just to update I downloaded windows 11 23H2 from MS admin console and then made a new image with fog and deployed it and whilst for some reason the GPO that should auto encrypt the c drive doesn’t appear to be working, if I right click it and choose encrypt with BitLocker and chose allow windows to unlock the drive automatically (which is what the GPO should do) it encrypts just fine. So its definitely something new with Windows 11 24H2 I suspect its to do with secure boot being disabled.

Edit ignore the bit about the gpo not working I moved the pc to a diferent OU for testing and it simply wasn’t applied. I have since now forced windows update to install Win11 24H2 and the drive remains encrypted. so this for a while will be a workaround for our staff laptops that need to be encrypted.