diff --git a/UPDATING b/UPDATING --- a/UPDATING +++ b/UPDATING @@ -27,6 +27,12 @@ world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20250120: + MK_BRANCH_PROTECTION has been enabled on arm64. A full rebuild of world + with -DWITH_CLEAN is suggested to enable the branch protection features + it adds. This is only needed on arm64 as it does nothing on other + architectures. + 20240106: A new SOC_ROCKCHIP options appeared, so if you have a custom kernel configuration targetting Rockchip SoC you need to add it so shared and mandatory drivers for diff --git a/share/man/man5/src.conf.5 b/share/man/man5/src.conf.5 --- a/share/man/man5/src.conf.5 +++ b/share/man/man5/src.conf.5 @@ -1,5 +1,5 @@ .\" DO NOT EDIT-- this file is @generated by tools/build/options/makeman. -.Dd November 22, 2024 +.Dd January 20, 2025 .Dt SRC.CONF 5 .Os .Sh NAME @@ -253,11 +253,19 @@ .It Va WITHOUT_BOOTPD Do not build or install .Xr bootpd 8 . +.It Va WITHOUT_BRANCH_PROTECTION +Build with branch protection disabled. +.Pp +This is a default setting on +amd64/amd64, arm/armv7, i386/i386, powerpc/powerpc, powerpc/powerpc64, powerpc/powerpc64le and riscv/riscv64. .It Va WITH_BRANCH_PROTECTION Build with branch protection enabled. On arm64 enable the use of pointer authentication and branch target identification instructions on arm64. These can be used to help mitigate some exploit techniques. +.Pp +This is a default setting on +arm64/aarch64. .It Va WITHOUT_BSDINSTALL Do not build .Xr bsdinstall 8 , diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk --- a/share/mk/bsd.opts.mk +++ b/share/mk/bsd.opts.mk @@ -52,6 +52,7 @@ __DEFAULT_YES_OPTIONS = \ ASSERT_DEBUG \ + BRANCH_PROTECTION \ DEBUG_FILES \ DOCCOMPRESS \ INCLUDES \ @@ -74,7 +75,6 @@ __DEFAULT_NO_OPTIONS = \ ASAN \ BIND_NOW \ - BRANCH_PROTECTION \ CCACHE_BUILD \ CTF \ INSTALL_AS_USER \
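Review bot: In share/mk/bsd.opts.mk the new `BRANCH_PROTECTION \` entry in `__DEFAULT_YES_OPTIONS` is unconditional, yet the regenerated src.conf.5 reports the option as default-on only for arm64/aarch64, so the per-architecture gating presumably lives outside the lines shown. A comment above the list such as `# BRANCH_PROTECTION: default-yes, but only effective on arm64 (see src.conf.5)` would make that visible to whoever edits the list next. The flip also means an incremental arm64 build can link objects compiled before and after the change. The linker normally marks an output as BTI-compatible only when every input object carries the BTI property, so stale objects can leave a binary without that protection and without any build error. The UPDATING entry only "suggests" -DWITH_CLEAN; it is worth stating there that a partial rebuild may produce binaries lacking the protection, and spot-checking installed binaries' GNU property notes (for example with `readelf -n`) after the upgrade.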