Microsoft Enhances BitLocker with Hardware Acceleration Support

Microsoft has officially announced a major upgrade to its encryption technology with the introduction of hardware-accelerated BitLocker.

Revealed by Microsoft’s Rafal Sosnowski following the Ignite conference, this new feature is designed to solve performance bottlenecks that have plagued high-speed storage drives, ensuring that users no longer have to choose between robust security and system speed.

Addressing the NVMe Performance Gap

For years, BitLocker has been the standard for Windows data protection, but the rapid advancement of Non-Volatile Memory Express (NVMe) technology has created a new challenge.

Modern NVMe drives have become so fast that the main processor (CPU) struggles to encrypt and decrypt data in real time without slowing down the system.

BitLocker workflow

This “overhead” has become noticeable for users performing intensive tasks like high-end gaming, video editing, or compiling large codebases.

To address this, Microsoft’s new solution shifts the heavy lifting of encryption from the main CPU to a dedicated cryptographic engine within the system on a chip (SoC).

A command-prompt interface shows hardware-accelerated BitLocker as the encryption method

This “crypto offloading” frees up the main processor for other tasks, resulting in a smoother user experience and improved battery life.

Key Features and Benefits

The new hardware-accelerated BitLocker introduces two primary capabilities:

  1. Crypto Offloading: By moving bulk encryption tasks to a dedicated engine, Microsoft reports a 70% reduction in CPU usage compared to traditional software BitLocker. This allows storage performance to approach the speed of an unencrypted drive.
  2. Hardware-Protected Keys: Encryption keys are now “wrapped” in hardware by the SoC, adding a layer of protection against memory-based attacks. This moves Microsoft closer to its goal of completely removing encryption keys from the system’s main memory.

Feature | How It Works
Crypto Offloading | Shifts encryption tasks from the main CPU to a dedicated cryptographic engine on the System on Chip (SoC).
Hardware-Protected Keys | Encryption keys are “wrapped” and protected directly by the hardware (SoC) rather than sitting exposed in system memory.
Default XTS-AES-256 | Automatically selects the robust XTS-AES-256 algorithm on supported hardware (NVMe drive + capable SoC).
Admin Verification | The manage-bde -status command line tool has been updated to detect and report this specific mode.

Support for these features begins with the September 2025 update for Windows 11 (version 24H2) and the upcoming Windows 11 25H2 release.

The initial rollout will support upcoming Intel vPro devices featuring Intel Core Ultra Series 3 processors, with support for other hardware vendors planned for the future.

Users with compatible hardware can verify whether the feature is active by running the command manage-bde -status as an administrator. If active, the “Encryption Method” will display as Hardware-accelerated.
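The check described above, written out as a small PowerShell script that parses manage-bde -status output per volume and flags any volume not yet in the hardware-accelerated mode. This is an added example, not code from the article or from Microsoft; the label text “Hardware-accelerated” is taken from the article, the volume block layout follows manage-bde’s usual output, and the sample output embedded below is constructed so the script can be run offline.

```powershell
# Added example: report the BitLocker Encryption Method per volume and flag
# volumes that are not in the hardware-accelerated mode described above.
# The "Hardware-accelerated" label is as stated in the article; the sample
# below is constructed, not captured from a real machine.
function Get-BitLockerEncryptionMethod {
    param(
        # Raw text of `manage-bde -status`; defaults to running the tool
        # (requires an elevated prompt on a real system).
        [string[]]$StatusText = (& manage-bde.exe -status 2>&1)
    )
    $results = @()
    $volume = $null
    foreach ($line in $StatusText) {
        # Each volume block opens with a line such as "Volume C: [Windows]".
        if ($line -match '^Volume\s+(\w:)') {
            $volume = $matches[1]
            continue
        }
        # Within a block, pick up the "Encryption Method:" field once.
        if ($volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $matches[1]
            $results += [pscustomobject]@{
                Volume              = $volume
                EncryptionMethod    = $method
                HardwareAccelerated = ($method -like 'Hardware-accelerated*')
            }
            $volume = $null
        }
    }
    return $results
}

# Constructed sample output: C: in the new mode, D: still on software XTS-AES.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware-accelerated
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
'@ -split "`r?`n"

# Lists only volumes that are not hardware-accelerated (here: D:).
Get-BitLockerEncryptionMethod -StatusText $sample |
    Where-Object { -not $_.HardwareAccelerated } |
    Format-Table Volume, EncryptionMethod -AutoSize
```

Drop the -StatusText argument to run it against the live tool on a machine with the September 2025 update; on a fleet, the same function can be fed output collected from each device.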
