@Migueldeicaza wait a hot second

Isn't TPM2 "required for Windows 11" to prevent exactly this thing from happening?

Are you implying that Microsoft sent 100s of millions of perfectly fine PCs to a farm upstate just because they want to sell more Windows?!

@hp @Migueldeicaza Windows 10 and 11 always encrypt the disk, but leave BitLocker suspended until you either enable it manually and save a recovery key (only on Pro) or log in to a MS account, where the recovery key is automatically put in escrow, and TPM is set up to unlock the drive automatically. This works well for most users – they get the benefit of drive encryption (so the data is safe if somebody steals their device), while recovery (needed if something prevents TPM from releasing the key) is possible by logging in to MS account on another device.

If your threat model includes state actors, simply don't rely on automatically enabled BitLocker.