Reply to post: Re: Well, to play devil's advocate here for a moment...

Microsoft's Secure Boot fix sends some PCs into BitLocker Recovery

Jou (Mxyzptlk) Silver badge

Re: Well, to play devil's advocate here for a moment...

> HOWEVER, the fact that it doesn't automatically do this is unforgivable

Hold here... It DOES do that for UPGRADES, if not forbidden by a GPO. If needed, it goes to the control panel for you and sets the "auto-unlock for one reboot" flag, which it then uses during the upgrade (where the several reboots during the upgrade count somewhat as one).

Once the upgrade is done and Windows has booted up successfully, it removes that flag and works normally again. This is actually regarded as a security issue in some circles. But exposing it required a booted-up Windows, unlocked, and administrator rights.

> recovery key in AD

This is currently moved backward, setting the GPO to NOT store the recovery key, blocking that actively. DSGVO is part of the reason. But rogue administrators too. And when laptops are stolen by administrators, who can mass-export the recovery keys from the AD, you know it is better to lose whatever data is on the laptop than to have a chance of someone being able to decrypt it.
