
Windows 11 24H2 enabled BitLocker full disk encryption by default for all new installations (including OEM) after a user has logged in with a Microsoft Account.[1] By default the BitLocker "recovery key" (everything one needs to decrypt a BitLocker device) is surrendered to Microsoft (uploaded automatically for storage with the associated Microsoft Account). This situation is similar to the Clipper chip[2] or the Ki key programmed into mobile phone SIM cards during manufacture,[3] where a user does not control the key for its full lifetime and has little to no assurance of who else may have a copy of the key.

Recall when Microsoft lost control of a Microsoft Account OpenID token signing key a year and a half ago?[4] I can't find a reference to confirm whether attackers could have obtained BitLocker recovery keys by logging into any Microsoft Account with an OpenID token signed with the compromised key, but a reasonable assumption would surely lean towards "almost certainly". After this attack, Microsoft still had not conclusively determined, 10 months later, how the key was compromised, and no further news appears to have been published since then.[5]

[1] https://learn.microsoft.com/en-us/windows-hardware/design/de...

[2] https://en.wikipedia.org/wiki/Clipper_chip#Key_escrow

[3] https://nickvsnetworking.com/transport-keys-a4-k4-keys-in-ep...

[4] https://msrc.microsoft.com/blog/2023/09/results-of-major-tec...

[5] https://www.bleepingcomputer.com/news/security/microsoft-sti...
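As an added example (not part of the comment above, and not Microsoft's own tooling), the following elevated PowerShell session uses the built-in BitLocker module to list the key protectors on a volume, add a fresh 48-digit recovery password, store it in a location the operator controls, and then remove every pre-existing recovery password protector. Each recovery password is a separate wrapping of the volume master key, so removing the old protectors invalidates any copy of the old recovery key wherever it was escrowed, including a copy uploaded to a Microsoft Account. Windows exposes no PowerShell cmdlet that reports whether a given recovery password was uploaded, so the script rotates unconditionally. The mount point and the backup directory (`$BackupDir`) are assumptions for illustration.

```powershell
# Added example: audit and rotate the BitLocker recovery password on a volume.
# Run in an elevated PowerShell session on the machine itself. Uses only the
# built-in BitLocker module cmdlets. $BackupDir is an assumed offline location
# (e.g. a USB stick) that the operator, not a cloud account, controls.
param(
    [string]$MountPoint = 'C:',
    [string]$BackupDir  = 'D:\bitlocker-recovery'   # assumption: removable media you hold
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Show what protectors exist. 'RecoveryPassword' is the 48-digit key that
#    Windows offers to back up to the Microsoft Account; 'Tpm' unlocks the
#    disk transparently at boot and never leaves the machine.
$vol.KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId, RecoveryPassword |
    Format-Table -AutoSize

$old    = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$oldIds = @($old | ForEach-Object { $_.KeyProtectorId })

# 2. Add a new recovery password BEFORE removing the old ones, so the volume is
#    never left with the TPM as its only protector.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

$new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }

if (-not $new) { throw "New recovery password protector was not created; aborting before removing old ones." }

# 3. Record the new key somewhere under your own control. Deliberately NOT
#    calling BackupToAAD-BitLockerKeyProtector or using the Settings UI's
#    'Save to your Microsoft account' option, which is the escrow path the
#    comment objects to.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, $new.KeyProtectorId.Trim('{}'))
@(
    "Computer:          $env:COMPUTERNAME"
    "Volume:            $MountPoint"
    "Protector ID:      $($new.KeyProtectorId)"
    "Recovery password: $($new.RecoveryPassword)"
) | Set-Content -Path $file -Encoding ASCII
Write-Host "New recovery password written to $file"

# 4. Remove every pre-existing recovery password protector. Any copy of those
#    48-digit keys, escrowed or not, can no longer unlock this volume.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Host "Removed old recovery password protector $($p.KeyProtectorId)"
}

# 5. Confirm exactly one recovery password protector remains, and that it is the new one.
$remaining = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($remaining.Count -ne 1 -or $remaining[0].KeyProtectorId -ne $new.KeyProtectorId) {
    throw "Unexpected recovery password protectors remain: $($remaining.KeyProtectorId -join ', ')"
}
Write-Host "Rotation complete. Test the new key with: manage-bde -protectors -get $MountPoint"
```

Two caveats for anyone running this: keep the generated text file off the encrypted volume and off any synced folder (OneDrive included), otherwise the new key is escrowed by another route; and on a managed device where Intune or Active Directory policy requires recovery passwords to be backed up, policy will re-escrow the new protector to the organisation's directory, which may be the intended behaviour there but is a different trust boundary from a consumer Microsoft Account.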


