Windows 11 gives you a password but not real security unless you enable BitLocker
I recently helped a family member with a Windows 11 computer that had become completely inaccessible. The owner had forgotten the login password, forgotten the Windows Hello PIN, and also forgotten the security questions. At first glance, this looks like the kind of situation where a device is locked. No password means no access. That was my assumption.
It turned out to be false. As long as the system drive is not encrypted and you have physical access, the password can be reset with surprisingly little resistance. There is no need to guess the password. There is no online verification step. The entire security concept collapses as soon as you obtain a terminal before the user session starts.
This behavior is not an exploit. It is how Windows is intentionally designed. A Windows login password protects the user session. It does not protect the disk. The thing that protects the disk is BitLocker. If BitLocker is disabled, the disk is considered trusted and the user at the keyboard is considered the owner.
There is a built-in recovery process in Windows for forgotten passwords. Security questions and Windows Hello exist precisely for that purpose. In my case they had been forgotten as well. But even if they had worked, they would not have protected the system from physical access. They only help the original owner get back in. They do not secure the data.
The more I looked into this the more surprising it became. My expectation for a modern consumer device in 2026 is simple. I expect the data on the device to be encrypted by default. This is how phones work. Android encrypts storage regardless of whether you sign in with a Google account. iPhones and iPads have been encrypted from the beginning. macOS offers FileVault and many users enable it during onboarding. In all of these cases, the password or biometric unlock is not the security itself. It is the key that unlocks an already encrypted device.
Windows 11 behaves differently. Encryption is optional. During installation Windows never informs the user that the drive is unencrypted. It does not ask the user whether they want to enable BitLocker. It does not warn about the consequences. It does not explain that a Microsoft account is useful for storing recovery keys. It simply creates a system that looks secured because there is a login screen yet the underlying storage is in plain text.
The situation becomes even more puzzling once BitLocker is enabled. On many consumer devices BitLocker will auto-unlock during boot using the TPM. As soon as the operating system has been loaded, the data is decrypted. From that point onward, any code that runs before the user session also runs with full access to the decrypted disk. If a terminal can be launched before login, that terminal effectively has system-level authority. This is fundamentally different from Android, iOS, and macOS, where authentication and decryption are tied together and cannot be separated in this way.
In other words, BitLocker protects data at rest. It does not protect data once the boot process has released the key. It works perfectly for lost or stolen laptops that are powered off. It works well for compliance and enterprise scenarios. But it does not behave like a unified security model for everyday consumers who expect a password to mean actual security.
What makes this so confusing is that Windows mixes two worlds without explaining the boundary. Inside a user session Windows asks for password confirmation and administrative privileges constantly. Outside the user session Windows assumes ownership and grants system authority as soon as the disk is decrypted. For most users, this is not intuitive. In consumer products ownership and authentication are the same thing. In Windows they are separate.
There are straightforward ways this could be improved.
• Warn clearly during installation if BitLocker is off
• Enable BitLocker by default on consumer devices
• Tie Microsoft accounts to recovery key handling in a transparent way
• Explain that PIN and password protect the user session, not the disk
• Teach users that physical access to an unencrypted Windows device means full control
What should users actually do:
• Enable BitLocker
• Use a Microsoft account if you want recovery without manual key management
• Store recovery keys in a safe place
• Consider a firmware password if you care about physical access
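To make the boot-time behavior described above checkable, here is an added PowerShell script (not part of the original post) that reports whether the system drive is encrypted, which key protectors it carries, and flags the TPM-only configuration that releases the key during boot; the commented remediation adds a pre-boot PIN and a recovery password. It assumes Windows 11 Pro or Enterprise with the BitLocker module and an elevated prompt; the FVE policy value names are the standard ones, and the PIN is a placeholder read at runtime.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's code. Audits the OS volume the way the post
# reasons about it: no protection = plain-text disk; TPM-only = auto-unlock at boot.
Import-Module BitLocker

$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

"Volume $($os.MountPoint): $($os.VolumeStatus), protection $($os.ProtectionStatus), method $($os.EncryptionMethod)"
"Key protectors: $(if ($types) { $types -join ', ' } else { 'none' })"

if ($os.ProtectionStatus -ne 'On') {
    # Unencrypted system drive: the login password only guards the session, not the data.
    Write-Warning "System drive is not protected. Physical access means full access to the data."
}
elseif ($types -contains 'Tpm' -and $types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
    # TPM-only: the volume key is released during boot, before any user has authenticated.
    Write-Warning "TPM-only protector: the disk auto-unlocks at boot. Consider a pre-boot PIN."
}
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning "No recovery password protector: a firmware or TPM change would lock you out."
}

# Remediation (uncomment to apply). TPM+PIN must be allowed by policy; the FVE values below
# do that locally (2 = Allow). The PIN is typed at runtime, never stored in the script.
# New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Force | Out-Null
# Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name UseAdvancedStartup -Value 1
# Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name UseTPMPIN -Value 2
# $pin = Read-Host -AsSecureString 'Pre-boot PIN'
# if ($os.ProtectionStatus -ne 'On') {
#     Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
#     Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 `
#         -TpmAndPinProtector -Pin $pin -SkipHardwareTest
# } else {
#     # On an already encrypted volume this swaps the TPM-only protector for TPM+PIN.
#     Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin
#     if ($types -notcontains 'RecoveryPassword') {
#         Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
#     }
# }
# Show the 48-digit recovery password once so it can be stored offline, as the checklist advises.
# (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
#     Where-Object KeyProtectorType -eq 'RecoveryPassword' |
#     ForEach-Object { $_.RecoveryPassword }
```

Run the audit first as-is; with a TPM-only volume it prints the same "unlocks before login" condition the post describes, which is the case the pre-boot PIN closes.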
My conclusion is simple. I assumed Windows 11 worked like a modern consumer system. I assumed encryption. I assumed a forgotten password meant a locked device. Those assumptions were wrong until I manually enabled BitLocker. And the operating system never told me.