Microsoft is introducing a new hardware-accelerated BitLocker encryption system for Windows 11 that moves cryptographic work from software running on the main CPU to dedicated accelerator units built into future CPU microarchitectures. The company is addressing longstanding complaints about performance penalties from software-based BitLocker, which in Windows 11 has historically imposed a steep cost on storage operations. In Windows 11 going from no BitLocker to software-based BitLocker has caused average number of cycles per I/O to skyrocket from roughly 400,000 cycles to about 1.9 million cycles, and this 375% increase in cycles per I/O can cause significant storage performance degradations.
The hardware acceleration capability, announced at Ignite 2025 in November, is now shipping in Windows 11 version 25H2 and Windows Server 2025 through the September update. Early testing cited by Microsoft indicates that some workloads experience double the storage performance while reducing CPU usage by over 70%, which suggests that the bulk of encryption overhead is being shifted away from general-purpose cores. By offloading AES-XTS-256 encryption processing to a fixed-function cryptography engine embedded within the SoC, the new design aims to preserve strong data protection while minimizing latency and throughput penalties that previously discouraged some users from enabling full disk encryption.
Security design is also central to the update, with encryption keys now hardware-wrapped to improve resilience against memory-based attacks that attempt to extract secrets from system RAM. Microsoft is initially targeting Intel vPro platforms featuring the upcoming Core Ultra Series 3 “Panther Lake” processors for the first wave of support, reflecting the need for compatible on-die accelerators in the CPU. The company states that it intends to extend this hardware-accelerated BitLocker approach to other vendors as additional platforms integrate suitable cryptographic engines, pointing to a broader ecosystem shift toward hardware-driven security features in Windows installations.
