How to stop automatic BitLocker Device Encryption during install on Windows 11

Microsoft will start enforcing encryption during installation with Windows 11, but you can keep the security feature disabled with these workarounds.

Avatar for Mauro Huculak
By (@Pureinfotech) , Windows How-To Expert and IT Specialist with 22 years of experience.
Windows 11 Device Encryption / Image: Mauro Huculak & Gemini
Windows 11 Device Encryption / Image: Mauro Huculak & Gemini
  • Windows 11 now enables Device Encryption automatically during installation.
  • You can prevent the setup from enabling encryption by creating a custom USB bootable media with Rufus or by modifying the Registry during installation.
  • Alternatively, you can disable the Device Encryption feature on the Pro and Home editions in the Settings app after installation.

On Windows 11, Microsoft automatically enables encryption during operating system installation for both Pro and Home editions using the “Device Encryption” feature. However, if you prefer not to use this security feature, you have a few workarounds to install the operating system without encryption or to turn it off after setup.

What is Device Encryption?

Device Encryption is a security feature designed to protect your files by encrypting the entire system drive. This ensures your data remains secure and inaccessible to unauthorized users, even if the device is lost or stolen.

On Windows 11, the feature uses the Advanced Encryption Standard (AES) to encrypt documents, photos, and any data on the computer. It converts data into a format that cannot be read without the correct decryption key, helping protect data from unauthorized access.

In the past, computers were required to meet either the Modern Standby or the Hardware Security Test Interface (HSTI) security requirements, but starting with version 24H2 and later, the company is relaxing the requirements to enable encryption on more devices. Also, the latest version of the operating system doesn’t check untrusted Direct Memory Access (DMA) interfaces.

BitLocker vs. Device Encryption

BitLocker and Device Encryption are both security features that provide drive encryption. The difference is that BitLocker is a full-featured encryption tool available only on Windows 11 Pro, Enterprise, and Education.

On the other hand, Device Encryption is a simplified version of BitLocker available on Windows 11 Home and on devices running Windows 11 Pro or higher editions. It provides basic encryption features aimed at consumer devices. Also, this feature only encrypts the installation and secondary drives. It does not encrypt external storage connected to the device.

Why turn off Device Encryption?

Although encryption is always a good idea, there are still valid reasons to disable this feature. Sure, with modern hardware, encryption no longer has the same performance impact, but it can still be a concern for devices with older hardware and on gaming computers.

Another reason I can point out is compatibility, since some applications or peripherals may not work as expected with an encrypted drive. Also, if you have a dual-boot system, you may encounter issues when running Windows alongside Linux on the same computer.

If you frequently move drives between systems or need to use data recovery tools that do not support encrypted drives, having encryption disabled can simplify these processes. Also, while encryption keys are designed to secure data, losing access to these keys can result in permanent data loss.

When BitLocker encryption is enabled automatically during setup, the recovery key is typically backed up to your Microsoft account in the cloud. That means a copy of the key required to unlock your drive is stored on Microsoft’s servers.

Although this design helps prevent permanent data loss if you forget your password, some users may feel uncomfortable knowing an external entity holds a recovery copy. If that raises privacy concerns, you may want to take steps to stop the installation process from turning on encryption by default.

In this guide, I will explain several ways to prevent the Windows 11 setup from encrypting your device and the steps to turn off encryption after installation.

Disable Device Encryption using Rufus

To use Rufus to create a bootable media of Windows 11 that disables encryption, connect a USB flash drive with 8GB of space, and then use these steps:

  1. Open the Rufus page.

  2. Click the link to download the latest version under the “Download” section.

  3. Double-click the executable to launch the tool.

  4. Click the Settings button (third button from the left) at the bottom of the page.

  5. Use the “Check for updates” drop-down menu and select the Daily option under the “Settings” section.

  6. Click the Close button.

  7. Click the Close button again.

  8. Open Rufus again.

  9. (Optional) Under the “Device” section, use the drop-down menu and select the USB flash drive to create the installation media.

  10. Click the down-arrow button (on the right side) and select the Download option.

    Windows 11 ISO download option

  11. Click the Download button.

  12. Select the Windows 11 option.

  13. Click the Continue button.

  14. Select the release of Windows 11 to download.

    Windows 11 ISO download

  15. Click the Continue button.

  16. Select the Windows 11 Home/Pro/Edu option.

  17. Click the Continue button.

  18. Select the language of Windows 11.

  19. Click the Continue button.

  20. Select the x64 architecture option.

  21. Click the Download button.

  22. Select the location to save the ISO file automatically.

  23. Choose the “Standard Windows 11 Installation” option under the “Image option” setting.

  24. (Optional) Continue with the default settings after the download.

  25. (Optional) Specify a name for the drive under the “Volume label” setting.

  26. Click the Start button.

  27. Clear all the options (as necessary).

  28. Check the “Disable BitLocker automatic drive encryption” option.

    Disable BitLocker automatic drive encryption

  29. Click the OK button.

Once you complete the steps, you can use the bootable media to perform a clean install of Windows 11 without automatic device encryption.

Get the Pureinfotech Newsletter

All the latest guides and news delivered in your inbox

Disable Device Encryption during setup

To disable encryption during the Windows 11 24H2 installation, use these steps:

  1. Start the PC with the Windows 11 24H2 USB flash drive.

  2. Press any key to continue.

  3. Choose the installation language and format.

    Windows 11 24H2 setup language option

  4. Click the Next button.

  5. Choose the keyboard and input method.

    Windows 11 setup keyboard option

  6. Click the Next button.

  7. Select the “Install Windows 11” option.

    Install Windows 11 24H2 option

  8. Check the “I agree everything” option to confirm that this process will delete everything on the computer.

  9. Click the “I don’t have a product key” option.

    I don't have a product key

    Quick note: The device will activate automatically if this is a reinstallation. If this is a new computer, you must provide a product key.

