Microsoft's Hardware-Accelerated BitLocker Doubles NVMe Performance

Microsoft released hardware-accelerated BitLocker encryption in Windows 11’s September 2025 update, offloading encryption operations from the CPU to dedicated silicon and eliminating the performance penalty that has plagued full-disk encryption for two decades. Internal benchmarks show sequential read speeds more than doubling — from 1,633 MB/s with software BitLocker to 3,747 MB/s with hardware acceleration — while reducing CPU cycle consumption by approximately 70% and extending laptop battery life on systems with compatible Intel Core Ultra Series 3 processors.

The feature automatically activates on supported devices running Windows 11 24H2 or 25H2 when NVMe drives pair with crypto-offload-capable system-on-chips (SoCs), using the XTS-AES-256 encryption algorithm by default. Users can verify hardware acceleration status by running manage-bde -status in an administrator command prompt; the “Encryption Method” field will display “XTS-AES 256 (Hardware accelerated)” if the feature is active rather than standard software-based encryption.

The Performance Problem Hardware Acceleration Solves

Microsoft made software-based BitLocker encryption the default configuration for clean Windows 11 Pro installations starting with version 24H2, addressing security concerns but introducing substantial performance degradation. Tom’s Hardware’s testing documented that software BitLocker reduces SSD performance by up to 45% as encryption and decryption operations consume CPU resources that could otherwise handle application workloads, creating bottlenecks particularly noticeable during gaming, video editing, and large file transfers.

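| Configuration      | Sequential Read (MB/s) | CPU Cycles per I/O | Battery Impact   |
|--------------------|------------------------|--------------------|------------------|
| No Encryption      | ~3,800                 | Baseline           | Baseline         |
| Software BitLocker | ~1,633 (-57%)          | +100% (doubled)    | Reduced runtime  |
| Hardware BitLocker | ~3,747 (-1%)           | -70% vs software   | Extended runtime |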

How Crypto Offloading Works

Hardware-accelerated BitLocker relies on two complementary silicon capabilities now appearing in next-generation processors. First, crypto offloading shifts bulk encryption/decryption from general-purpose CPU cores to a dedicated AES-XTS hardware engine on the SoC, freeing processor resources for application tasks. Second, hardware-protected keys ensure the Data Encryption Key (DEK) never appears in plaintext in system RAM, remaining wrapped inside a secure enclave that handles encryption operations without exposing the key to potential memory-based attacks.

This architecture complements rather than replaces the Trusted Platform Module (TPM), which has traditionally protected BitLocker’s intermediate keys. Microsoft describes the combined approach as putting Windows “on a path to completely eliminate BitLocker keys from the CPU and memory,” addressing a longstanding vulnerability where sophisticated attackers could potentially extract encryption keys from RAM through cold boot attacks or DMA-based exploits.

Current Hardware Support and Availability

Intel’s upcoming Core Ultra Series 3 processors—codenamed Panther Lake and expected in mid-2026—provide the initial platform support for hardware-accelerated BitLocker, specifically in vPro business configurations. Microsoft’s announcement confirms plans to expand compatibility to other vendors and processor platforms but provides no specific timeline for AMD, Qualcomm Snapdragon, or other architectures. Existing systems, including those with current-generation Intel Core Ultra Series 2 (Lunar Lake) or AMD Ryzen processors, lack the necessary SoC crypto engines and cannot use this feature despite running compatible Windows 11 versions.

The software components enabling hardware acceleration shipped in Windows 11 builds 26100.6584 (24H2) and 26200.6584 (25H2) via the September 2025 cumulative update KB5065426. However, the feature remains dormant on incompatible hardware, silently falling back to software-based BitLocker without user notification. This phased rollout strategy mirrors Microsoft’s approach with other silicon-dependent features like Pluton security processors, where OS support precedes widespread hardware availability by 12-18 months.
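
Because the fallback to software encryption is silent, the manage-bde -status check described earlier is worth scripting for fleet audits. The PowerShell below is an added example, not code from Microsoft or from the original article; it assumes English-language manage-bde output, and the function name Get-BitLockerAccelerationStatus and the sample text are constructed for illustration.

```powershell
# Added example: parse `manage-bde -status` text and report, per volume,
# whether the "Encryption Method" field shows hardware acceleration.
# Assumption: English-language output (field labels are localized elsewhere).
function Get-BitLockerAccelerationStatus {
    param(
        # Lines of `manage-bde -status` output. When omitted, the tool is run
        # directly, which requires an elevated session.
        [string[]]$StatusText = (& manage-bde.exe -status)
    )
    $volume = $null
    foreach ($line in $StatusText) {
        if ($line -match '^Volume\s+(\S+)') {
            # A "Volume X: [label]" header starts a new record; emit the previous one.
            if ($null -ne $volume) { $volume }
            $volume = [pscustomobject]@{
                Volume = $Matches[1]; Method = $null
                Protection = $null; HardwareAccelerated = $false
            }
        }
        elseif ($null -ne $volume -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $volume.Method = $Matches[1]
            # Marker the article says is shown when crypto offload is active.
            $volume.HardwareAccelerated = $volume.Method -match '\(Hardware accelerated\)'
        }
        elseif ($null -ne $volume -and $line -match '^\s*Protection Status:\s*(.+?)\s*$') {
            $volume.Protection = $Matches[1]
        }
    }
    if ($null -ne $volume) { $volume }
}

# Constructed sample (not captured from a real machine):
# C: is offloaded, D: has fallen back to software encryption.
$sample = @'
Volume C: [Windows]
[OS Volume]
    Encryption Method:    XTS-AES 256 (Hardware accelerated)
    Protection Status:    Protection On
Volume D: [Data]
[Data Volume]
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
'@ -split "`r?`n"

# Warn on every protected volume that is not using the hardware engine.
Get-BitLockerAccelerationStatus -StatusText $sample |
    Where-Object { $_.Protection -eq 'Protection On' -and -not $_.HardwareAccelerated } |
    ForEach-Object { Write-Warning "$($_.Volume) uses software BitLocker ($($_.Method))" }
```

Calling the function without -StatusText in an elevated session audits the local machine instead of the sample.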
