
Windows 11 24H2 restricts BitLocker permissions, enables automatic encryption for more computers

A Microsoft support representative shared details with Windows Latest about how Windows 11 24H2 is reducing the “requirements” for using BitLocker encryption, meaning more PCs are now eligible for both automatic and manual encryption. Internally, this is called Auto_DE, where “auto” stands for automatic and DE most likely refers to device encryption.

Starting with Windows 11 24H2, the update removes the need for certain hardware features that were previously required for automatic encryption. For example, the update no longer requires devices to have Hardware Security Test Interface (HSTI) or Modern Standby.

For those unaware, Modern Standby is one of the flagship features of premium devices that lets you instantly power on and off your devices like a mobile device. This was also required for device encryption in Windows 11, but that is no longer the case, meaning older hardware is also eligible for automatic or manual encryption.

Additionally, in Windows 11 24H2, there is no need to check for DMA (Direct Memory Access) interfaces that are considered untrusted, which means that manufacturers no longer need to add specific settings in the system registry.

These changes automatically update the Hardware Lab Kit (HLK) testing requirements so manufacturers do not need to take any additional action to meet the new standards.

BitLocker is enabled when you reinstall Windows 11 24H2, whether you like it or not.

BitLocker is not a new feature and is typically enabled by default in Windows 11 version 23H2 on new flagship products such as the HP Spectre.

Currently, this option is not enabled by default on most devices, but this changes in Windows 11 24H2, which automatically enables encryption upon reinstallation.

[Image: BitLocker turned on automatically after reinstalling Windows 11 24H2 | Image courtesy of WindowsLatest.com]

During a fresh/clean Windows 11 24H2 installation, BitLocker encryption is enabled in the background not only on Windows 11 Pro and higher editions, but also on Windows 11 Home if the manufacturer has set a flag in UEFI.

It encrypts all of the device's drives and affects two editions of Windows 11: Home and Pro (Professional).

Devices updated to Windows 11 24H2 via Windows Update are not affected.

For encryption to be enabled automatically, your device must have a Trusted Platform Module (TPM) and UEFI Secure Boot, which are also minimum hardware requirements for Windows 11.

Previously, devices also had to meet Modern Standby or HSTI standards and guarantee the absence of untrusted DMA interfaces, but in Windows 11 24H2 these requirements have been removed.

While automatic encryption begins during setup, it is fully activated only after you sign in with your Microsoft account.

Devices set up with local accounts will not have automatic encryption enabled; however, users will still be able to enable BitLocker manually via the Control Panel.

The good news is that disabling BitLocker encryption during reinstallation is not difficult.


The easiest method is to create a bootable ISO image using Rufus USB, which has the ability to disable Windows 11 24H2 disk encryption.

Another method is to disable automatic encryption directly from the installation wizard. To do this, open a command prompt during setup (Shift + F10), launch the Registry Editor from it, and set the BitLocker “PreventDeviceEncryption” value to 1.
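As an added example (not from the article or from Microsoft), the following PowerShell script audits the preconditions the article names for automatic device encryption (TPM, UEFI Secure Boot, the PreventDeviceEncryption opt-out value) together with the current BitLocker state of each volume, and provides a function that writes the opt-out value. It assumes an elevated PowerShell session on Windows 11 and that the opt-out value lives under the standard BitLocker key HKLM\SYSTEM\CurrentControlSet\Control\BitLocker (the article names only the value, so the path is an assumption here).

```powershell
# Added example; not the article's or Microsoft's own code.
# Assumes an elevated session on Windows 11 with the BitLocker,
# TrustedPlatformModule and SecureBoot modules available.
$BitLockerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'   # assumed path

function Get-AutoDeReadiness {
    # Opt-out value described in the article (DWORD, 1 = prevent device encryption)
    $optOut = (Get-ItemProperty -Path $BitLockerKey -Name PreventDeviceEncryption `
               -ErrorAction SilentlyContinue).PreventDeviceEncryption

    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }  # throws on legacy BIOS
    catch { $secureBoot = $false }

    # Per-volume state: VolumeStatus shows whether data is already encrypted,
    # KeyProtector types show whether a recovery password protector exists.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Mount      = $_.MountPoint
            Status     = $_.VolumeStatus
            Protection = $_.ProtectionStatus
            Protectors = ($_.KeyProtector.KeyProtectorType -join ',')
        }
    }

    [pscustomobject]@{
        TpmPresent     = [bool]$tpm.TpmPresent
        TpmReady       = [bool]$tpm.TpmReady
        SecureBoot     = $secureBoot
        OptOutKeySet   = ($optOut -eq 1)
        # The article's remaining hardware requirements: TPM plus Secure Boot,
        # with no opt-out value set. Account type (Microsoft vs local) is not
        # checked here; the article says a Microsoft account is still needed.
        AutoDeEligible = ([bool]$tpm.TpmReady -and $secureBoot -and ($optOut -ne 1))
        Volumes        = $volumes
    }
}

function Set-DeviceEncryptionOptOut {
    # Writes PreventDeviceEncryption = 1 before encryption starts. From the
    # setup command prompt (Shift + F10) the cmd.exe equivalent is:
    #   reg add HKLM\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_DWORD /d 1 /f
    if (-not (Test-Path $BitLockerKey)) { New-Item -Path $BitLockerKey -Force | Out-Null }
    New-ItemProperty -Path $BitLockerKey -Name PreventDeviceEncryption `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-AutoDeReadiness | Format-List
```

Run the audit on a machine before and after a 24H2 reinstall to confirm which volumes were encrypted and whether a recovery password protector exists, since without one the recovery key lives only in the Microsoft account.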

Windows 11 24H2 is scheduled to launch on Intel and AMD-based PCs in the second half of the year. Our sources say it will be late September or early October.