KEY TAKEAWAYS
Applying BitLocker Auto-Encryption During Windows 11 Reinstallation: Microsoft will activate a new setup process that automatically enables BitLocker encryption starting from the Windows 11 24H2 update.
Impact on Windows 11 Pro and Home Users: This feature affects both Windows 11 Pro and Home users, but BitLocker encryption is only automatically applied through device manufacturers for Windows 11 Home.
Data Loss Risk if Backup Key is Not Saved: Losing the BitLocker encryption key can result in complete data loss, especially if users are unaware that encryption has been activated.
Impact on System Performance: BitLocker can reduce SSD performance, particularly when using software BitLocker instead of hardware BitLocker.
Cannot Disable BitLocker During Installation: Windows 11 checks hardware requirements such as TPM chips and UEFI, not allowing BitLocker to be disabled. However, there are workarounds using Rufus or editing the Registry.
Microsoft already enables BitLocker by default in Windows 11 23H2, but starting with Windows 11 24H2, Microsoft is apparently implementing a new setup process that automatically activates BitLocker encryption during reinstallation (as reported by Deskmodder.de). The new encryption process not only affects Windows 11 Pro users but also impacts Windows 11 Home users.
The caveat with Windows 11 Home is that BitLocker encryption is only applied through the device manufacturer, and only if the manufacturer enables the encryption flag in the UEFI. So, DIY PCs running Windows 11 Home probably won’t be affected.
Regardless, any Windows 11 version that has BitLocker functionality will now automatically have that activated/reactivated during reinstallations starting with 24H2. This behavior applies to clean installs of Windows 11 24H2 and system upgrades to version 24H2. Systems that upgrade to Windows 11 24H2 automatically have the Device Encryption flag turned on, but it only takes effect (for some reason) once Windows 11 24H2 is reinstalled on the machine. Not only is the C: drive encrypted, but all other drives connected to the machine will be encrypted as well during reinstallation.
To be clear, BitLocker encryption isn’t bad — it’s good to have for mission-critical devices to secure valuable information. However, data loss is a real concern for users who are unaware that drive encryption has been enabled during reinstallation. If anything storage-related goes wrong with a machine that has BitLocker turned on, users can lose all access to their drive contents due to encryption.
Microsoft virtually requires you to backup your BitLocker encryption key, for users that manually enable BitLocker in Windows 11/10 Pro, to make sure this type of situation doesn’t occur. But should you forget about the backup, or lose it, you could lose access to your data.
On top of this, BitLocker has been proven to impact system performance, particularly SSD performance. We tested BitLocker encryption last year and discovered SSD performance can drop by up to 45% depending on the workload. Even worse, if you are using the software form of BitLocker, all the encryption and decryption tasks get loaded onto the CPU, which can potentially reduce system performance as well. (Modern CPUs do have hardware-accelerated AES encryption/decryption, but there’s still a performance penalty attached.)
The good news is that disabling BitLocker encryption during a reinstallation isn’t difficult. The easiest method is to create a bootable ISO through Rufus USB, which has the ability to disable Windows 11 24H2’s drive encryption. Another method is to disable automatic encryption right from the installation wizard, which can be done by opening the Registry through the command prompt (Shift + F10) and changing the BitLocker “PreventDeviceEncryption” key to 1.