Forensic Implications of BitLocker-by-Default in Windows 11 24H2

May 8th, 2025 by Oleg Afonin
Category: «General», «Tips & Tricks»

The Windows 11 24H2 update introduced a change in Microsoft’s approach to disk encryption, a shift that will have long-lasting implications for digital forensics. In this release, BitLocker encryption is automatically enabled on most modern hardware when Windows is installed with a Microsoft Account (MSA) used during setup. Encryption starts seamlessly and silently in the background, and now covers Home editions and consumer devices such as desktop computers that historically escaped full-disk encryption defaults.

Important: the new behavior does not automatically apply when existing Windows 11 users install the 24H2 build via Windows Update.

While this policy may seem new, it is in fact the logical continuation of an earlier feature called BitLocker Device Encryption, which dates back to Windows 8.1, Windows RT, and Windows 10 Home (BitLocker: What’s New in Windows 10 November Update, And How To Break It). Device Encryption was a restricted version of BitLocker designed to automatically protect the system boot volume under specific hardware and account conditions:

  • The device meets Connected Standby or Modern Standby specifications (usually SSD or eMMC storage).
  • The device has non-removable (soldered) RAM to mitigate cold boot attacks.
  • The device contains a TPM 2.0 module.
  • At least one administrator account is signed in using a Microsoft Account (not a local account).

These requirements were commonly met by tablets (at the time, we tested the Lenovo ThinkPad 8, Nokia Lumia 2520, and Dell Venue 8 Pro), many business laptops, and higher-end ultrabooks. Once these conditions were met and the user signed in with an MSA, encryption of the boot volume silently began in the background. Most users were unaware their partition had been encrypted; the only indicators were higher disk activity and faster battery drain while encryption was in progress.

Windows 11 24H2 effectively broadens this same concept to all modern PCs – even full desktops and laptops without soldered RAM – by enforcing online account sign-in and automatic BitLocker activation more aggressively.

Windows 11 24H2 BitLocker Encryption

Microsoft has explained, time and time again, why a TPM is required in Windows 11. In our 2022 write-up, we noted: “Despite the controversy surrounding Windows 11 elevated system requirements, Microsoft did the right thing. The use of passwordless authentication combined with TPM protection does a lot to secure Windows accounts. At the same time, we have not seen a change to default encryption policies. BitLocker Device Encryption is still a thing on portable devices only; on desktops, BitLocker encryption is not enforced and not automatically enabled. If enabled on a system partition, you will still require the correct BitLocker Recovery Key to unlock and decrypt the volume, same as in Windows 10.” The release of Windows 11 24H2 puts an end to the controversy, now fully utilizing the potential of TPM protection by making BitLocker system encryption the new default.

In Windows 11 24H2, any user who signs in to the OOBE (Out-of-Box Experience) with a Microsoft Account triggers automatic BitLocker encryption. This now applies across all Windows editions, including Home, and is supported on nearly all Windows 11-certified hardware (which must include TPM 2.0 and UEFI Secure Boot); the earlier Modern Standby and soldered-RAM prerequisites of Device Encryption no longer apply. Microsoft also removed the BYPASSNRO workaround that allowed users to skip account sign-in during setup, making the encryption default harder to avoid.

Recovery keys for personal devices are uploaded automatically to the user’s Microsoft Account (accessible via account.microsoft.com/devices/recoverykey). Microsoft Entra ID (formerly Azure AD) joined devices escrow the key to Entra ID, and on-premises domain-joined devices escrow it to Active Directory when Group Policy requires it; from there the key can potentially be retrieved (e.g. with the recently updated Elcomsoft System Recovery). This means keys exist off-device and can potentially be obtained by law enforcement through legal channels, though this introduces delays and procedural complications.

Forensic Implications and Challenges

For digital forensic professionals, this shift leads to predictable long-term consequences. Without the BitLocker recovery key or user credentials, encrypted drives are unreadable and unmountable. Key implications include:

  • Seized drives and disk images are useless without the key. Decryption requires the BitLocker recovery key.
  • No feasible bypass. BitLocker uses XTS-AES (128-bit by default); the volume master key is sealed by the computer’s TPM, and the only other protector that Device Encryption creates is the randomly generated 48-digit recovery password. Password attacks are not possible because this type of BitLocker encryption does not rely on a user password.
  • Key retrieval becomes mandatory. Investigators must obtain keys through voluntary cooperation, legal requests to Microsoft, or through the enterprise IT department (for domain-joined devices).
  • Limited live capture opportunities. If the device is powered on and unlocked at seizure time, live RAM capture or command-line key extraction (e.g. manage-bde -protectors -get C: from an elevated prompt, which prints the recovery password) may allow retrieval of the volume master key or recovery password. Note that the TPM unseals the system volume automatically on every boot, so the volume is mounted after a reboot or power-on; the data is still guarded by the Windows sign-in, and accessing it without credentials requires highly advanced or even exotic techniques.
  • Evidence timelines slow down. Waiting for recovery keys from Microsoft or corporate IT introduces potentially significant delays.

Investigators must treat seized Windows 11 24H2 devices as encrypted vaults unless a valid recovery method is promptly available.
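The first question at the bench is whether a seized volume is BitLocker-protected at all and, if so, which protectors it carries: a TPM protector plus a recovery password is the Device Encryption profile described above (no password to attack, key must come from the MSA or AD), a clear-key protector means protection is suspended and the volume can be decrypted outright, and a password protector is the one case an offline dictionary attack applies to. The following is an added example, not code from the article or from Elcomsoft; it reads the volume header and FVE metadata block 1 of a raw volume image using the on-disk layout documented by the libbde and dislocker projects, and the sample image it triages is constructed in code rather than captured from a real device. Offsets are relative to the start of the volume, so a full-disk image must be opened at the partition offset.

```python
"""Offline BitLocker triage of a raw volume image (added example)."""
import struct
import uuid

FVE_SIGNATURE = b"-FVE-FS-"
BLOCK1_OFFSET_FIELD = 0xB0          # Windows 7+ volume header: three uint64 metadata block offsets at 0xB0/0xB8/0xC0
ENTRY_TYPE_VMK, VALUE_TYPE_VMK = 0x0002, 0x0008
ENTRY_TYPE_DESCRIPTION, VALUE_TYPE_UNICODE = 0x0007, 0x0002

PROTECTION_TYPES = {
    0x0000: "clear key",            # auto-unlock / protection suspended: VMK stored unprotected
    0x0100: "TPM",
    0x0200: "startup key",
    0x0500: "TPM + PIN",
    0x0800: "recovery password",
    0x2000: "password",
}
ENCRYPTION_METHODS = {
    0x8000: "AES-CBC 128 + Elephant diffuser", 0x8001: "AES-CBC 256 + Elephant diffuser",
    0x8002: "AES-CBC 128", 0x8003: "AES-CBC 256", 0x8004: "AES-XTS 128", 0x8005: "AES-XTS 256",
}


def is_bitlocker_volume(image: bytes) -> bool:
    """A BitLocker volume's boot sector carries '-FVE-FS-' where NTFS would put its OEM ID."""
    return len(image) >= 11 and image[3:11] == FVE_SIGNATURE


def iter_entries(buf: bytes, start: int, end: int):
    """Metadata entries: uint16 size, entry type, value type, version, then the value."""
    pos = start
    while pos + 8 <= end:
        size, entry_type, value_type, _version = struct.unpack_from("<HHHH", buf, pos)
        if size < 8 or pos + size > end:
            break
        yield entry_type, value_type, buf[pos + 8:pos + size]
        pos += size


def assess(protectors) -> str:
    kinds = {kind for _guid, kind in protectors}
    if "clear key" in kinds:
        return "clear-key: protection suspended, decryptable without credentials"
    if "password" in kinds:
        return "password protector present: offline dictionary attack possible"
    if kinds == {"TPM", "recovery password"}:
        return "device-encryption: TPM-sealed, recovery key from MSA/AD required"
    return "other: review protector list"


def triage(image: bytes) -> dict:
    if not is_bitlocker_volume(image):
        return {"bitlocker": False}
    block1 = struct.unpack_from("<Q", image, BLOCK1_OFFSET_FIELD)[0]
    if image[block1:block1 + 8] != FVE_SIGNATURE:
        raise ValueError("FVE metadata block 1 does not start with -FVE-FS-")
    hdr = block1 + 64                 # 64-byte block header, then the 48-byte metadata header
    metadata_size, _version, header_size = struct.unpack_from("<III", image, hdr)
    volume_guid = uuid.UUID(bytes_le=image[hdr + 16:hdr + 32])
    method = struct.unpack_from("<H", image, hdr + 36)[0]
    protectors, description = [], None
    for etype, vtype, value in iter_entries(image, hdr + header_size, hdr + metadata_size):
        if etype == ENTRY_TYPE_VMK and vtype == VALUE_TYPE_VMK:
            guid = uuid.UUID(bytes_le=value[0:16])           # key protector ID, as shown by manage-bde
            ptype = struct.unpack_from("<H", value, 26)[0]    # after GUID(16) + FILETIME(8) + 2 unknown bytes
            protectors.append((str(guid), PROTECTION_TYPES.get(ptype, f"unknown 0x{ptype:04x}")))
        elif etype == ENTRY_TYPE_DESCRIPTION and vtype == VALUE_TYPE_UNICODE:
            description = value.decode("utf-16-le").rstrip("\x00")
    return {"bitlocker": True, "volume_guid": str(volume_guid), "description": description,
            "encryption_method": ENCRYPTION_METHODS.get(method, f"unknown 0x{method:04x}"),
            "protectors": protectors, "assessment": assess(protectors)}


def build_sample_image() -> bytes:
    """Constructed fixture, not a real capture: a volume header plus one metadata block
    describing a Device Encryption style volume (TPM protector + recovery password)."""
    def entry(etype, vtype, value):
        return struct.pack("<HHHH", 8 + len(value), etype, vtype, 1) + value

    def vmk(guid, ptype, nested):                      # GUID, FILETIME, 2 unknown, protection type, nested entries
        return guid.bytes_le + bytes(8) + bytes(2) + struct.pack("<H", ptype) + nested

    block1 = 0x1000
    img = bytearray(block1 + 0x400)
    img[0:3], img[3:11] = b"\xeb\x58\x90", FVE_SIGNATURE
    struct.pack_into("<H", img, 11, 512)
    img[0xA0:0xB0] = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001").bytes_le   # BitLocker identifier
    struct.pack_into("<QQQ", img, 0xB0, block1, block1, block1)   # all three copies point at the one block built here
    entries = (entry(ENTRY_TYPE_VMK, VALUE_TYPE_VMK, vmk(uuid.UUID(int=1), 0x0100, entry(0, 0x0006, bytes(32))))
               + entry(ENTRY_TYPE_VMK, VALUE_TYPE_VMK, vmk(uuid.UUID(int=2), 0x0800, entry(0, 0x0003, bytes(32))))
               + entry(ENTRY_TYPE_DESCRIPTION, VALUE_TYPE_UNICODE, "DESKTOP-SAMPLE C: 01/01/2025".encode("utf-16-le")))
    metadata_size = 48 + len(entries)
    header = (struct.pack("<IIII", metadata_size, 1, 48, metadata_size) + uuid.UUID(int=0xABCD).bytes_le
              + struct.pack("<IHH", 1, 0x8004, 0) + bytes(8))         # nonce counter, AES-XTS 128, creation time
    img[block1:block1 + 8] = FVE_SIGNATURE
    struct.pack_into("<HH", img, block1 + 8, 64, 2)
    img[block1 + 64:block1 + 64 + len(header) + len(entries)] = header + entries
    return bytes(img)


if __name__ == "__main__":
    print(triage(build_sample_image()))   # swap in open(path, "rb").read() for a real volume image
```

On a real image the description entry is what manage-bde prints as the volume label and the protector GUIDs match the key protector IDs that the account portal or AD lists next to each recovery password, which is how a retrieved key is matched to the right volume. The script deliberately stops at metadata block 1; the two further copies exist for redundancy and are parsed the same way if the first is damaged.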

Only New Installations and Reinstalls Are Affected

It is also important to note that this automatic encryption behavior primarily applies during clean installations or factory resets of Windows 11 24H2. Devices that upgrade to 24H2 via Windows Update will not have BitLocker automatically enabled retroactively if the drive was previously unencrypted. The feature respects the existing encryption state and does not enforce new policies on upgraded systems. However, if the user subsequently performs a “Reset this PC” operation or reinstalls Windows 11 24H2 from scratch, the automatic encryption workflow will engage, provided that the hardware requirements are met and the user signs in with a Microsoft Account. For forensic practitioners, this distinction is crucial: while many freshly imaged or reset 24H2 devices will arrive encrypted, systems upgraded in place may remain unencrypted, preserving easier access to evidence.

Conclusion

Microsoft’s Windows 11 24H2 encryption policy is not an abrupt innovation but a methodical expansion of earlier BitLocker Device Encryption practices. Forensic experts must recognize that nearly all seized Windows 11 devices going forward will likely be encrypted – even in the consumer segment.

With BitLocker defaulting on nearly all new Windows installs, forensic workflows must evolve. Early recognition of encryption status is essential. Agencies should also expand evidence collection to alternate sources (cloud data, network logs, secondary devices), recognizing that primary drive data may be permanently inaccessible if keys can’t be recovered.

Preparedness to handle locked systems, proactive legal strategies for key recovery, and updated evidence collection tactics will be vital. As encryption becomes ubiquitous, forensic methodologies must evolve accordingly to maintain investigative effectiveness.

More Information

Additional information on BitLocker encryption: