Windows 11 24H2 will enable BitLocker encryption for everyone — happens on both clean installs and reinstalls

News
By
published

You can still manually disable encryption if desired.

Microsoft teases Windows 11's launch date
(Image credit: Microsoft)

Microsoft already enables BitLocker by default in Windows 11 23H2, but starting with Windows 11 24H2, Microsoft is apparently implementing a new setup process that automatically activates BitLocker encryption during reinstallation (as reported by Deskmodder.de). The new encryption process not only affects Windows 11 Pro users but also impacts Windows 11 Home users.

The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won't be affected.

Regardless, any Windows 11 version that has BitLocker functionality will now automatically have that activated/reactivated during reinstallations starting with 24H2. This behavior applies to clean installs of Windows 11 24H2 and system upgrades to version 24H2. Systems that upgrade to Windows 11 24H2 automatically have the Device Encryption flag turned on, but it only takes effect (for some reason) once Windows 11 24H2 is reinstalled on the machine. Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.

To be clear, BitLocker encryption isn't bad — it's good to have for mission-critical devices to secure valuable information. However, data loss is a real concern for users who are unaware that drive encryption has been enabled during reinstallation. If anything storage-related goes wrong with a machine that has BitLocker turned on, users can lose all access to their drive contents due to encryption.

Microsoft virtually requires you to backup your BitLocker encryption key, for users that manually enable BitLocker in Windows 11/10 Pro, to make sure this type of situation doesn't occur. But should you forget about the backup, or lose it, you could lose access to your data.

On top of this, BitLocker has been proven to impact system performance, particularly SSD performance. We tested BitLocker encryption last year and discovered SSD performance can drop by up to 45% depending on the workload. Even worse, if you are using the software form of BitLocker, all the encryption and decryption tasks get loaded onto the CPU, which can potentially reduce system performance as well. (Modern CPUs do have hardware-accelerated AES encryption/decryption, but there's still a performance penalty attached.)

The good news is that disabling BitLocker encryption during a reinstallation isn't difficult. The easiest method is to create a bootable ISO through Rufus USB, which has the ability to disable Windows 11 24H2's drive encryption. Another method is to disable automatic encryption right from the installation wizard, which can be done by opening the Registry through the command prompt (Shift + F10) and changing the BitLocker "PreventDeviceEncryption" key to 1.

Aaron Klotz
Aaron Klotz
Freelance News Writer

Aaron Klotz is a freelance writer for Tom’s Hardware US, covering news topics related to computer hardware such as CPUs, and graphics cards.

29 Comments Comment from the forums
  • -Fran-
    Such a risky and important setting should not be turned on by default; I hope Microsoft does the usual "are you sure? are you absolutely sure? really really sure?" trio of questions for this instead. Specially when there's risk of data loss (very real and tangible one) if something does go wrong with the keys.

    I hope this is not a "don't you guys have Phones Internet?" and push for online backups instead to upsell OneDrive or whatever they call it now. Nowadays, even the more asinine and tinfoil hat takes, are feasible >_<

    Regards.
    Reply
  • hotaru251
    ....isn't this the encryption that if you lose key & end up haivng to fix issue you basically can no longer recover that stuff if you forget key?

    that can't POSSIBLY backfire for ppl not in the know...
    Reply
  • Makaveli
    I agree if I was on Win 11 Pro I would be disabling it. I've seen how much trouble bit-locker can be when in a corp environment and you need to recover data etc.
    Reply
  • Aurn
    That’s really bad, I don’t want to use BitLocker. I’m a little confused : when I update from 23H2 to 24H2 (Pro version with local account), it won’t automatically turn BitLocker on until I reinstall Windows? (I will use Rufus anyway if I need to reinstall completely.). If not, how do you prevent BitLocker from turning on when upgrading to 24H2?
    Reply
  • Alvar "Miles" Udell
    Microsoft virtually requires you to backup your BitLocker encryption key, for users that manually enable BitLocker in Windows 11/10 Pro, to make sure this type of situation doesn't occur. But should you forget about the backup, or lose it, you could lose access to your data.

