BitLocker drive encryption is turned on by default in Windows 11 24H2 and there is no warning or information given to the user about it. Down the line, in future, if Windows fails, or for any other reason the user does a fresh install, or for any reason wishes to switch operating system, or wishes to detach a storage drive and plug it into another computer, all the data on those disks is now gone. You can't read data from any of your disks now unless you are booting up from that same PC and with the same Windows 11 installation instance in which the encryption happened. This is like ransomware; no warning or information is given to the user about backing up their encryption key. Users are expected to be born aware of this feature and the potential risks of it. Stupid decision.
BitLocker is close to the metal and does a great job encrypting data without causing performance loss, but it has some issues. The Home edition of 24H2 automatically encrypts with a BitLocker key and sends it to your Microsoft account unless you perform the OOBE NRO bypass. In other editions, you are forced to save the BitLocker key before the drive can be encrypted, but you can't save it onto the drive you want to encrypt and you can't save it onto a drive that is already encrypted. A way around that is to create an encrypted container file in VeraCrypt, mount it, and save the BitLocker key onto the mounted container.
OP is talking about Device Encryption, right? BitLocker Drive Encryption was 'ready' or something on my Windows 11 (fresh ESD install, Education, build 26100.2605), meaning if I log in to my MS account, then it will encrypt the drive, giving me an online-stored key for decryption. Since I use local accounts all the time, this didn't happen. But Device Encryption (in Settings -> Privacy & security) was enabled by default, without notifying me about anything. That's the OP's situation, if I'm understanding this correctly. So if things go sideways, and let's be honest, with Windows, they do, then I have no way of getting my data back, right? (I did turn this off for now.) Please enlighten me with some info, am I seeing this correctly? Thanks.
Why would anyone want this? Think of the average user. Forced to set up a Microsoft account with no intent on using it. Let's switch Windows back to a local account so it's like it used to be. Years of collecting, gigs of highly organized data. What can go wrong? Then it does. Keep it simple, much easier to get back. Who is encrypting your PC protecting you from? If I had worldly secrets on my PC, maybe, but I would use TrueCrypt, or a similar program that I control. And I certainly wouldn't put the key out on the cloud. Encryption should be a choice, not mandated. Besides, it does nothing to protect a running PC where the trojan just got your browser username/password list. So why would anyone make recovery more difficult or impossible?
My script is similar to Dark Dinosaur's, but one step further: in secpol, Local Policies, Security Options, "Accounts: Block Microsoft accounts", change to "Users can't add or log on with Microsoft accounts".
I decrypt and disable BitLocker after a clean setup and then I disable everything like you do, but probably Windows Update enabled BitLocker again, and when BDESVC is disabled, BitLocker cannot be disabled and it is hidden in Settings.
It should NOT be encrypted while installing a clean Windows 11 24H2 until the customer wants it to be. SHOULD NOT. Keep in mind, my laptop has TPM 2.0 and I have played with it on Windows 11 24H2. So, keep in mind, Microsoft does not have the right to encrypt your OS (C: drive). One thing: if you are planning to encrypt your hard drive, BE SURE not to put the key on the Microsoft account site. Save it to a USB flash drive and then copy the key to another safe place (make 3 copies of the key) or you are screwed. Just a fair warning. ATGPUD2003
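The advice in the posts above (save the recovery key somewhere that is not the encrypted drive, decrypt after a clean install, and do not disable BDESVC before decryption has finished) can be scripted. The following is an added example for this thread, not code posted by any participant; it assumes the BitLocker PowerShell module is available (Get-BitLockerVolume works on Pro/Enterprise/Education and on Home with Device Encryption), that $BackupDrive is a removable, unencrypted USB stick (hypothetical letter E:), and that you run it from an elevated prompt. It also wires up the secpol setting mentioned later in the thread (Accounts: Block Microsoft accounts), which is backed by the NoConnectedUser registry value.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Inventories BitLocker / Device
# Encryption, backs up recovery passwords to removable media that is itself
# unencrypted, optionally decrypts, and stops automatic encryption returning.
param(
    [string]$BackupDrive = 'E:',      # ASSUMPTION: a removable, unencrypted USB drive
    [switch]$Decrypt,                 # turn BitLocker off on every encrypted volume
    [switch]$BlockAutoEncrypt,        # set PreventDeviceEncryption so OOBE/WU cannot re-enable it
    [switch]$BlockMicrosoftAccounts   # secpol "Accounts: Block Microsoft accounts"
)

# BDESVC must be running for the BitLocker cmdlets and for decryption to progress.
# If it was disabled earlier, BitLocker vanishes from Settings but stays on-disk.
$svc = Get-Service -Name BDESVC
if ($svc.StartType -eq 'Disabled') {
    Set-Service -Name BDESVC -StartupType Manual
}
if ($svc.Status -ne 'Running') { Start-Service -Name BDESVC }

# 1. Inventory: which volumes are encrypted and which protectors they have.
$volumes = Get-BitLockerVolume
foreach ($v in $volumes) {
    $types = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    '{0,-4} {1,-22} {2,3}% protected={3,-3} protectors: {4}' -f `
        $v.MountPoint, $v.VolumeStatus, $v.EncryptionPercentage, $v.ProtectionStatus, $types
}
$encrypted = $volumes | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }

# 2. Back up recovery passwords, refusing a target that is not removable or is
#    itself BitLocker-protected (the trap described in the posts above).
if ($encrypted) {
    $letter = $BackupDrive.TrimEnd(':')
    $vol = Get-Volume -DriveLetter $letter -ErrorAction Stop
    if ($vol.DriveType -ne 'Removable') {
        throw "$BackupDrive is $($vol.DriveType), not removable; refusing to store keys there."
    }
    $targetBl = Get-BitLockerVolume -MountPoint $BackupDrive -ErrorAction SilentlyContinue
    if ($targetBl -and $targetBl.VolumeStatus -ne 'FullyDecrypted') {
        throw "$BackupDrive is itself BitLocker-encrypted; keys stored there are unreachable after a failure."
    }

    foreach ($v in $encrypted) {
        $rp = $v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            # No numeric recovery password exists (e.g. TPM-only): add one, then re-read.
            Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = (Get-BitLockerVolume -MountPoint $v.MountPoint).KeyProtector |
                  Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        }
        foreach ($p in $rp) {
            # The Identifier is what the recovery screen shows; keep it next to the password.
            $file = Join-Path $BackupDrive ("BitLocker Recovery Key {0}.txt" -f $p.KeyProtectorId.Trim('{}'))
            @(
                "Volume:     $($v.MountPoint)"
                "Identifier: $($p.KeyProtectorId)"
                "Recovery Key: $($p.RecoveryPassword)"
            ) | Set-Content -Path $file -Encoding ASCII
            "Saved recovery key for $($v.MountPoint) to $file"
        }
    }
}

# 3. Optionally decrypt. Disable-BitLocker only starts decryption; it runs in the
#    background, so check EncryptionPercentage before disabling BDESVC or reimaging.
if ($Decrypt) {
    foreach ($v in $encrypted) {
        Disable-BitLocker -MountPoint $v.MountPoint | Out-Null
        "Decryption started on $($v.MountPoint); poll with Get-BitLockerVolume until 0%"
    }
}

# 4. Stop Device Encryption from re-enabling itself (documented OEM/IT registry value).
if ($BlockAutoEncrypt) {
    $blKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    New-Item -Path $blKey -Force | Out-Null
    Set-ItemProperty -Path $blKey -Name PreventDeviceEncryption -Value 1 -Type DWord
}

# 5. secpol "Accounts: Block Microsoft accounts" =
#    "Users can't add or log on with Microsoft accounts" (NoConnectedUser = 3).
if ($BlockMicrosoftAccounts) {
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $polKey -Name NoConnectedUser -Value 3 -Type DWord
}
```

Run it once with no switches to see the inventory and get the keys onto the USB stick, copy those text files to a second location, and only then run with -Decrypt and -BlockAutoEncrypt. Leave BDESVC alone until every volume reports FullyDecrypted; disabling the service mid-way is what produces the "hidden but still encrypted" state described above.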
As much as Microsoft is big software, big cloud, it is even bigger as a data market and consultancy service. The intent is much clearer when you approach this behavior from such a perspective.
If you do not create a Facebook account, then someone will create it for you. (Even if you don't use social media, it is best to create an account.) If you do not encrypt your device, then someone will encrypt it for you. (Better you than Microsoft, or worse, ransomware.) If you do not kiss or do anything with your girlfriend/boyfriend, then someone else will do that for you. The same applies to everything else.