Microsoft is rolling BitLocker’s heavy lifting off the general-purpose CPU and into dedicated silicon — a change aimed at undoing years of storage slowdowns on fast NVMe drives.
Why BitLocker became a problem
Encryption isn’t new for Windows, but its cost has changed. For years Microsoft kept BitLocker crypto in software or relied on questionable drive-side implementations. As NVMe SSDs sprinted forward, the CPU suddenly spent a disproportionate amount of time doing AES work to keep up with tiny, frequent reads and writes. Microsoft’s own internal data (and independent tests) showed dramatic jumps in cycles-per-I/O when BitLocker ran in software — a shift that could turn a previously negligible overhead into a measurable bottleneck for gaming, large builds or video editing.
The move to default-enable software BitLocker on some fresh Windows 11 installs didn't help. Reports and tests suggested real-world throughput and battery life could suffer compared with drives using hardware crypto — and that drove customer frustration. There were also painful update moments in the recent past involving BitLocker recovery prompts after Windows updates, which made disk encryption front-and-center for many admins and users (see the earlier report on how Microsoft’s updates have tripped BitLocker before).
What’s changing: fixed-function crypto and hardware-wrapped keys
At Ignite 2025 Microsoft announced a new model: BitLocker will use fixed-function crypto engines on supported SoCs to perform AES-XTS-256 encryption and decryption. Instead of passing every I/O through the CPU, Windows can hand off bulk crypto to a dedicated unit in the chip or, in some cases, to NVMe drives that expose trusted crypto offload capabilities.
The practical effects are straightforward: Microsoft’s early numbers and CrystalDiskMark comparisons show sequential transfers barely change, but small-block random I/O — the real-world pattern that matters for responsiveness — gets a big boost. In published tests, random 4K Q32T1 workloads (queue depth 32, one thread) showed roughly 2.3× throughput with hardware-accelerated BitLocker versus software-only, single-queue random reads improved by about 40%, and single-queue writes by roughly 2.1×. CPU cycles spent on encryption dropped by over 70% in those early lab runs, which also promises better battery life on laptops.
Security was part of the calculus too. Microsoft is emphasizing that keys can be “hardware-wrapped,” meaning the CPU and system RAM never directly hold raw keys for bulk encryption operations — a design intended to reduce exposure to memory-based or side-channel attacks that previously troubled some hardware crypto implementations.
Who gets it first — and when you’ll notice it
This isn’t a magical toggle you can flip on any machine today. The new hardware path requires SoC/CPU support. Microsoft is shipping the software-side support in Windows 11 (25H2) and Windows Server 2025 updates, but the first hardware platforms to advertise compatibility will be Intel vPro machines using the upcoming Core Ultra Series 3 “Panther Lake” processors. Other vendors are expected to follow, but broad adoption will lag as OEMs ship new SKUs.
If you want to check your system, run manage-bde -status from an elevated command prompt — the status output will indicate whether BitLocker is using hardware acceleration on supported devices. If your current PC doesn’t list hardware acceleration, you won’t see the speed-ups until you have one of the new chips or a compatible NVMe drive.
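For admins who need to check more than one machine, the following PowerShell script is an added example written for this article, not a tool from Microsoft or part of the original text. It parses the per-volume sections of manage-bde -status into objects so the encryption method and protection state can be reviewed in a table. Two assumptions are marked in the code: the sample output embedded for offline use is constructed, and because the exact label Windows 11 25H2 prints for hardware acceleration is not documented here, the script simply flags any status line that mentions "hardware".

```powershell
# Added example (not the article's or Microsoft's code): turn `manage-bde -status`
# text into per-volume objects. The "hardware" substring check is an assumption
# about how the 25H2 status output reports hardware acceleration.

function ConvertFrom-BdeStatus {
    param([Parameter(Mandatory)][string]$Text)

    $volumes = @()
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        # A line such as "Volume C: [OS]" opens a new volume section.
        if ($line -match '^Volume\s+([A-Z]):\s*\[(.*)\]') {
            if ($current) { $volumes += $current }
            $current = [ordered]@{
                Drive               = $Matches[1] + ':'
                Label               = $Matches[2]
                ConversionStatus    = $null
                EncryptionMethod    = $null
                ProtectionStatus    = $null
                HardwareAccelerated = $false   # assumption: true if any line mentions "hardware"
            }
            continue
        }
        if (-not $current) { continue }

        # Indented "Key:   Value" lines carry the per-volume fields. Lines with
        # no value ("Key Protectors:") and the nested protector names are skipped.
        if ($line -match '^\s+([A-Za-z ]+):\s+(.+?)\s*$') {
            $key   = $Matches[1].Trim()
            $value = $Matches[2]
            switch ($key) {
                'Conversion Status' { $current.ConversionStatus = $value }
                'Encryption Method' { $current.EncryptionMethod = $value }
                'Protection Status' { $current.ProtectionStatus = $value }
            }
            if ($value -match 'hardware') { $current.HardwareAccelerated = $true }
        }
    }
    if ($current) { $volumes += $current }
    $volumes | ForEach-Object { [pscustomobject]$_ }
}

# Constructed sample in the shape manage-bde prints today, used when the tool
# is not available (e.g. running the parser on a non-Windows host).
$sample = @"
Volume C: [OS]
[OS Volume]

    Size:                 475.69 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
"@

# Prefer live output; manage-bde needs an elevated prompt, so an access error
# simply yields no parsed volumes rather than a crash.
$text = if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
    (& manage-bde -status 2>&1 | ForEach-Object { "$_" }) -join "`n"
} else {
    $sample
}

ConvertFrom-BdeStatus -Text $text |
    Format-Table Drive, Label, EncryptionMethod, ProtectionStatus, HardwareAccelerated -AutoSize
```

Run it from an elevated PowerShell session on each machine, or wrap ConvertFrom-BdeStatus around status text collected by your management tooling. The EncryptionMethod column is worth keeping in the report because the fixed-function engine described in this article performs AES-XTS-256; once Microsoft documents the exact status field for hardware acceleration, replace the "hardware" substring check with a match on that field name.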
Why this matters for everyday users and admins
For many people, BitLocker historically added only single-digit overheads. For others — especially those with high-end NVMe storage and I/O-heavy workflows — the software crypto path became obvious when frame rates, compile times or application responsiveness dipped under load. Hardware-accelerated BitLocker narrows that gap: it preserves the security benefits of full-disk encryption without the same performance tax.
That said, BitLocker’s story has twists. Microsoft and the industry once pulled back from some hardware crypto because of vulnerabilities in vendor implementations. This time around, the approach aims to sidestep those pitfalls by keeping drivers and general-purpose CPU paths out of the critical loop and by using hardened wrapping for keys.
If you’re managing fleets, planning upgrades, or buying a new laptop in early 2026, this is a factor to consider alongside CPU, GPU and battery life. Windows 11’s 25H2 refresh and related changes to storage and driver stacks are already stirring broader conversations about update hygiene and performance — if you’re tuning a new PC, it’s worth reading the guidance on the 25H2 experience and cleanup options published for the release (see the guide on how to declutter Windows 11 25H2).
A pragmatic step forward
This is an evolution, not an overnight fix. It restores a model that once existed — hardware crypto for disk encryption — but does so with modern constraints: vetted hardware, key wrapping, and OS-level orchestration. For anyone who’s been bitten by BitLocker-related slowdowns, the future promise is simple: strong encryption, less CPU tax, and storage performance that actually keeps pace with today’s NVMe drives.
Whether you see the benefits this year depends on the hardware you buy. For everyone else, Microsoft’s change at least signals a willingness to reconcile security and performance rather than forcing a one-size-fits-all software model on modern PCs.