    That's why the "Backup key to Microsoft Account" option exists. You know, the thing -everyone- should use but so many whine and complain they have to despite having to use a Google or Apple account on their phones, and a host of other accounts with other services they use...
    Reply
  • -Fran-
    Alvar Miles Udell said:
    That's why the "Backup key to Microsoft Account" option exists. You know, the thing -everyone- should use but so many whine and complain they have to despite having to use a Google or Apple account on their phones, and a host of other accounts with other services they use...
    Read what you just said here: you're willingly giving Microsoft the Key to your data (in a literal sense, even).

    Read that again, very slowly.

    Now just accept there's plenty people that is not ok with that, me included.

    Regards.
    Reply
  • USAFRet
    -Fran- said:
    Read what you just said here: you're willingly giving Microsoft the Key to your data (in a literal sense, even).

    Read that again, very slowly.

    Now just accept there's plenty people that is not ok with that, me included.

    Regards.
    What makes you think that is not already the case, with regular Windows Updates?
    Or any other OS?
    In the course of a standard Update, the drive and data are already "unlocked".
    Reply
  • Alvar "Miles" Udell
    -Fran- said:
    Read what you just said here: you're willingly giving Microsoft the Key to your data (in a literal sense, even).

    Read that again, very slowly.

    Now just accept there's plenty people that is not ok with that, me included.

    Regards.

    Now all someone from Microsoft would need is both your recovery key, which is no doubt stored in hashed form and inaccessible by employees, AND physical access to the hard drive in question! The chances of that happening have to be, what, one in...infinity - 1!

    And like USAFRet said, once you plug a Bitlocker encrypted drive into the computer it was locked on and input the password (if external) or just turn on the computer (if internal), it's unlocked for full access, if someone had backdoor access to your machine, or has your login credentials or access card/key, Bitlocker is useless. It's really only there to protect a drive against being stolen and used in another machine.
    Reply
  • 35below0
    Aurn said:
    That’s really bad, I don’t want to use BitLocker. I’m a little confused : when I update from 23H2 to 24H2 (Pro version with local account), it won’t automatically turn BitLocker on until I reinstall Windows? (I will use Rufus anyway if I need to reinstall completely.). If not, how do you prevent BitLocker from turning on when upgrading to 24H2?
    You disable it in options.

    From the article sub headline:
    You can still manually disable encryption if desired.Thanks for not including this in the headline. No chance it will stress people out.
    Also in the article:
    "The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won't be affected.

    Regardless, any Windows 11 version that has BitLocker functionality will now automatically have that activated/reactivated during reinstallations starting with 24H2. This behavior applies to clean installs of Windows 11 24H2 and system upgrades to version 24H2. Systems that upgrade to Windows 11 24H2 automatically have the Device Encryption flag turned on, but it only takes effect (for some reason) once Windows 11 24H2 is reinstalled on the machine. Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.    "

    So it's likely any custom built PCs will be unaffected.
    Upgrades to 1124H2 will have the Device Encryption flag turned on, but drives will not be encrypted unless 1124H2 is reinstalled ???? ok , this i don't get.
    All drives will be encrypted. Presumably before the user has a chance to stop or confirm it. But we don't know.

    Ultimately, it can be switched off.


    One more thing. I don't think i have bitlocker installed anywhere on 1123H2. I may have uninstalled it.
    No idea whether it will be reinstalled, probably yes.
    But it will be uninstalled if that ever happens. For now, i don't want to stress over it.
    Reply
  • salgado18
    No, no, no. Full drive encryption should only ever be enabled by the user's request, ESPECIALLY on the Pro edition. At most, the instalation should ask if it should enable BitLocker, explain the benefits and risks, and obey the user's choice.

    What's next, they'll force the user to create an online account, with all the terms, conditions and requirements that come with those, just to install an operating system in a computer? Serve ads on a paid product? Install all of Microsoft's free bloatware automatically with Windows, including those that change the location of basic folders and become a hassle to revert back (looking at you, One Drive)?

    Seriously, Microsoft is way out of limits here.
    Reply