Question Policy for 24H2 Auto bitlocker encryption during clean install

[mmp09]

If I correctly understand, if you login to MS account during clean install of Windows 11 24H2 then it automatically enables bitlocker encryption.
However there’s only normal PIN or password but there’s no specific password set for unlocking encryption. The recovery key is saved in your MS account.

On an earlier system I had to enter PIN (separate from account password) to unlock bitlocker at boot. However now there's no such PIN.
So what policy is used by this bitlocker encryption? Does it rely on TPM?

 

[Secret-Squirrel]

..................... However now there's no such PIN.

Did you install the Pro or Home version of Windows 11?

 

[ubuysa]

I appreciate that the question relates to a clean install, but just for the record I was offered the 24H2 update this morning and installed it. Bitlocker was off before I did the update and it's still off after the update.

If you're concerned, perhaps one option might be to clean install 23H2, ensure that Bitlockler is off and then immediately update that to 24H2?

 

[kerberos_20]

i just clean installed 24H2 win 11 pro from freshly downloaded iso on freshly wiped drive (26100.2033)
things that i have noticed:
zero mention about any bitlocker during installation
i could play game during installation ..like huh? lol never saw anybody mentioning this...but theres a freaking game lol
and the usual ms account only with personal account
once installed
there is also no recall to be found (was it supposed to be there already?)
bitlocker is not enabled with online ms account (as it wasnt mentioned anywhere during installation phase)

edit:
checked ms system info app which shows reason why it couldnt do automatic device encryption, and the reason for no automatic bitlocker is: PCR7 not available, which has somehing to do with TPM, but on quick google search, it means secure boot is disabled for PCR7 to kick in

here you go - secure boot off = no auto encryption
which does make some sense, since im seeing lately tons of reddit images with "help no bitlocker key" and image shows secure boot settings changed on bitlocker recovery image

 

[mmp09]

May be the intent of my question is not clear. I am testing it out in a VM with Windows 11 24H2 Pro version.

Rufus has a very good provision to disable automatic bitlocker encryption while creating USB installer. That's not the point.

Generally when you encrypt using bitlocker manually as a user, there's a password and recovery key depending upon default policies.

However during 24H2 clean install there's no password, only recovery key which is stored in MS account.
So what policy is adopted by installer & bitlocker when there's no password? Does it solely rely on TPM? How does it work without a password?

e.g. here are many policies related to bitlocker in gpedit.msc

 

[USAFRet]

So what policy is adopted by installer & bitlocker when there's no password? Does it solely rely on TPM? How does it work without a password?

Yes, just the TPM.

I have a BitLocker enabled Surface laptop.
NO password on starting up.

The BL is to protect the drive data if the drive were removed from this laptop, and connected to some other system.

 

[Colif]

PIN is stored in the TPM, so that would explain that then.