Microsoft is enabling BitLocker device encryption by default in Windows 11

Microsoft is making BitLocker device encryption a standard feature in its next major update to Windows 11. If you do a clean install of version 24H2 that will be released in the coming months, device encryption will be enabled by default when you sign in or set up a device for the first time with a Microsoft account or work/school account.

Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows installation drive and backing up the recovery key to a Microsoft account or Entra ID.

In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices – including those running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted direct memory access (DMA) buses/interfaces are detected.

The latest Windows 11 version 24H2 update comes pre-installed on Microsoft’s Copilot Plus line of PCs and is expected to be available on existing machines in late September. This means that if you install Windows 11 later this year or buy a new PC with 24H2 installed, BitLocker device encryption will be enabled by default. If you upgrade to 24H2, Microsoft will not automatically turn on device encryption.

The feature may affect SSD performance on some devices. Tom’s Hardware tested this software release of BitLocker last year and found that it could slow drives by up to 45%. We’ve repeatedly asked Microsoft since early May for comment on BitLocker device encryption being enabled by default, but the company only confirmed its plans via supporting documents where there is no mention of any potential performance impacts.

You can prevent automatic device encryption if you are using a local account on a clean installation of Windows 11 version 24H2. When setting up a new machine for the first time and signing in with a local account, you will be prompted to sign in with a Microsoft account to complete device encryption. However, BitLocker can still be enabled manually using the BitLocker Control Panel on local accounts. You can also disable device encryption by toggling in the privacy and security section of the Windows 11 settings interface.