BitLocker drive encryption is turned on by default in Windows 11 24H2, and there is no warning or information given to the user about it. Down the line, in future, in case Windows fails or for any other reason the user does a fresh install, or for any reason wishes to switch operating system, or wishes to detach a storage drive and plug it into another computer: all the data on those disks is now gone. You can't read data from any of your disks now unless you are booting up from that same PC and with the same Windows 11 installation instance in which the encryption happened. This is like ransomware: no warning or information is given to the user about backing up their encryption key. Users are expected to be born aware of this feature and its potential risks. Stupid decision.
BitLocker is close to the metal and does a great job encrypting data without causing performance loss, but it has some issues. The Home edition of 24H2 automatically encrypts the drive with BitLocker and sends the key to your Microsoft account unless you perform the OOBE NRO bypass. In other editions, you are forced to save the BitLocker key before the drive can be encrypted, but you can't save it onto the drive you want to encrypt and you can't save it onto a drive that is already encrypted. A way around that is to create an encrypted container file in VeraCrypt, mount it, and save the BitLocker key onto the mounted container.
OP is talking about Device Encryption, right? BitLocker Drive Encryption was 'ready' or something on my Windows 11 (fresh ESD install, Education, build 26100.2605), meaning if I log in to my MS account, then it will encrypt the drive, giving me an online stored key for decryption. Since I use local accounts all the time, this didn't happen. But Device Encryption (in Settings -> Privacy & security) was enabled by default, without notifying me about anything. That's the OP's situation, if I'm understanding this correctly. So if things go sideways, and let's be honest, with Windows, they do, then I have no way of getting my data back, right? (I did turn this off for now.) Please enlighten me with some info, am I seeing this correctly? Thanks.
Why would anyone want this? Think of the average user. Forced to set up a Microsoft account with no intent of using it. Let's switch Windows back to a local account so it's like it used to be. Years of collecting, gigs of highly organized data. What can go wrong? Then it does. Keep it simple, much easier to get back. Who is encrypting your PC protecting you from? If I had worldly secrets on my PC, maybe, but I would use TrueCrypt, or a similar program that I control. And I certainly wouldn't put the key out on the cloud. Encryption should be a choice, not mandated. Besides, it does nothing to protect a running PC where the trojan just got your browser user name/password list. So why would anyone make recovery more difficult or impossible?
My script is similar to Dark Dinosaur's, but one step further: in secpol, Local Policies, Security Options, "Accounts: Block Microsoft accounts", change to "Users can't add or log on with Microsoft accounts".
I decrypt and disable BitLocker after a clean setup and then I disable everything like you do, but probably Windows Update enabled BitLocker again, and when BDESVC is disabled, BitLocker cannot be disabled and it will be hidden in Settings.
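The practical check several posters are circling around is: which volumes are actually encrypted right now, do they have a recovery password at all, and where is that password saved. The script below is an added example, not code from any participant in this thread; it uses the built-in BitLocker PowerShell module, refuses to write keys onto a volume that is itself encrypted (the trap described in the second post), and reports the BDESVC state mentioned in the last post. The backup path `D:\BitLockerKeys` is an assumption, meant to be an external or unencrypted volume.

```powershell
# Added example: inventory BitLocker / Device Encryption state and back up each
# recovery password to a folder that is NOT on an encrypted volume.
# Run from an elevated PowerShell; uses the built-in BitLocker module.
#Requires -RunAsAdministrator
param(
    [string]$BackupDir = "D:\BitLockerKeys"   # assumed: external or unencrypted volume
)
Import-Module BitLocker

$volumes = Get-BitLockerVolume

# Refuse to save recovery keys onto a volume that is itself encrypted.
$targetRoot = ([System.IO.Path]::GetPathRoot($BackupDir)).TrimEnd('\')
$targetVol  = $volumes | Where-Object { $_.MountPoint -eq $targetRoot }
if ($targetVol -and $targetVol.VolumeStatus -ne 'FullyDecrypted') {
    throw "Refusing to save recovery keys onto $targetRoot : it is $($targetVol.VolumeStatus)."
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($v in $volumes) {
    # One status line per volume: e.g. "C: status=FullyEncrypted protection=On 100%"
    "{0} status={1} protection={2} {3}%" -f $v.MountPoint, $v.VolumeStatus,
        $v.ProtectionStatus, $v.EncryptionPercentage

    # Only RecoveryPassword protectors can be written down; TPM protectors cannot.
    $rp = $v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    foreach ($p in $rp) {
        $name = ($v.MountPoint -replace '[:\\]', '') + '_' + $p.KeyProtectorId.Trim('{}') + '.txt'
        @(
            "Volume: $($v.MountPoint)"
            "KeyProtectorId: $($p.KeyProtectorId)"
            "RecoveryPassword: $($p.RecoveryPassword)"
        ) | Set-Content -Path (Join-Path $BackupDir $name)
    }

    # An encrypted volume with no recovery password is the unrecoverable case.
    if ($v.VolumeStatus -ne 'FullyDecrypted' -and -not $rp) {
        Write-Warning "$($v.MountPoint) is encrypted but has no recovery password protector."
    }
}

# State of the BitLocker Drive Encryption Service (BDESVC) referenced above.
Get-Service BDESVC | Select-Object Name, Status, StartType
```

Volumes that report `FullyDecrypted` with `ProtectionStatus` Off are the ones where nothing has happened yet; anything else should have at least one recovery password file written by this script.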