On the 8th of May I received a new 128GB SSD and 4GB RAM Surface 3, one day after it was released in the UK. I bought the device because sources said it has inbuilt encryption though details were sketchy.
An excellent device along with the keyboard cover. Encryption is by default turned on unlike Windows 8.1 Pro where it requires a manual setup. To complete encryption you have to enter your Microsoft account details.
By continuing the recovery key is uploaded to the Microsoft cloud and you cannot fully enable encryption without doing it.
By giving Microsoft the keys they could decrypt the device or if a government agency subpoenaed do the same.
Good on them for enabling default encryption. How about a non-cloud backup option Microsoft?
In the end I decrypted the drive and used a licensed 3rd party product.