Microsoft is enabling BitLocker device encryption by default on Windows 11

 



 Clean installs of Windows 11 version 24H2 now have BitLocker device encryption enabled.

Microsoft is making BitLocker device encryption a default feature in its next major update to Windows 11. If you clean install the 24H2 version that’s rolling out in the coming months, device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account.

Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows install drive and backing up the recovery key to a Microsoft account or Entra ID.

In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices — including ones running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted direct memory access (DMA) buses / interfaces are detected.

The new device encryption setting in Windows 11, version 24H2.
The new device encryption setting in Windows 11, version 24H2.
 Image: Microsoft

The latest Windows 11 version 24H2 update comes preinstalled on Microsoft’s range of Copilot Plus PCs and is expected to be available on existing machines in late September. That means if you clean install Windows 11 later this year or buy a new PC with 24H2 installed, BitLocker device encryption will be enabled by default. If you just upgrade to 24H2, Microsoft won’t enable device encryption automatically.

The feature could impact SSD performance on some devices. Tom’s Hardware tested this software version of BitLocker last year and found it could slow drives by up to 45 percent. We’ve asked Microsoft repeatedly since early May to comment on BitLocker device encryption being enabled by default, but the company has only confirmed its plans through support documents where there is no mention of any potential performance impacts.

Screenshot of Windows 11’s device encryption
You’ll need a Microsoft account to enable device encryption.
 Screenshot by Tom Warren / The Verge

You can avoid automatic device encryption if you’re using a local account on a clean Windows 11 version 24H2 install. When you first set up a new machine and log in with a local account, you’ll be prompted to sign in with a Microsoft account to finish encrypting the device. BitLocker can still be manually enabled using the BitLocker Control Panel on local accounts, though. You can also disable device encryption through a toggle in the privacy and security section of Windows 11’s settings interface.

Microsoft set out to improve security in Windows 11 in a meaningful way by requiring modern processors, Secure Boot, and TPM (Trusted Platform Module) chips. These requirements, while controversial, allowed Microsoft to also enable its virtualized Memory Integrity feature by default two years ago to better protect Windows 11 systems from malicious code.