
Microsoft Looks to Eliminate BitLocker Slowdowns with Hardware Acceleration


Microsoft plans to enhance BitLocker with hardware acceleration, reducing the performance impact that can occur on today’s high-speed computers. The change responds to a growing issue, where the raw speed of NVMe SSDs is increasingly limited by the processing demands of software-based encryption.

Microsoft outlined the update at Ignite last month and has now released more detailed technical information on its implementation. Rafal Sosnowski said the move to hardware-accelerated BitLocker is expected to result in “a significant improvement in performance and security.”

Modern NVMe SSDs can move data at speeds that cause BitLocker’s encryption processes to use a disproportionately high number of CPU cycles. Sosnowski explains that this added overhead can become a meaningful bottleneck in performance-sensitive scenarios.

Microsoft highlights tasks such as professional video editing, large-scale software compilation, and gaming as areas where users may feel the added computational load. As drive speeds rise, more CPU resources are required to sustain encryption, which can reduce the real-world gains of faster hardware.

The approach involves offloading much of the processing. Instead of relying only on the CPU, hardware-accelerated BitLocker will use a dedicated crypto engine integrated into the system’s SoC to handle most encryption operations.

Hardware-accelerated BitLocker

This approach promises two advantages:

  • Performance Gains: Microsoft claims a hardware-accelerated BitLocker volume can perform as fast as an unencrypted NVMe drive, while the CPU cycles needed for input/output (I/O) management drop “orders of magnitude lower” compared to software encryption.
  • Enhanced Security: The feature uses a hardware-based “wrapping” procedure to shield encryption keys, adding an extra layer of protection against external threats by keeping keys isolated within the dedicated silicon.

The required software support is already built into Windows 11, beginning with the September 2025 Update (24H2) and continuing with the upcoming 25H2 release. Hardware compatibility, however, is limited for now, with the feature initially available only on Intel vPro systems running next-generation Core Ultra Series 3 processors.

Microsoft has stated it is “looking into extending support to other vendors and processor platforms” in the future.

To enable the feature, drives must be encrypted using the XTS-AES-256 algorithm, or other algorithms supported by the system-on-a-chip vendor in the future. Enterprise IT teams will remain in control, with the option to configure or disable hardware acceleration through group policy settings.
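An administrator can audit the XTS-AES-256 prerequisite described above with a short script. The following is an added example, not code from Microsoft or from the original article: the function name `Test-BitLockerAlgorithmPrerequisite` and the sample volumes are hypothetical, and it reads the `MountPoint`, `EncryptionMethod` and `VolumeStatus` properties that the built-in `Get-BitLockerVolume` cmdlet returns. It checks only the algorithm prerequisite, not whether hardware acceleration is active.

```powershell
# Added example: classify volumes against the XTS-AES-256 prerequisite.
# Test-BitLockerAlgorithmPrerequisite is a hypothetical helper name.
function Test-BitLockerAlgorithmPrerequisite {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-BitLockerVolume output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume,

        # Algorithm the article names as the current requirement
        [string]$RequiredMethod = 'XtsAes256'
    )
    process {
        # Cast to string so enum values and plain strings compare the same way
        $method = [string]$Volume.EncryptionMethod
        $status = [string]$Volume.VolumeStatus

        $finding = if ($status -eq 'FullyDecrypted' -or $method -eq 'None') {
            'NotEncrypted'            # BitLocker is not protecting this volume
        } elseif ($method -ne $RequiredMethod) {
            'WrongAlgorithm'          # encrypted, but not with XTS-AES-256
        } elseif ($status -ne 'FullyEncrypted') {
            'ConversionInProgress'    # right algorithm, encryption not finished
        } else {
            'MeetsPrerequisite'
        }

        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            EncryptionMethod = $method
            VolumeStatus     = $status
            Finding          = $finding
        }
    }
}

# Constructed sample data so the example runs without elevation or BitLocker
$sampleVolumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; EncryptionMethod = 'XtsAes256'; VolumeStatus = 'FullyEncrypted' }
    [pscustomobject]@{ MountPoint = 'D:'; EncryptionMethod = 'XtsAes128'; VolumeStatus = 'FullyEncrypted' }
    [pscustomobject]@{ MountPoint = 'E:'; EncryptionMethod = 'XtsAes256'; VolumeStatus = 'EncryptionInProgress' }
    [pscustomobject]@{ MountPoint = 'F:'; EncryptionMethod = 'None';      VolumeStatus = 'FullyDecrypted' }
)
$sampleVolumes | Test-BitLockerAlgorithmPrerequisite | Format-Table -AutoSize

# On a real machine, from an elevated prompt:
# Get-BitLockerVolume | Test-BitLockerAlgorithmPrerequisite
```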
