Microsoft forced slow software-accelerated BitLocker on Windows, but will nearly double storage performance with new CPU hardware-accelerated crypto — will improve battery life also, but feature requires new CPUs that aren’t available on the market yet

Microsoft has introduced hardware-accelerated BitLocker encryption in Windows 11, using hardware acceleration to improve both performance and efficiency. The feature, first revealed at Ignite 2025 in November, is now integrated into the latest versions of Windows 11 (25H2) and Windows Server 2025 (with the September Update). It also incorporates UFS (Universal Flash Storage) Inline Crypto Engine technology, which aims to reduce the performance cost previously associated with software-based encryption.

Performance Enhancements

Historically, software-based BitLocker encryption has been the default for new installations of Windows 11 Pro, which can reduce SSD performance by as much as 45%. The cause is that encryption and decryption are handled by the CPU, which can burden system resources. With hardware-accelerated BitLocker, Microsoft aims to reverse these performance penalties. The new technology promises to deliver up to twice the storage performance in certain workloads.

Currently, hardware-accelerated BitLocker is available for storage devices where encryption offloading is managed directly on the device itself, whether it be an SSD or HDD, provided that it meets TCG Opal compliance. Most modern SSDs already feature hardware-based encryption, allowing for seamless processing of encryption and decryption without impacting performance.

Looking ahead, Microsoft plans to implement a new hardware-accelerated BitLocker solution that will utilize upcoming Intel Core Ultra series 3 “Panther Lake” CPUs, specifically on devices equipped with Intel vPro platforms. This new implementation will harness advanced capabilities found in these chips, including crypto offloading, which shifts the majority of cryptographic operations from software on the CPU to a dedicated crypto engine.

In a recent blog post, Microsoft’s Rafal Sosnowski noted, “When enabling BitLocker, supported devices with NVMe drives along with one of the new crypto offload capable SoCs will use hardware-accelerated BitLocker with the XTS-AES-256 algorithm by default.” This encompasses various methods of enabling BitLocker, including automatic device encryption and policy-driven enablement, with certain exceptions.

According to Microsoft, the hardware-accelerated BitLocker is expected to yield notable performance gains in storage and I/O metrics, such as sequential and random read and write speeds. Users can anticipate a reduction of up to 70% in CPU cycles needed for processing BitLocker workloads, which could lead to enhanced battery life for mobile devices.

Performance test results shared by the company reveal a striking contrast between software-based and hardware-accelerated BitLocker encryption. For instance, a drive utilizing software-based encryption achieved read speeds of 1632 MB/s in single-thread sequential workloads, whereas a drive with hardware-based encryption reached speeds of 3746 MB/s. Write speeds similarly improved from 1510 MB/s to 3530 MB/s.

While hardware-accelerated BitLocker is currently designated for future Windows PCs, its introduction marks a significant shift in Microsoft’s approach to encryption on modern hardware. As the technology matures, widespread adoption is anticipated, paving the way for a more efficient and secure computing experience.
