Like its predecessor Windows 10, Windows 11 comes with device encryption, which helps protect your data by restricting access to it. When you turn on encryption, only people who are authorized to access the data can do so.
How Does Device Encryption Work?
Put simply, Device Encryption prevents access to the data stored on a drive even if someone removes the drive from your PC and installs it in another system. Reading the data requires a decryption key; without it, the contents of the drive will not make any sense to them.
Device Encryption relies on BitLocker to encrypt files, which means you need to save your BitLocker key to a USB drive or Microsoft account. You will not be able to access your data if the key is misplaced.
When you reinstall or reset the OS, Windows will ask for the BitLocker recovery key. By default, device encryption is not turned on when you first install Windows 11. However, that's about to change soon.
Microsoft will reportedly enable Device Encryption by default on the Pro and Home editions of Windows 11 when it releases version 24H2 in the second half of the year. In addition, automatic Device Encryption will be enabled when users set up their PC after resetting it.
The company has already enabled Device Encryption in Windows 11 24H2 RTM preview builds and has adjusted the requirements to ensure it is enabled by default when doing a fresh install of Windows.
However, we would like to highlight here that encryption is enabled by default only when doing a fresh install of Windows 11 version 24H2. If you're just upgrading from an older version, it will not be enabled by default.
Encryption On Windows 11 Home PCs
Unlike machines running on Windows 11 Pro, Windows 11 Home computers will be encrypted by manufacturers. Manufacturers will need to enable the BitLocker encryption flag in the UEFI for this purpose. This means custom-built PCs will not be affected.
That said, if a computer has BitLocker functionality, a fresh install or reinstall will enable encryption with version 24H2. As with PCs on Windows 11 Pro, the C drive, which contains system files, as well as other drives will be encrypted.
Concerns Regarding BitLocker Encryption
From a safety perspective, encryption offers an added layer of security to your data and prevents unauthorized access, which can be quite advantageous. However, a major concern is the possibility of data loss. If you reinstall Windows and encryption is enabled by default without your knowledge, you may not be able to access your files.
Microsoft requires users to back up their BitLocker encryption key, but there is always the chance you may forget to do so or lose the key. Alternatively, you may lose access to the Microsoft account where the key is backed up. Since this key is also not accessible to Microsoft, it won't be able to help you out in such a situation.
Another concern is that BitLocker encryption can impact system performance, especially on systems with an SSD. SSD performance can drop by up to 45%, and using BitLocker software causes all encryption and decryption tasks to be performed by the CPU, further affecting performance.
Avoiding BitLocker Encryption When Reinstalling Windows
For BitLocker to be enabled, your system should meet certain hardware requirements, such as having UEFI and a TPM 1.2 or newer chip. Windows 11 checks for these requirements during installation, so if your machine supports the OS, it will have BitLocker enabled by default when you install or reinstall Windows.
Fortunately, there are ways to circumvent encryption. The easiest is to use Rufus, a tool that creates bootable Windows ISOs. It can disable version 24H2's encryption while creating the installation image.
Another option is to use the Registry Editor to disable automatic encryption.
- To do so, open the command prompt during installation by pressing the Shift + F10 shortcut.
- Type regedit in the command prompt window and press the 'Enter' key to open the Registry Editor.
- Navigate to the following address in the Registry Editor: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
- On the right side, right-click and click on New > DWORD (32-bit) Value.
- Name the value 'PreventDeviceEncryption' and double-click on it. In the value field, enter 1 and then click on the 'OK' button. Close the Registry Editor.
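Once Windows is installed, it is worth confirming what actually happened: whether the PreventDeviceEncryption value is set, and whether any encrypted volume lacks a recovery password protector (the data loss concern described earlier). The script below is an added example, not part of the original article or any Microsoft tooling; it assumes an elevated PowerShell session and that the BitLocker module providing Get-BitLockerVolume is present on the system.

```powershell
#Requires -RunAsAdministrator
# Added example: audit device-encryption state on an installed Windows 11 system.
# Assumption: the BitLocker PowerShell module (Get-BitLockerVolume) is available.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'

# 1. Is the PreventDeviceEncryption value from the registry steps present and set to 1?
$prevent = (Get-ItemProperty -Path $keyPath -Name 'PreventDeviceEncryption' `
            -ErrorAction SilentlyContinue).PreventDeviceEncryption
$autoState = if ($prevent -eq 1) { 'blocked by PreventDeviceEncryption=1' }
             else { 'not blocked (value missing or not 1)' }
Write-Host "Automatic device encryption: $autoState"

# 2. Per-volume state: encrypted or not, how, and which key protectors exist.
#    Recovery passwords themselves are deliberately never printed.
$report = foreach ($vol in Get-BitLockerVolume) {
    $types       = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $hasRecovery = $types -contains 'RecoveryPassword'
    $encrypted   = [string]$vol.VolumeStatus -ne 'FullyDecrypted'

    $finding = if (-not $encrypted) {
        'not encrypted'
    } elseif (-not $hasRecovery) {
        'ENCRYPTED WITHOUT RECOVERY PASSWORD: add one and back it up'
    } else {
        'encrypted: confirm the recovery key is saved off this device'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Status     = $vol.VolumeStatus
        Protection = $vol.ProtectionStatus
        Method     = $vol.EncryptionMethod   # software (e.g. XTS-AES) vs hardware
        Protectors = ($types -join ', ')
        Finding    = $finding
    }
}

$report | Format-Table -AutoSize -Wrap

# 3. Non-zero exit code if any encrypted volume has no recovery password protector,
#    so the check can be used in a provisioning or compliance script.
if ($report | Where-Object { $_.Finding -like 'ENCRYPTED WITHOUT*' }) { exit 1 }
```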
With Microsoft looking to enable device encryption on Windows 11 by default with version 24H2, the OS will finally be on par with iOS and Android, which have enabled encryption for years. While it can provide additional security, the potential for data loss is incredibly high, meaning that not everyone will want their machines encrypted.
Fortunately, with registry hacks and tools like Rufus, you can get around encryption. On the other hand, if you prefer to have your device encrypted, make sure to keep your BitLocker key safe to prevent problems when reinstalling Windows.