Microsoft’s Windows 11 update: BitLocker encryption by default
The world of digital technology is constantly evolving and today’s business enterprises need technology solutions to keep pace and get ahead of the game. But even the most sophisticated technology tools can be vulnerable to cyber disasters. And as developments in information technology continue to move forward, cyber security is a growing concern that every company/organization needs to address.
In a tech update seminar conducted by Advance Solutions Inc (ASI) in September 2023, Microsoft Philippines through its representative informed the audience about Bitlocker — a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes. BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. Furthermore, its Windows 11 Pro has Application safeguards for its new set of security features such as the Smart App Control.
Today, Microsoft is making BitLocker device encryption a default feature in its next major update to Windows 11. If you clean install the 24H2 version that’s rolling out in the coming months, device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work/school account. Device encryption is designed to improve the security of Windows machines by automatically enabling BitLocker encryption on the Windows install drive and backing up the recovery key to a Microsoft account or Entra ID.
In Windows 11 version 24H2, Microsoft is reducing the hardware requirements for automatic device encryption, opening it up to many more devices — including ones running the Home version of Windows 11. Device encryption no longer requires Hardware Security Test Interface (HSTI) or Modern Standby, and encryption will also be enabled even if untrusted direct memory access (DMA) buses / interfaces are detected.
The latest Windows 11 version 24H2 update comes preinstalled on Microsoft’s range of Copilot Plus PCs and is expected to be available on existing machines in late September. That means if you clean install Windows 11 later this year or buy a new PC with 24H2 installed, BitLocker device encryption will be enabled by default. If you just upgrade to 24H2, Microsoft won’t enable device encryption automatically.
You can avoid automatic device encryption if you’re using a local account on a clean Windows 11 version 24H2 install. When you first set up a new machine and log in with a local account, you’ll be prompted to sign in with a Microsoft account to finish encrypting the device. BitLocker can still be manually enabled using the BitLocker Control Panel on local accounts, though. You can also disable device encryption through a toggle in the privacy and security section of Windows 11’s settings interface.
Microsoft set out to improve security in Windows 11 in a meaningful way by requiring modern processors, Secure Boot, and TPM (Trusted Platform Module) chips. These requirements, while controversial, allowed Microsoft to also enable its virtualized Memory Integrity feature by default two years ago to better protect Windows 11 systems from malicious code.
