[BitLocker](https://amzn.to/48RnCkc) has long been one of Windows’ most important security features. It encrypts your drives so that even if someone steals your laptop or removes the storage, your data stays unreadable. For years, though, it came with a trade-off. Strong encryption meant giving up some performance, especially on faster storage.
That balance is about to change.
Starting with clean installs of Windows 11 version 24H2, BitLocker encryption is enabled by default. While you can still turn it off, Microsoft’s latest announcement makes a strong case for leaving it on.
https://www.youtube.com/embed/lVqg079JgrA
Why BitLocker Started Falling Behind
According to Microsoft, BitLocker’s performance overhead historically stayed under 10%. That was fine when storage was slower, and CPUs had plenty of headroom.
Modern NVMe drives changed the equation.
As I/O speeds increased, the CPU became the limiting factor. BitLocker relies on the processor for its cryptographic operations, and with high-speed storage it cannot keep pace without consuming noticeable CPU time. Users feel that slowdown, especially during heavy disk activity, and they don’t like it.
The Shift to Hardware-Accelerated BitLocker
To fix this, Microsoft is introducing hardware-accelerated BitLocker. This new approach offloads much of the work from the CPU to specialised hardware inside the system.
This design focuses on two significant capabilities.
Crypto offloading
Instead of running encryption tasks on the main CPU, BitLocker shifts bulk cryptographic operations to a dedicated crypto engine built into the system-on-chip. The result is straightforward. The CPU is freed up for other tasks, disk performance improves, and battery life benefits because the processor isn’t being hammered by encryption work.
Hardware-protected keys
With proper SoC support, BitLocker’s bulk encryption keys can now be hardware-protected. This reduces their exposure to CPU and memory-based attacks. Combined with the already-supported Trusted Platform Module, which protects intermediate keys, Microsoft is moving toward a future where BitLocker keys never need to touch system memory.
The Performance Gains Are Hard to Ignore
Microsoft’s internal benchmarks show a dramatic gap between traditional software-based BitLocker and the new hardware-accelerated version. Across both sequential and random read-write workloads, hardware acceleration consistently wins.
On average, Microsoft reports around 70% fewer CPU cycles used when hardware acceleration is enabled. In practical terms, that makes BitLocker feel almost invisible, closer to running without encryption.
The numbers from CrystalDiskMark help illustrate why this matters. In SEQ1M Q1T1 testing, software BitLocker reached read speeds of about 1632 MB/s, while hardware-accelerated BitLocker hit 3746 MB/s on the same machine. Write speeds showed a similar jump, climbing from 1513 MB/s to 3530 MB/s.
That’s more than double the performance in some cases, and it clearly shows how removing the CPU bottleneck changes everything. Random read and write tests also saw significant gains.
What Hardware Is Supported First
Initial support is coming to upcoming Intel vPro systems powered by Intel Core Ultra Series 3 processors. Microsoft says this is only the start. As the technology matures, hardware-accelerated BitLocker will expand to all “capable” PCs.
This version of BitLocker uses the XTS-AES-256 encryption algorithm by default and requires Windows 11 version 24H2 or later. There are some scenarios where it won’t apply, such as certain storage or configuration setups. Microsoft has outlined those limitations in detail on its Tech Community blog.
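As an added check (this script is not from the article or from Microsoft), the PowerShell audit below reports whether each BitLocker volume on a machine is using the XTS-AES-256 default the article names, is fully encrypted with protection on, and, for the OS volume, is bound to the TPM; the 24H2 build number it compares against is an assumption, and it makes no attempt to detect hardware-accelerated mode, since the article gives no indicator for it.

```powershell
# Added example: audit BitLocker volumes against the defaults described above.
# Run from an elevated PowerShell session on Windows 11; uses the built-in
# BitLocker and TrustedPlatformModule cmdlets (Get-BitLockerVolume, Get-Tpm).

$expectedMethod = 'XtsAes256'   # default encryption method named in the article
$minBuild       = 26100         # assumption: Windows 11 24H2 corresponds to build 26100

# OS build check: the feature requires 24H2 or later.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$buildNote = if ($build -ge $minBuild) { '24H2 or later' } else { 'older than 24H2' }
Write-Host ("OS build {0} ({1})" -f $build, $buildNote)

# TPM check: the TPM protects BitLocker's intermediate keys.
$tpm = Get-Tpm
Write-Host ("TPM present: {0}, ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

$findings = foreach ($vol in Get-BitLockerVolume) {
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    $issues = @()
    if ($vol.ProtectionStatus -ne 'On') {
        $issues += "protection is $($vol.ProtectionStatus)"
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $issues += "volume status is $($vol.VolumeStatus)"
    }
    if ($vol.EncryptionMethod -ne $expectedMethod) {
        $issues += "method is $($vol.EncryptionMethod), expected $expectedMethod"
    }
    # Only the OS volume is expected to carry a TPM-based protector.
    if ($vol.VolumeType -eq 'OperatingSystem' -and $protectors -notmatch 'Tpm') {
        $issues += "no TPM-based key protector ($protectors)"
    }
    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Type       = $vol.VolumeType
        Method     = $vol.EncryptionMethod
        Protection = $vol.ProtectionStatus
        Protectors = $protectors
        Issues     = if ($issues) { $issues -join '; ' } else { 'OK' }
    }
}

$findings | Format-Table -AutoSize
```

A volume that reports an older method (for example Aes128 or XtsAes128) was encrypted before the current default applied; BitLocker cannot switch a volume's encryption method in place, so moving it to XTS-AES-256 means decrypting and re-encrypting it.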
Why This Matters for Everyday Users
For a long time, BitLocker was something power users and IT departments enabled with caution. It was secure, but you paid for it with speed. Hardware-accelerated BitLocker changes that equation.
With encryption becoming the default in Windows 11 and performance penalties shrinking to near-zero on supported hardware, the old argument against full-disk encryption is losing ground. Better security, faster storage performance, and improved battery life are a rare combination, but that’s precisely what Microsoft is aiming for here.
If this rollout goes as planned, leaving BitLocker enabled may soon be the easiest decision Windows users ever make.