/
Clean installs of Windows 11 version 24H2 now have BitLocker device encryption enabled.
Share this story
:format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/25503643/DSCF7817_Enhanced_NR_2.jpg)
Microsoft is making BitLocker device encryption a default feature in its next major update to Windows 11. If you clean install the 24H2 version that’s rolling out in the coming months, device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account, or work / school account.
Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows install drive and backing up the recovery key to a Microsoft account or Entra ID.
In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices — including ones running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted Direct Memory Access (DMA) buses / interfaces are detected.
The latest Windows 11 version 24H2 update comes preinstalled on Microsoft’s range of Copilot Plus PCs, and is expected to be available on existing machines in late September. That means if you clean install Windows 11 later this year or buy a new PC with 24H2 installed then BitLocker device encryption will be enabled by default.
The feature could impact SSD performance on some devices. Tom’s Hardware tested this software version of BitLocker last year, and found it could slow drives by up to 45 percent. We’ve asked Microsoft repeatedly since early May to comment on BitLocker drive encryption being enabled by default, but the company has only confirmed its plans through support documents where there is no mention of any potential performance impacts.
:format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/25572122/deviceencryption.png)
You can avoid automatic device encryption if you’re using a local account on a clean Windows 11 version 24H2 install. When you first set up a new machine and log in with a local account you’ll be prompted to sign in with a Microsoft account to finish encrypting the device. BitLocker can still be manually enabled using the BitLocker Control Panel on local accounts, though.
Microsoft set out to improve security in Windows 11 in a meaningful way by requiring modern processors, Secure Boot, and TPM (Trusted Platform Module) chips. These requirements, while controversial, allowed Microsoft to also enable its virtualized Memory Integrity feature by default two years ago, to better protect Windows 11 systems from malicious code.