Microsoft Confirms Default Enablement of BitLocker Device Encryption for Enhanced Security in Windows 11 24H2 Release
Device encryption on Windows 10/11, which is BitLocker under a simplified, consumer-facing name, has until now been an optional feature that some OEMs switched on in laptops and other devices that met Microsoft's hardware bar. Despite the possible cost to disk throughput, Microsoft has decided to make it the default and to lower the hardware requirements so that more devices qualify.
Scheduled for release in October, the Windows 11 24H2 update will automatically enable device encryption on a fresh installation as soon as the user signs in for the first time with a Microsoft, work, or school account.
To widen availability, Microsoft has relaxed the prerequisites. Windows 11 Home, for example, will now enable device encryption without requiring a Hardware Security Testability Interface (HSTI) or Modern Standby support, and even when untrusted Direct Memory Access (DMA) buses or interfaces are detected. Unlock is still tied to the device's TPM. The relaxed DMA check is worth understanding: on a machine without Kernel DMA Protection, an attacker with physical access to an untrusted DMA-capable port (an external PCIe or Thunderbolt port, for instance) can read system memory, including the volume encryption key, while the machine is running or asleep. BitLocker protects data at rest, so such a device is safer powered off than left in sleep.
Upon activation, the BitLocker recovery key is automatically saved to the user's Microsoft account (work or school accounts escrow it to the organization's Microsoft Entra ID tenant instead). For local accounts, Windows prompts the user to back up the recovery key, suggesting it be printed or saved to a USB drive.
With TPM-only unlock there is no key for the user to remember day to day; the recovery key is needed when the TPM refuses to release the volume key because the measured boot environment changed (a firmware update, a changed boot order, a motherboard swap) or the drive is moved to another PC. In that case Windows asks for the 48-digit recovery password, which can be looked up at https://account.microsoft.com/devices/recoverykey, matched to the device by the key ID shown on the recovery screen, and typed in to unlock the drive.
What about upgrades from older versions? For now, Microsoft has said the default applies only to fresh installations. Users who upgrade in place can still opt in manually (this was already possible, though not every device supports it) and gain the same protection.
Microsoft has not quantified the performance cost, particularly on fast solid-state drives, which suggests it regards the security benefit as worth the trade-off. Device encryption uses software XTS-AES-128 by default; the AES instructions in modern CPUs keep the overhead small for most workloads, though on very fast NVMe drives it can be measurable.
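For an upgraded device that wants the same protection a fresh 24H2 install gets, the manual opt-in can be scripted. The following is an added example, not code from the article or from Microsoft: it enables BitLocker on the OS volume with TPM-only unlock plus a numerical recovery password, and writes the recovery password out before any sector is encrypted, which is the local-account equivalent of the Microsoft-account escrow. It assumes the standard BitLocker and TrustedPlatformModule PowerShell modules, a ready TPM, and an assumed backup location `$BackupPath` on a removable drive.

```powershell
#Requires -RunAsAdministrator
# Added example: manual opt-in to OS-volume encryption on an upgraded device.
# $BackupPath is an assumed location; point it at a removable drive, never the
# volume being encrypted.
param(
    [string]$MountPoint = $env:SystemDrive,
    [string]$BackupPath = "D:\BitLocker-RecoveryKey.txt"
)

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; TPM-only unlock is not possible on this device."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "Volume $MountPoint is already $($vol.VolumeStatus); nothing to do."
    return
}

# 1. Add the recovery password protector first so a usable recovery key exists
#    before encryption starts.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 2. Persist it off-device. The key ID is what the recovery screen and the
#    Microsoft account key page display, so record it next to the password.
@(
    "BitLocker recovery key for $env:COMPUTERNAME ($MountPoint)"
    "Key ID : $($rp.KeyProtectorId)"
    "Key    : $($rp.RecoveryPassword)"
) | Set-Content -Path $BackupPath -Encoding ASCII
Write-Host "Recovery password written to $BackupPath; keep it off this machine."

# 3. Add the TPM protector and start encrypting. XtsAes128 is the Windows 11
#    device encryption default. -UsedSpaceOnly is deliberately omitted: on a
#    drive that has been in use, free space still holds previously deleted
#    plaintext, so encrypt the whole volume.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes128 `
    -TpmProtector -SkipHardwareTest

Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage, ProtectionStatus
```

Encryption runs in the background after the script returns; `Get-BitLockerVolume` reports `EncryptionInProgress` and the percentage until it reaches `FullyEncrypted`. The `-SkipHardwareTest` switch avoids the reboot-and-test cycle; leave it off the first time on hardware whose TPM unlock has never been exercised.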
The device encryption option lives under Settings, Privacy & security, Device encryption on Windows 10/11. If the option is not shown, the device does not meet the requirements; System Information (msinfo32) lists the specific reasons in its "Device Encryption Support" row.
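The Settings page only says on or off. The following added example, not code from the article, audits the same posture from an elevated PowerShell prompt: whether the TPM is usable, whether automatic device encryption has been suppressed through the documented `PreventDeviceEncryption` registry value, what state the OS volume is in, and whether a recovery password protector exists alongside the TPM protector. It uses only the standard `Get-Tpm`, `Get-BitLockerVolume` and `Get-ItemProperty` cmdlets; the function name is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: report one machine's device-encryption posture.
function Get-DeviceEncryptionPosture {
    param([string]$MountPoint = $env:SystemDrive)

    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # PreventDeviceEncryption = 1 is the switch OEMs and admins set to stop
    # Windows from enabling device encryption automatically.
    $prevent = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker' `
                -Name PreventDeviceEncryption -ErrorAction SilentlyContinue).PreventDeviceEncryption

    $vol     = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmProt = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    $rpProt  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        TpmReady              = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        AutoEncryptionBlocked = ($prevent -eq 1)
        VolumeStatus          = $vol.VolumeStatus
        ProtectionStatus      = $vol.ProtectionStatus   # Off means the key is exposed (suspended or decrypted)
        EncryptionMethod      = $vol.EncryptionMethod
        PercentEncrypted      = $vol.EncryptionPercentage
        TpmUnlock             = [bool]$tpmProt
        RecoveryPasswordIds   = @($rpProt.KeyProtectorId)
    }
}

$p = Get-DeviceEncryptionPosture
$p | Format-List

# The findings that matter in practice:
if ($p.VolumeStatus -ne 'FullyEncrypted' -or $p.ProtectionStatus -ne 'On') {
    Write-Warning "OS volume is not fully protected (status $($p.VolumeStatus), protection $($p.ProtectionStatus))."
}
if ($p.TpmUnlock -and -not $p.RecoveryPasswordIds) {
    Write-Warning "TPM-only unlock with no recovery password: a firmware update or hardware change could lock you out."
}
if ($p.AutoEncryptionBlocked) {
    Write-Warning "PreventDeviceEncryption is set; 24H2 will not enable device encryption automatically here."
}
```

The `RecoveryPasswordIds` values are the same key IDs listed on the Microsoft account recovery key page and on the BitLocker recovery screen, so comparing them is the quickest way to confirm the escrowed key actually belongs to this volume. A `ProtectionStatus` of `Off` on a `FullyEncrypted` volume means BitLocker has been suspended and the volume key is stored in the clear on disk, which is the state to look for after a botched firmware update or an unfinished upgrade.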