Microsoft is introducing a new version of BitLocker in Windows 11 that focuses on better performance and stronger security.
The update brings hardware acceleration to BitLocker, allowing encryption tasks to be handled more efficiently by modern processors and system hardware.
With hardware-accelerated BitLocker, encryption operations are offloaded to special components inside the system-on-a-chip. These components include hardware security modules and trusted execution environments that are designed to handle cryptographic tasks securely and efficiently. This reduces the workload on the CPU and helps the system run more smoothly overall.
On supported devices with NVMe drives and compatible processors, BitLocker will now use hardware acceleration with the XTS-AES-256 encryption algorithm by default. This applies whether BitLocker is enabled automatically, turned on manually, activated through company policies, or enabled using scripts, with a few specific exceptions.

Microsoft’s testing shows a clear improvement. Hardware-accelerated BitLocker used about 70 percent fewer CPU cycles per input and output operation compared to the software-based version. While actual performance gains depend on the hardware, users can expect lower CPU usage and better responsiveness, especially during demanding tasks.
Security also benefits from this change. Encryption keys are better protected because they stay within secure hardware instead of being exposed to system memory or CPU processes. This reduces the risk of certain cyberattacks and strengthens protection alongside the TPM. Microsoft says this approach moves BitLocker closer to a future where encryption keys are no longer present in CPU or memory at all.
The new BitLocker experience is available starting with Windows 11 version 24H2, as long as the September updates are installed. It will also be included in Windows 11 version 25H2. Initial support is rolling out on Intel vPro systems using Intel Core Ultra Series 3 processors, also known as Panther Lake. Microsoft plans to add support for more processors and system-on-a-chip platforms over time.
Users who want to check whether their device is using hardware-accelerated BitLocker can open Command Prompt and run the command manage-bde -status. If supported, the encryption method will show that hardware acceleration is enabled.
Microsoft notes that BitLocker will still fall back to software-based encryption in some situations. This can happen if unsupported encryption algorithms are chosen, custom key sizes are set, certain enterprise policies are enforced, or if FIPS mode is enabled without certified hardware support.
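The manage-bde -status check described above can be scripted to report, per volume, whether BitLocker is on the hardware-accelerated path or has fallen back to software encryption. This is an added example, not code from Microsoft or from the original article. It assumes English-locale output and that an accelerated volume carries the word "hardware" in its Encryption Method value; the function name and the sample text are constructed for illustration.

```powershell
# Added example (not Microsoft's code): summarise "manage-bde -status" per volume.
# Assumption: a hardware-accelerated volume has the word "hardware" in its
# "Encryption Method" value; the article does not give the exact wording.
# manage-bde output is localized, so the labels matched here are English only.
function Get-BdeEncryptionMethod {
    param([string[]]$StatusLines)
    $volume = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Volume\s+(\S+)') {
            # Start of a new volume block, e.g. "Volume C: [Windows]"
            $volume = $Matches[1]
        }
        elseif ($volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]
            [pscustomobject]@{
                Volume              = $volume
                EncryptionMethod    = $method
                HardwareAccelerated = $method -match 'hardware'
                XtsAes256           = $method -match 'XTS-AES 256'
            }
        }
    }
}

# Constructed sample output (not captured from a real device): one volume on
# the accelerated path, one on software XTS-AES 128.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Size:                 475.70 GB
    Encryption Method:    XTS-AES 256 Hardware accelerated
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
'@ -split '\r?\n'

Get-BdeEncryptionMethod -StatusLines $sample | Format-Table -AutoSize

# On a real machine, from an elevated prompt:
# Get-BdeEncryptionMethod -StatusLines (manage-bde -status) | Format-Table -AutoSize
```

A volume that reports HardwareAccelerated as False on supported hardware is worth checking against the fallback conditions listed above, such as a policy-selected algorithm or key size, or FIPS mode.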





