the data on your device from being accessed by someone who walks away with it.

However, some mobile devices—including those running iOS, Windows Phone 8, and Windows RT—don’t require users to take device encryption into their own hands. These operating systems can all assume that the underlying hardware supports encryption, so they enable it by default in a way that’s entirely seamless and invisible to you as you use your phone or tablet day to day. Windows 8.1 finally brings this to x86 tablets and Ultrabooks in a feature Microsoft calls “device encryption.” While it has very specific hardware requirements, the feature is designed to improve local security for Windows users without them ever needing to know about it.

What it does

Windows 8.1’s new device encryption treats your x86-based Windows tablet or laptop more like an ARM-based tablet or smartphone. Rather than requiring a user or system administrator to enable it, your device’s boot partition comes encrypted out of the box. This encryption is essentially invisible during normal use—you pick up the tablet, log in, and use it just as you would an unencrypted PC. If someone were to steal the device from you, though, they wouldn’t be able to get at any of your information without your account password or your encryption key, which in this case is protected by your account password.

When you first fire up Windows 8.1 on a PC that supports the feature, head to the “PC Info” section in the device settings screen to check your encryption status. Computers with the necessary hardware features begin encrypting the drive immediately, but the master key needed to decrypt the drive isn’t protected. A user with administrator access will have to log in with a Microsoft account, at which point the device will generate a recovery key and upload it to Microsoft’s servers. This recovery key can then be accessed from another computer with your Microsoft account if you’re ever locked out of your system. Active Directory user accounts can also be used to store the key, provided your domain administrator has enabled the proper Group Policy settings.

This is a far cry from the standard BitLocker encryption process, which requires individuals to back up and store their own key manually and must be enabled by users themselves. However, with the exception of the part where your key is uploaded to Microsoft’s servers, the underlying technology is exactly the same as it is in BitLocker. Open up the Disk Management console and your system partition will be marked as “BitLocker Encrypted,” just as if you’d gone through the steps to enable the feature manually.

The nice thing about the automated device encryption (beyond the “automated” part) is that it extends to every edition of Windows 8.1, whereas BitLocker is a Pro- or Enterprise-tier feature in Windows 8 and an Ultimate- and Enterprise-tier feature in Windows 7 or Vista. OS X (to pick a prominent example) offers built-in disk encryption to all Macs via FileVault, and we’re glad to see the feature slowly trickling down to the consumer-oriented Windows editions.

What you need (or, your hardware probably doesn’t support this)

A year or two from now, this invisible-to-the-user, always-available encryption option will probably be on most new Windows laptops and tablets. For Windows 8 systems that are being sold right this very minute (and for Windows 8.1-compatible systems that have been sold for the last several years), stringent hardware and firmware requirements will usually prevent them from supporting it. Here are the hardware features the passive device encryption feature needs to work:

Support for the Secure Boot feature, which implies both UEFI support and 64-bit Windows.

A Trusted Platform Module (TPM). The feature requires TPM 2.0, and most current devices use TPM 1.2.

Hardware and firmware support for Windows’ Connected Standby feature. Connected Standby allows a sleeping system to wake up periodically and refresh certain data, like e-mail messages or calendar events. Your smartphone already does the same sort of thing. Note that Connected Standby is similar in concept to Intel’s Smart Connect Technology, but Smart Connect support does not imply Connected Standby support.

Connected Standby comes with its own set of hardware requirements, including a solid-state boot volume, NDIS 6.30 support for all network interfaces, and memory soldered to the motherboard. The system must also rely on passive cooling when in Connected Standby mode, even if it normally uses a fan.

As of this writing, there are very, very few systems out there that can tick all of these boxes. The Connected Standby feature is probably the most restrictive, since it requires support in the CPU silicon itself. Intel’s latest Haswell chips and its Clover Trail and Bay Trail Atom chips support Connected Standby (AMD chips with support are supposedly due in 2014), but older chips do not. Even the Haswell Ultrabooks we’ve installed Windows 8.1 on so far have lacked Connected Standby support, so even if you have a shiny new Haswell laptop, you may be waiting on your OEM to issue a firmware update before you can use the feature.

Connected Standby’s own set of hardware requirements also means that certain types of systems—any larger laptops or desktops with removable RAM, for example—are automatically disqualified. While we’d love to see the hardware requirements loosened to include all modern PCs, as of Windows 8.1 only the newest and most integrated of PCs are eligible to use it at all.
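
To see whether a particular machine meets the three prerequisites listed above, the PowerShell sketch below queries each one and then prints the BitLocker state of the system volume. It is an added example, not code from this article or from Microsoft; the function name is hypothetical, and the Connected Standby check assumes English-language `powercfg` output.

```powershell
# Added example (not from the article). Run elevated on Windows 8.1 or later.
# Test-DeviceEncryptionPrereqs is a hypothetical name chosen for this sketch.
function Test-DeviceEncryptionPrereqs {
    # 1. Secure Boot: the cmdlet throws on legacy-BIOS systems and returns
    #    $false when the firmware is UEFI but Secure Boot is switched off.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # 2. TPM: SpecVersion is a comma-separated string whose first field is
    #    the TCG specification version ("1.2" or "2.0").
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # 3. Connected Standby: read only the "available" half of powercfg /a.
    #    Assumption: English-language output; the state is labelled
    #    "Standby (Connected)" or "Standby (S0 Low Power Idle)" depending
    #    on the Windows version.
    $sleepStates = (powercfg /a | Out-String)
    $available   = ($sleepStates -split 'not available')[0]
    $connectedStandby = $available -match 'Standby \((Connected|S0 Low Power Idle)\)'

    [pscustomobject]@{
        SecureBoot       = $secureBoot
        TpmSpecVersion   = $tpmVersion
        Tpm20            = ($tpmVersion -eq '2.0')
        ConnectedStandby = $connectedStandby
        AllThreePresent  = ($secureBoot -and ($tpmVersion -eq '2.0') -and $connectedStandby)
    }
}

Test-DeviceEncryptionPrereqs | Format-List

# Current encryption and key-protector state of the system volume.
manage-bde -status $env:SystemDrive
```

A machine that reports a 1.2 TPM or no Connected Standby state falls into the group that still needs manually enabled BitLocker.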

BitLocker soldiers on

For the many systems that can’t support the new device encryption features, Windows 8.1 Pro and Enterprise still include the more traditional BitLocker drive encryption feature that has been a part of Windows since Vista. Its hardware requirements are much less onerous—it’s easiest to use if you have a TPM 1.2 module installed, but you can choose to use a USB key or a pre-boot passphrase to boot the system in PCs without TPMs. We’d only recommend the latter for tech-savvy users who value security more than convenience, but it’s still good to have the option in a pinch.

BitLocker remains an important option if you don’t want to deal with other strings attached to the new encryption features—if you’re not comfortable storing your encryption key on Microsoft’s servers via your Microsoft account, for example. BitLocker doesn’t dictate where or how you store your encryption key, making it a better choice for those who want full control over their system’s protection. If your system supports the feature and you’d like to opt out in favor of something you control, you can turn it off in the PC Info section in Windows 8.1’s settings. The automatic encryption is also opt-in if you upgrade to Windows 8.1 on a Windows 8 system that supports the feature.

Like many of the other changes in Windows 8.1, the new device encryption feature allows Windows tablets (specifically, x86 Windows tablets, in the wake of Windows RT’s disappearance from the OEMs’ lineups) to do things that other ARM tablets can already do. Tablets and Ultrabooks are easier to walk off with than larger equipment, so making automatic encryption available for those devices is only sensible.