Microsoft is taking significant strides in enhancing the security of its Windows 11 operating system with the upcoming version 24H2. This latest update will see BitLocker device encryption become a standard feature for users performing clean installations. Upon signing in or setting up a device with a Microsoft or work/school account, users will find that device encryption is automatically enabled.
Enhancements in Device Encryption
BitLocker encryption is designed to fortify the security of Windows machines by automatically encrypting the installation drive and securely backing up the recovery key to a Microsoft account or Entra ID. Notably, Microsoft has made strides to lower the hardware requirements for automatic device encryption, making it accessible to a broader range of devices, including those running the Home version of Windows 11. The new update eliminates the previous requirements for Hardware Security Test Interface (HSTI) and Modern Standby, allowing encryption to be activated even when untrusted direct memory access (DMA) buses or interfaces are detected.
The 24H2 update will come preinstalled on Microsoft’s new Copilot Plus PCs and is anticipated to be available for existing machines by late September. This means that users who opt for a clean installation of Windows 11 or purchase a new PC with the 24H2 version will benefit from default BitLocker device encryption. However, users upgrading from a previous version to 24H2 will not see this feature enabled automatically.
While the introduction of automatic device encryption marks a positive step towards improved security, it may also have implications for SSD performance on certain devices. Testing conducted by Tom’s Hardware last year indicated that the software version of BitLocker could potentially slow drive performance by as much as 45 percent. Despite multiple inquiries to Microsoft regarding the performance impacts of enabling BitLocker device encryption by default, the company has only confirmed its plans through support documents without addressing these concerns.
For users opting to set up their devices with a local account, automatic device encryption can be bypassed. During the initial setup of a new machine, users will be prompted to sign in with a Microsoft account to complete the encryption process. Nevertheless, BitLocker can still be manually activated through the BitLocker Control Panel for those using local accounts. Additionally, users have the option to disable device encryption via a toggle in the privacy and security section of Windows 11’s settings interface.
In its quest to bolster security within Windows 11, Microsoft has implemented several measures, including the requirement for modern processors, Secure Boot, and Trusted Platform Module (TPM) chips. These requirements, while met with some controversy, have enabled the company to activate its virtualized Memory Integrity feature by default, providing enhanced protection against malicious code.