I heard that Windows 11 24H2 will enable BitLocker Device Encryption for all devices by default. But I believe that I really don’t need this feature. Can I disable it during Windows 11 installation?
Of course you can. Since Windows 11 24H2, full-disk drive encryption is enabled by default, whether you’re on the Home or Pro edition, and it does not notify users during the installation process.
After installation, when users sign in to their Microsoft account, the system automatically saves the BitLocker recovery key to that account. You can find it on the Microsoft account website.
1. In Windows 11 24H2, Microsoft has relaxed many hardware requirements, including the Hardware Security Test Interface (HSTI) and Modern Standby requirements.
2. Device Encryption needs support for Trusted Platform Module (TPM) and UEFI Secure Boot. Both of them are hardware requirements for Windows 11.
3. The Device Encryption process begins at the OOBE phase, but it is only fully activated after signing in to a Microsoft account. Devices that use a local account will not have it enabled by default, but you can turn it on yourself.
4. Devices upgraded to Windows 11 24H2 through Windows Update will not have their hard drive encrypted automatically.
We might not notice in daily use that the system is already encrypted. The BitLocker encryption enabled by default in Windows 11 24H2 unlocks automatically, without needing any password entry. It relies mainly on the system's TPM for protection.
When we manually enable BitLocker encryption in Windows, it requires us to set a specific password and back up the recovery key to a custom location, so we know where to find our own BitLocker recovery key.
Everything works well with BitLocker auto encryption, but if you accidentally modify the system BIOS settings, perform a system reset, or go through a system upgrade, you might encounter the BitLocker recovery screen, which prompts you to enter the BitLocker recovery key.
Note: If users sign in with a local account rather than a Microsoft account, the recovery key has not been saved to a Microsoft account, so the drive remains in the BitLocker "waiting for activation" state, and you can turn it off directly.
Here are methods to help you disable BitLocker encryption during Windows 11 installation or to manually turn off encryption after the installation is complete.
As we said earlier, BitLocker auto encryption begins at OOBE, so we can disable it at that point:
Step 1 Follow the installation guide until it reaches the OOBE settings.
Step 2 Press Shift + F10 to open a Command Prompt window.
Step 3 Type "regedit" and press Enter to open Registry Editor, then navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker
Step 4 Create a new DWORD (32-bit) value and name it "PreventDeviceEncryption".
Double-click it and set its value to "1".
Step 5 Close the windows, go back to the OOBE settings, and follow the guide to finish the Windows 11 installation.
Step 6 After it finishes, go to Settings > Privacy & Security > Device Encryption; you can see that device encryption is disabled.
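The registry steps above can also be scripted and then checked, which shows whether the system drive ended up unencrypted, protected, or in the "waiting for activation" state. This is an added example, not part of the original guide; it assumes an elevated PowerShell session and that the BitLocker PowerShell module is available on the installed edition.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$name = 'PreventDeviceEncryption'

# Steps 3-4: create the key if it is missing, then write the DWORD value 1.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
$value = (Get-ItemProperty -Path $key -Name $name).$name
Write-Output "$name = $value"

# Assumption: the BitLocker module (Get-BitLockerVolume) is present in this session.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Collect protector type names only; the recovery password itself is never printed.
$protectors = @($vol.KeyProtector | Where-Object { $_ } |
    ForEach-Object { "$($_.KeyProtectorType)" })

# Classify the system drive. The "waiting for activation" test is a heuristic:
# data is encrypted, but protection is off and no key protector exists yet.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    $state = 'Not encrypted'
} elseif ($vol.VolumeStatus -eq 'DecryptionInProgress') {
    $state = "Decrypting ($($vol.EncryptionPercentage)% still encrypted)"
} elseif ($vol.ProtectionStatus -eq 'Off' -and $protectors.Count -eq 0) {
    $state = 'Encrypted, waiting for activation'
} elseif ($vol.ProtectionStatus -eq 'On') {
    $state = 'Encrypted and protected'
} else {
    $state = "Other: $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
}

[pscustomobject]@{
    Drive              = $vol.MountPoint
    State              = $state
    TpmProtector       = $protectors -contains 'Tpm'
    RecoveryKeyPresent = $protectors -contains 'RecoveryPassword'
}
```

If the state is "Encrypted and protected" and RecoveryKeyPresent is True, confirm where that recovery key is stored before changing firmware settings or resetting the system.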
You can use a Windows 11 bootable USB drive to install a new copy of Windows 11 and perform a fresh installation or reinstallation. Rufus provides an option to disable BitLocker automatic device encryption when creating the bootable USB.
Before starting, make sure the USB drive has a capacity of at least 8 GB, and prepare the Windows 11 24H2 installation image. Then follow these steps:
Step 1 Download Rufus and double-click the executable file to run it.
Step 2 Select your USB flash drive from the dropdown list in the "Device" section.
Step 3 Click the "Select" button and choose the downloaded Windows 11 installation image.
Step 4 Keep the other options at their defaults, then click the "Start" button.
Step 5 Most importantly, check "Disable BitLocker automatic device encryption" in the pop-up window, along with any other options you need. Then click "OK".
Step 6 Confirm formatting the USB drive and wait for the writing process to complete.
Note: When you use this USB drive to install Windows 11 24H2, it will automatically bypass the device encryption process.
If you haven’t configured your system with the previous methods and Device Encryption is already turned on, you still have a chance to turn it off.
Step 1 Press Win + I to open Windows settings.
Step 2 Go to the Privacy & Security section, and then Device Encryption.
Step 3 Toggle off the Device Encryption option. When a window pops up, click "Turn off".
Step 4 Wait for the decryption process to complete.
No, Device Encryption is really just a lite version of BitLocker, which can only apply encryption to the Windows system drive. You can check the difference below.
Hmm, I had the same issue before. After researching, I learned that Device encryption does not support all devices. To enable it, your computer needs to meet certain conditions.
The error code 0x8031004A when backing up files indicates that there’s something wrong with your device; you can switch to another drive for file backup.
Don’t worry, it’s easy to retrieve your BitLocker BEK file from the file system and use this BEK file to unlock your drive.