Windows 11 24H2 reduces BitLocker eligibility, turns on automatic encryption for more PCs

Microsoft’s recent updates to Windows 11, specifically the 24H2 version, have introduced significant changes to the BitLocker encryption requirements, broadening accessibility for a wider range of PCs. This initiative, internally known as Auto_DE—where “auto” signifies automatic and “DE” likely stands for Device Encryption—aims to simplify the encryption process for users.

With the rollout of Windows 11 version 24H2, the necessity for certain hardware features that were previously mandatory for automatic encryption has been eliminated. Notably, devices are no longer required to possess the Hardware Security Test Interface (HSTI) or the Modern Standby feature, which was once a hallmark of premium devices. Modern Standby allowed devices to power on and off instantly, akin to mobile devices, but its removal as a requirement means that even older hardware can now benefit from automatic or manual encryption.

Furthermore, the update also abolishes the need to verify untrusted Direct Memory Access (DMA) interfaces, streamlining the process for manufacturers who no longer have to configure specific settings within the system registry. These adjustments automatically refresh the requirements in the Hardware Lab Kit (HLK) tests, alleviating manufacturers from any additional steps to comply with the new standards.

BitLocker is turned on during the reinstallation of Windows 11 24H2, whether you like it or not.

BitLocker, while not a new feature, has traditionally been enabled by default on flagship devices running Windows 11 version 23H2, such as the HP Spectre. However, this changes with the introduction of Windows 11 24H2, which activates encryption automatically during the reinstallation process.

BitLocker turned on automatically after reinstalling Windows 11 24H2 | Image Courtesy: WindowsLatest.com

During a fresh installation of Windows 11 24H2, BitLocker encryption is engaged in the background on both the Pro and Home editions, provided the manufacturer has enabled a specific flag in the UEFI settings. This encryption covers all drives on the device.

It is important to note that devices upgraded to Windows 11 24H2 via Windows Update will not have this automatic encryption feature activated. For automatic encryption to occur, a device must be equipped with a Trusted Platform Module (TPM) and UEFI Secure Boot, which are already stipulated as minimum hardware requirements for Windows 11. Previously, devices were also required to meet the standards of Modern Standby or HSTI and ensure the absence of untrusted DMA interfaces; however, these stipulations have been lifted in the latest update.

While the automatic encryption process initiates during setup, it only becomes fully operational once the user signs in with a Microsoft Account. Devices utilizing local accounts will not experience automatic encryption, though users retain the option to manually activate BitLocker through the Control Panel.

For those who prefer not to have BitLocker encryption enabled during reinstallation, the process to disable it is straightforward. One can create a bootable USB installer with Rufus, which offers an option to disable Windows 11 24H2’s drive encryption. Alternatively, users can disable automatic encryption from within the installation wizard by opening a command prompt (Shift + F10), launching the Registry Editor, and setting the “PreventDeviceEncryption” value under the BitLocker registry key to 1.
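As an added example, not part of the article, the following PowerShell script audits the prerequisites and the opt-out value described above on an installed machine and reports what BitLocker actually did per volume, including whether a recovery password protector exists. The function names are my own; the cmdlets come from the standard TrustedPlatformModule, SecureBoot and BitLocker modules.

```powershell
# Added example (not from the article): audit a Windows 11 24H2 PC against the
# automatic device-encryption prerequisites, the PreventDeviceEncryption opt-out,
# and the resulting per-volume BitLocker state. Run in an elevated PowerShell session.

$bitlockerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'

function Get-AutoEncryptionAudit {
    # Prerequisites still required in 24H2: a TPM and UEFI Secure Boot.
    $tpm = Get-Tpm
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }  # throws on legacy BIOS

    # Opt-out value the article describes (DWORD under the BitLocker key); absent means not set.
    $prevent = (Get-ItemProperty -Path $bitlockerKey -Name PreventDeviceEncryption `
                -ErrorAction SilentlyContinue).PreventDeviceEncryption

    [pscustomobject]@{
        TpmPresent              = $tpm.TpmPresent
        TpmReady                = $tpm.TpmReady
        SecureBootEnabled       = $secureBoot
        PreventDeviceEncryption = if ($null -eq $prevent) { 0 } else { $prevent }
        EligibleForAutoEncrypt  = $tpm.TpmReady -and $secureBoot -and ($prevent -ne 1)
    }
}

function Get-VolumeEncryptionState {
    # What BitLocker has done per volume, and whether a recovery password protector
    # exists: that is the key that must be backed up (e.g. to the Microsoft account)
    # when encryption was switched on silently during setup.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint           = $_.MountPoint
            VolumeStatus         = $_.VolumeStatus
            ProtectionStatus     = $_.ProtectionStatus
            EncryptionPercentage = $_.EncryptionPercentage
            HasRecoveryPassword  = [bool]($_.KeyProtector |
                                       Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }
}

Get-AutoEncryptionAudit | Format-List
Get-VolumeEncryptionState | Format-Table -AutoSize

# Install-time opt-out as the article describes, typed at the Shift+F10 prompt (cmd):
#   reg add HKLM\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_DWORD /d 1 /f
```

A volume that reports ProtectionStatus On without a recovery password protector is the case to fix first, since a silently encrypted disk with no escrowed key is unrecoverable after a TPM or firmware change.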

Windows 11 24H2 is anticipated to commence shipping on Intel and AMD PCs in the latter half of the year, with sources indicating a potential launch window in late September or early October.