Policy for 24H2 Auto bitlocker encryption during clean install

googelaar
11-18-2021, 10:56 AM #1

You should be aware that logging into your MS account during the clean install of Windows 11 24H2 activates BitLocker automatically. Yet, only a standard PIN or password exists, without a dedicated unlocking key. The recovery key remains stored within your MS account. On a previous system, you needed to input a separate PIN at startup to enable BitLocker, but that requirement has been removed now. What encryption method is currently applied? Does it depend on the TPM technology?

tntboy66
11-18-2021, 12:40 PM #2

Have you set up the Pro or Home edition of Windows 11?

Playered_401
11-18-2021, 04:04 PM #3

I understand the concern about the clean install, but just to note I received the 24H2 update this morning and installed it. Bitlocker was disabled before the update and remains so afterward. If you're worried, maybe a clean install of 23H2 would work better—make sure Bitlocker is off first, then update immediately?

SimpleBuilder
11-19-2021, 04:01 PM #4

I just installed 24H2 Win 11 Pro from a freshly downloaded ISO on a brand new drive (26100.2033).
noticeable points:
no reference to bitlocker during setup
could play games during installation – seems odd
the standard ms account is linked only to personal accounts
after installation, no mention of a recovery option
no indication that bitlocker was enabled with the online ms account (it wasn’t mentioned at all)
checked ms system info which explained the lack of automatic device encryption – reason cited was PCR7 not available, possibly related to TPM and secure boot being disabled
this aligns with recent reddit discussions about missing bitlocker keys and changed secure boot settings in recovery images

fadgemd
12-10-2021, 08:52 PM #5

Maybe the intent of my question is not clear. I am testing it out in a VM with the Windows 11 24H2 Pro version.
Rufus has a very good provision to disable automatic bitlocker encryption while creating USB installer. That's not the point.
Generally when you encrypt using bitlocker manually as a user, there's a password and recovery key depending upon default policies.
However during 24H2 clean install there's no password, only recovery key which is stored in MS account.
So what policy is adopted by installer & bitlocker when there's no password? Does it solely rely on TPM? How does it work without a password?
e.g. here are many policies related to bitlocker in gpedit.msc

zScossa99z
12-11-2021, 02:18 AM #6

Yes, just the TPM.
I own a Surface with BitLocker activated.
No password is set during startup.
The BitLocker ensures data security if the device is taken away and linked to another system.

Skyrocker
12-25-2021, 05:58 PM #7

The PIN is kept in the TPM, which accounts for that reason.
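
The question in posts #1 and #5 (which protectors and which encryption method an automatically encrypted volume has) can be checked directly on the machine. The PowerShell below is an added example, not code from any poster in this thread; it uses the built-in BitLocker, TPM and Secure Boot cmdlets, must run in an elevated session, and the function name `Get-BootUnlockSummary` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: summarise how the OS volume is unlocked at boot.
# Get-BootUnlockSummary is a hypothetical helper name; the cmdlets it calls are built in.
function Get-BootUnlockSummary {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that need input from the user before Windows starts.
    # ExternalKey is left out: with a TPM present it is usually a recovery key file.
    $preBoot   = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
    $needsUser = @($types | Where-Object { $_ -in $preBoot })

    $mode = if ($types.Count -eq 0) {
        'No key protectors (volume is not protected)'
    } elseif ($needsUser.Count -gt 0) {
        'Pre-boot authentication required: ' + ($needsUser -join ', ')
    } elseif ($types -contains 'Tpm') {
        'TPM-only: the TPM releases the key at boot without user input'
    } else {
        'No TPM protector: ' + ($types -join ', ')
    }

    # Secure Boot state is measured into PCR 7, the register named in post #4.
    # Confirm-SecureBootUEFI throws on legacy BIOS, reported here as $null.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }
    $tpm = Get-Tpm

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus      # e.g. FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus  # On / Off
        EncryptionMethod = $vol.EncryptionMethod  # e.g. XtsAes128
        KeyProtectors    = $types -join ', '
        UnlockMode       = $mode
        HasRecoveryPwd   = $types -contains 'RecoveryPassword'
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        SecureBoot       = $secureBoot
    }
}

Get-BootUnlockSummary | Format-List
```

A `KeyProtectors` value of `Tpm, RecoveryPassword` with an `UnlockMode` of TPM-only matches the setup described in post #6: no password at startup, with the recovery password as the only fallback.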