To prevent forced BitLocker encryption during a Windows 11 24H2 clean install, press Shift + F10 during the out-of-box setup to open Command Prompt, then run this command to add the registry key that disables automatic encryption before it starts:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v PreventDeviceEncryption /t REG_DWORD /d 1 /f
If BitLocker is already enabled, go to Settings → Privacy & Security → Device Encryption (or right-click Start → System → BitLocker settings) and click Turn off BitLocker.
Applies to: Windows 11 (24H2, 25H2) clean installations | Last updated: April 23, 2026
Key Takeaways
- Forced BitLocker encryption only applies to clean installs of Windows 11 24H2 on supported hardware — upgrading from Windows 10 or an earlier Windows 11 version does not automatically enable it.
- The registry key PreventDeviceEncryption set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\BitLocker blocks automatic encryption from enabling during OOBE.
- If BitLocker is already enabled, you need the recovery key to access the drive in a recovery scenario — back it up to a USB, cloud storage, or your Microsoft account before disabling.
- BitLocker is not inherently bad — it protects your data if the drive is physically removed from your PC. The problem is automatic enablement without clearly informing users to save the recovery key.
Quick Steps
To prevent BitLocker during a clean install (OOBE method):
- During Windows 11 setup (OOBE screen), press Shift + F10
- In Command Prompt, run the reg add command above
- Close Command Prompt and continue with Windows setup normally
To disable BitLocker after Windows is installed:
- Right-click Start → System
- Click BitLocker settings
- Back up your recovery key first (save to USB or Microsoft account)
- Click Turn off BitLocker and follow the prompts
Why Microsoft Forcing BitLocker Is a Problem
BitLocker encryption itself is a solid security feature — it protects the data on your drive if someone physically removes it from your PC or boots from a USB. In a repair shop context, I’ve seen plenty of cases where a stolen laptop’s data was genuinely protected by BitLocker. The technology works.
The problem is automatic enablement without prominently prompting users to save the recovery key. Consider this scenario: Windows 11 24H2 installs and quietly enables BitLocker. A bad update later causes a boot failure. Windows Recovery Environment starts — and before anything can be done, it demands the BitLocker recovery key.

If the user never saved the recovery key, there is nothing a technician can do. The data on that drive is locked. The only option is a clean reinstall from scratch. That’s the real risk here — not encryption itself, but encryption without informed consent and a saved key.
How to Check if BitLocker Is Currently Enabled
Right-click the Start button and select System. In the Related Settings section on the right, click BitLocker settings.

If the BitLocker settings link isn’t there, you’re likely on Windows Home edition — Home doesn’t include BitLocker and automatic encryption is not a concern on that edition. If you see the option, click it and check whether BitLocker is shown as On or Off for your C: drive.
How to Back Up Your BitLocker Recovery Key
If BitLocker is currently enabled, backing up the recovery key is the most important thing to do before making any changes. Without it, a failed Windows update or hardware change could lock you out of your own drive permanently.

In BitLocker settings, click Back up your recovery key. You have three options: save to a file (copy to a USB drive or cloud storage — not to the encrypted drive itself), save to your Microsoft account, or print it. I recommend saving to your Microsoft account as the primary backup and also saving a copy to an external USB as a physical fallback.
If you’ve already lost track of whether your key is saved, log into account.microsoft.com, go to Devices → View All Devices, find your PC, click Show Details, then look under the BitLocker Data Protection tab and click Manage Recovery Keys. The key will be listed there if it was backed up to your Microsoft account.
How to Prevent BitLocker During a Clean Install
The most reliable way to prevent forced BitLocker is to add the registry key before Windows finishes the out-of-box experience (OOBE). During the OOBE screen — the initial setup wizard after installation — press Shift + F10. This opens a Command Prompt window in the Windows setup environment.
Run this command to create the registry value that prevents device encryption:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\BitLocker" /v PreventDeviceEncryption /t REG_DWORD /d 1 /f
If you prefer to do it manually through Registry Editor: open Task Manager from the Command Prompt with taskmgr.exe, click Run New Task, type regedit and run it with admin privileges, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker, right-click and create a new DWORD (32-bit) Value named PreventDeviceEncryption, and set its value to 1.


Close all windows and continue with Windows setup as normal. BitLocker will not be automatically enabled on this installation.
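To confirm after setup that the value persisted and to see what state the system drive is actually in, the following read-only PowerShell check can be run from an elevated session. It is an added example, not part of the original article, and it assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available on the installed edition.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
# Run in an elevated PowerShell session on the installed system.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$valueName = 'PreventDeviceEncryption'

# 1. Did the value written during OOBE persist?
$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
$policy = if ($null -eq $item) {
    'not set'
} elseif ($item.$valueName -eq 1) {
    'set to 1 (automatic encryption blocked)'
} else {
    "set to $($item.$valueName) (not the value this article uses)"
}
Write-Output "$valueName is $policy"

# 2. What state is the system drive in right now?
$vol = $null
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
} catch {
    # Assumption: the cmdlet may be missing or fail on some editions/sessions.
    Write-Output "Could not query BitLocker: $($_.Exception.Message)"
}

if ($vol) {
    $summary = "{0} VolumeStatus={1} ProtectionStatus={2} Encrypted={3}%"
    Write-Output ($summary -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage)

    # List recovery password protectors by ID only; never echo the 48-digit password.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    foreach ($p in $recovery) {
        Write-Output "Recovery key ID: $($p.KeyProtectorId)"
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Output 'Drive is not encrypted.'
    } elseif ($vol.ProtectionStatus -eq 'Off') {
        Write-Output 'Data is encrypted but protection is off (suspended or not yet activated).'
    } elseif ($recovery.Count -eq 0) {
        Write-Output 'Protection is on but no recovery password protector exists.'
    } else {
        Write-Output 'Protection is on. Confirm a key ID above matches a key you have saved.'
    }
}
```

The key ID printed here is what to compare against the recovery keys listed in your Microsoft account or written on a saved key file, so you know the backup you hold belongs to this drive.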
Alternative: Prevent BitLocker via Autounattend (No Manual Steps)
If you regularly do clean Windows installs and want to automate this, UnattendedWinstall and Winhance both include an option to disable forced BitLocker encryption in the generated Autounattend XML. When this option is enabled, the registry key is added automatically during the unattended portion of setup — no Shift+F10 required.
This is the cleanest approach if you’re already using an answer file for your installs. The Windows answer file guide covers the full setup process for creating customized Windows installations.
How to Turn Off BitLocker If It’s Already Enabled
If BitLocker is already on and you want to decrypt your drive, open BitLocker settings (right-click Start → System → BitLocker settings), back up your recovery key first, then click Turn off BitLocker. Confirm the prompt and Windows will begin decrypting the drive in the background.
Decryption time depends on drive size and speed. On a modern NVMe SSD, a 256 GB drive typically decrypts in 10–20 minutes. On a large HDD, it can take hours. You can continue using the computer while decryption runs — Windows will notify you when it’s complete. The drive status in BitLocker settings will show the progress.
Frequently Asked Questions
Will BitLocker be enabled if I upgrade from Windows 10 to Windows 11?
No. Automatic BitLocker encryption only applies to clean installations of Windows 11 24H2 on supported hardware. Upgrading from Windows 10 or from an earlier version of Windows 11 will not automatically enable BitLocker if it wasn’t already on.
What happens if I lose my BitLocker recovery key?
Without the recovery key, you cannot access the data on an encrypted drive in a recovery scenario. There is no backdoor or override. The only option is to wipe and reinstall Windows, losing everything on the drive. This is why backing up the key — to your Microsoft account, a USB, or cloud storage — before any issue occurs is critical.
Does disabling BitLocker put my data at risk?
Disabling BitLocker means your drive’s data is readable without a recovery key if the drive is physically removed. For most home users this is an acceptable risk — the more common danger is being locked out by an unexpected key demand during a repair or troubleshooting session. If your laptop travels frequently or contains sensitive data, keeping BitLocker enabled with a saved recovery key is the better choice.
Can I bypass the BitLocker prompt on an unsupported PC?
Yes. On unsupported hardware where you bypassed Windows 11 requirements, or if you set up a local account during OOBE instead of a Microsoft account, BitLocker is not automatically enabled. The automatic encryption specifically requires supported hardware with a TPM chip and an active Microsoft account during setup.
Does the PreventDeviceEncryption registry key affect other security features?
No. This key only prevents automatic device encryption during the OOBE setup process. It does not disable Windows Defender, Secure Boot, TPM, or any other security feature. You can still manually enable BitLocker at any time through BitLocker settings after installation if you want to.
