Microsoft is set to make BitLocker device encryption a default feature in its upcoming Windows 11 24H2 update.

When users perform a clean installation of this new version, which is expected to roll out in the coming months, device encryption will automatically be enabled upon the first sign-in or setup using a Microsoft account or a work/school account.

BitLocker device encryption is a security feature that protects Windows devices by automatically encrypting the Windows installation drive, so data remains protected even if the device is lost or stolen. The recovery key is securely backed up to the user’s Microsoft account or Entra ID.

With the 24H2 version of Windows 11, Microsoft is lowering the hardware requirements for automatic device encryption. This change makes the feature available on a wider range of devices, including those running the Home version of Windows 11. Unlike previous versions, device encryption will no longer require the Hardware Security Test Interface (HSTI) or Modern Standby. Additionally, encryption will still be enabled even if the system detects untrusted direct memory access (DMA) buses or interfaces.

The new update, which will come preinstalled on Microsoft’s Copilot Plus PCs, is expected to be available on existing devices by late September. For those who upgrade to the 24H2 version without performing a clean install, BitLocker device encryption will not be automatically enabled, although it can still be activated manually.

However, users should be aware that enabling BitLocker by default could affect SSD performance. Previous tests have shown that the software-based version of BitLocker may slow down drives by up to 45 percent. Despite inquiries, Microsoft has only confirmed its plans to enable device encryption by default through support documents, without addressing potential performance impacts.

Users who prefer to avoid automatic device encryption can do so by using a local account during the initial setup of Windows 11 version 24H2. While the system will prompt users to sign in with a Microsoft account to complete the encryption process, it is possible to manually enable or disable BitLocker through the BitLocker Control Panel or the privacy and security settings in Windows 11.
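One way to check where a machine stands after a 24H2 clean install or in-place upgrade, as an added example that is not from Microsoft or the original article. It reads the built-in `Get-BitLockerVolume` cmdlet from an elevated PowerShell session; the function name, the state labels and the constructed sample object are assumptions made for illustration.

```powershell
# Added example: classify the BitLocker state of the Windows installation drive.
# Get-BitLockerVolume needs an elevated (administrator) PowerShell session.

function Get-OsVolumeEncryptionState {
    param(
        # Any object exposing the Get-BitLockerVolume property names, so the
        # logic also works on constructed input, not only on a live volume.
        [Parameter(Mandatory)] $Volume
    )

    # Names of the key protectors present (Tpm, RecoveryPassword, ...).
    $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) |
        Where-Object { $_ }
    $hasRecovery = @($types) -contains 'RecoveryPassword'

    $state =
        if ("$($Volume.VolumeStatus)" -eq 'FullyDecrypted') {
            'NotEncrypted'                 # e.g. upgraded without a clean install
        } elseif ("$($Volume.ProtectionStatus)" -ne 'On') {
            'EncryptedButProtectionOff'    # data encrypted, volume key not yet protected
        } elseif (-not $hasRecovery) {
            'ProtectedNoRecoveryPassword'  # no recovery password exists to back up
        } else {
            'Protected'
        }

    [pscustomobject]@{
        MountPoint       = $Volume.MountPoint
        State            = $state
        VolumeStatus     = "$($Volume.VolumeStatus)"
        EncryptionMethod = "$($Volume.EncryptionMethod)"
        KeyProtectors    = @($types) -join ', '
    }
}

# Constructed sample: a drive that was encrypted during setup with a local account.
$sample = [pscustomobject]@{
    MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'
    EncryptionMethod = 'XtsAes128'; KeyProtector = @()
}
Get-OsVolumeEncryptionState -Volume $sample    # State: EncryptedButProtectionOff

# Live check of the installation drive (elevated session only):
# Get-OsVolumeEncryptionState -Volume (Get-BitLockerVolume -MountPoint $env:SystemDrive)
```

A `Protected` result only shows that a recovery password exists on the device; confirm separately that the key is actually stored in the Microsoft account or Entra ID before relying on it for recovery.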

This move is part of Microsoft’s broader effort to enhance security in Windows 11, building on previous updates that introduced requirements for modern processors, Secure Boot, and TPM chips. These features, though sometimes controversial, have allowed Microsoft to implement stronger security measures, such as enabling virtualized Memory Integrity by default to protect systems from malicious attacks.