Windows 11 24H2: Microsoft Enforces Device Encryption by Default
The device encryption feature in Windows 10/11 was originally an optional function, with some OEMs enabling it on laptops and other devices to enhance security. Device encryption is based on Microsoft’s BitLocker encryption technology.
Although enabling device encryption can impact hard drive performance, Microsoft, prioritizing security, is now preparing to enable device encryption by default. To facilitate this, Microsoft has lowered the hardware requirements, allowing more devices to support this feature.
Starting with the Windows 11 24H2 update, set to be released in October, device encryption will be enabled by default during the initial system setup when users perform a fresh installation and sign in and set up the device with a Microsoft account or a work or school account.
To broaden the scope of devices that can utilize encryption, Microsoft has relaxed the requirements. For instance, Windows 11 Home Edition will now automatically enable device encryption without requiring the Hardware Security Test Interface (HSTI) or Modern Standby. Even if an untrusted Direct Memory Access (DMA) bus/interface is detected, encryption will still be activated.
When device encryption is enabled, the BitLocker recovery key will be automatically saved to the user’s Microsoft account. However, if a local account is being used, Microsoft will prompt the user to back up the recovery key, with options to print it or save it to a USB drive.
In the future, if any issues arise with the device or if the user forgets the decryption key, the BitLocker recovery key will be required. Users can retrieve the key directly from their Microsoft account center and manually enter it to unlock the device.
Will encryption be enabled when upgrading from an older version? No, at least for now: Microsoft has said that encryption will only be enabled by default during a fresh installation. After upgrading, however, users can manually enable device encryption, which will help enhance security.
Enabling encryption does significantly impact performance, particularly on solid-state drives. Microsoft has not addressed this issue, likely considering that the slight performance sacrifice is acceptable in exchange for enhanced security.
If your device didn’t automatically enable Device Encryption, here are the steps to enable it:
- Sign in to Windows with an administrator account
- In the Settings app on your Windows device, select Privacy & security > Device encryption. Note: If Device encryption doesn’t appear, it’s either unavailable on your device, or you might be signed in with a standard user account.
- Use the toggle button to turn Device Encryption On
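Because a volume that is encrypted but has protection suspended offers no protection, and because the recovery key is the only way back into a locked device, an administrator will want to verify both the encryption state and the presence of a backed-up recovery password after following the steps above. The following PowerShell script is an added example written for this article, not Microsoft's own tooling; it uses the standard `Get-BitLockerVolume` cmdlet from the BitLocker module (available in an elevated session on editions that ship it) and writes the recovery password to a removable drive, mirroring the "save to a USB drive" option the article mentions. The drive letter `D:` and file name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit the Device Encryption / BitLocker
# state of the system drive and back up its recovery password to removable media.
# Assumptions: an elevated session, the BitLocker module present, and a
# removable drive mounted as D: (change $BackupPath to suit).

$BackupPath = "D:\bitlocker-recovery-C.txt"   # assumed USB drive letter and file name

$vol = Get-BitLockerVolume -MountPoint "C:"

"Volume status     : $($vol.VolumeStatus)"
"Protection status : $($vol.ProtectionStatus)"
"Encryption method : $($vol.EncryptionMethod)"
"Encrypted         : $($vol.EncryptionPercentage)%"

# A drive only counts as protected when ProtectionStatus is On. FullyEncrypted
# with ProtectionStatus Off means BitLocker is suspended and the volume key is
# exposed in the clear, so treat that combination as unprotected.
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "Device encryption is not active on C:. Enable it under Settings > Privacy & security > Device encryption."
}

# Device encryption creates a TPM protector for normal boot and a
# RecoveryPassword protector (the 48-digit recovery key) for recovery.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    Write-Warning "No recovery password protector found on C:; the drive cannot be recovered if the TPM unlock fails."
    return
}

foreach ($p in $recovery) {
    "Recovery key ID : $($p.KeyProtectorId)"
    "Recovery key    : $($p.RecoveryPassword)"
}

# Persist the key to the removable drive. Keep this file off the encrypted
# disk itself; a key stored only on the volume it unlocks is useless in recovery.
$recovery | ForEach-Object {
    "BitLocker recovery key for C: (protector $($_.KeyProtectorId))`r`n$($_.RecoveryPassword)`r`n"
} | Set-Content -Path $BackupPath -Encoding UTF8

"Recovery key written to $BackupPath"
```

Run the script after turning the toggle on; encryption continues in the background, so `EncryptionPercentage` may be below 100 for a while, but the recovery password protector exists from the start and can be backed up immediately. On a device set up with a Microsoft account the same key is also escrowed to the account, as the article describes, so the local copy is a second line of defence rather than the only one.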