  10. Select the edition of “Windows 11” your license key activates (if applicable).

    Choose edition of Windows option

  11. Click the Next button.

  12. Click the Accept button

  13. Select each partition on the hard drive where you want to install the operating system and click the Delete button. (Usually, “Drive 0” is the drive that contains all the installation files.)

    Windows 11 24H2 partition setup

  14. Select the hard drive (Drive 0 Unallocated Space) to install Windows 11.

    Clean install Windows 11 24H2 on unallocated space

  15. Click the Next button.

  16. Click the Install button.

    Windows 11 24H2 clean install

  17. After the installation, use the “Shift + F10” keyboard shortcut to access the first page of the out-of-the-box experience (OOBE).

  18. Type the regedit command and press Enter to open the Registry.

  19. Browse to the following path in the Registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker

  20. Right-click the BitLocker key, choose New, and click the “DWORD (32-bit) Value” option.

    BitLocker create Registry key

  21. Confirm the PreventDeviceEncryption name for the DWORD value and press Enter.

  22. Right-click the newly created key and choose the Modify option.

  23. Change the value from 0 to 1.

    Registry enable PreventDeviceEncryption

  24. Click the OK button.

  25. Click the Close (X) button in the Registry app.

  26. Click the Close (X) button in the Command Prompt app.

  27. Continue with the on-screen directions to finish the setup.

After you complete the steps, the installation of Windows 11 will not be encrypted with BitLocker.

Disable Device Encryption after installation

To disable Device Encryption after the Windows 11 installation, use these steps:

  1. Open Settings.

  2. Click on Privacy & security.

  3. Click the Device Encryption page.

  4. Turn off the “Device Encryption” toggle switch.

    Windows 11 Pro and Home disable Device Encryption

  5. Click the Turn off button.

Once you complete the steps, Windows 11 will disable encryption on your computer.

If you want to use your computer with BitLocker enabled, it’s recommended to find and back up your recovery key, in case the unexpected happens, you will have a way to recover. If you’re using the full version of BitLocker on Windows 11 Pro, you can back up the BitLocker recovery key from Control Panel.

Related
How to delete BitLocker recovery key from Microsoft account on Windows 11
How to delete BitLocker recovery key from Microsoft account on Windows 11

It’s important to note that many computer manufacturers have been encrypting devices by default for a long time, and the ability to use encryption during installation isn’t new to Windows 11. However, starting with version 24H2, Microsoft will try to enforce the feature more rigorously, even after you reset your computer. However, the security feature won’t turn on automatically when upgrading from an older version to 24H2.

Are you turning off encryption on your computer? Or do you have any questions? Let me know in the comments below.

FAQs stop Device Encryption on Windows 11

Here’s a list of frequently asked questions (FAQs) and answers about preventing the installation setup from turning on encryption on Windows 11.

What is Device Encryption on Windows 11?

Device Encryption is a built-in security feature that automatically encrypts your system drive to protect files from unauthorized access. It uses AES encryption to secure data and, starting with Windows 11 version 24H2, turns on by default during installation on both Home and Pro editions.

Does Windows 11 enable encryption automatically?

Yes, Windows 11 automatically enables Device Encryption during a clean installation on supported hardware. The feature is activated by default on both Home and Pro editions, even if previous hardware requirements such as Modern Standby were not strictly met.

What is the difference between BitLocker and Device Encryption?

BitLocker is the full-featured drive encryption tool available on Pro, Enterprise, and Education editions, while Device Encryption is a simplified version designed for Home and consumer devices. BitLocker offers advanced management options, whereas Device Encryption focuses on automatic protection with minimal configuration.

How do I stop Windows 11 from enabling Device Encryption during installation?

You can prevent automatic encryption by creating a custom Windows 11 USB installer using Rufus and selecting the option to disable BitLocker automatic drive encryption. Alternatively, during setup, you can modify the Registry and set the PreventDeviceEncryption value to block activation before completing OOBE.

How do I turn off Device Encryption after installing Windows 11?

You can disable Device Encryption from Settings by going to Privacy & Security, opening Device Encryption, and turning off the toggle switch. Windows will decrypt the drive in the background, and the process may take time depending on storage size and hardware speed.

Why would someone disable Device Encryption on Windows 11?

Users may disable encryption due to compatibility issues, dual-boot setups with Linux, concerns about recovery key storage in a Microsoft account, or when frequently moving drives between systems. While encryption improves security, certain workflows and older hardware may benefit from it being turned off.

How can I check if Device Encryption is enabled on my Windows 11 PC?

You can verify encryption status by opening Settings and navigating to Privacy & Security > Device Encryption. If the toggle is on, the system drive is encrypted. On Pro editions, you can also check BitLocker through Control Panel or by running the manage-bde -status command in Command Prompt.

What happens if I lose my BitLocker or Device Encryption recovery key?

If you lose the recovery key and your system requires it to unlock the drive, you may permanently lose access to your data. On most consumer devices, Windows 11 automatically backs up the key to your Microsoft account during setup, which allows recovery if you can sign in to that account.

Update February 27, 2027: This guide has been updated to ensure accuracy and reflect changes to the process.

About the author
Avatar for Mauro Huculak

Mauro Huculak is a Windows How-To Expert and founder of Pureinfotech in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.

Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.

Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.

You can follow him on YouTube, Threads, BlueSky, X (Twitter), LinkedIn and About.me. Email him at [email protected].