diff --git a/src/core/device.c b/src/core/device.c
index 4c261ec554..fcde8a420e 100644
--- a/src/core/device.c
+++ b/src/core/device.c
@@ -201,12 +201,11 @@ static int device_coldplug(Unit *u) {
          *   Of course, deserialized parameters may be outdated, but the unit state can be adjusted later by
          *   device_catchup() or uevents. */
 
-        if (!m->honor_device_enumeration && !MANAGER_IS_USER(m)) {
+        if (!m->honor_device_enumeration && !MANAGER_IS_USER(m) &&
+            !FLAGS_SET(d->enumerated_found, DEVICE_FOUND_UDEV)) {
                 found &= ~DEVICE_FOUND_UDEV; /* ignore DEVICE_FOUND_UDEV bit */
                 if (state == DEVICE_PLUGGED)
                         state = DEVICE_TENTATIVE; /* downgrade state */
-                if (found == DEVICE_NOT_FOUND)
-                        state = DEVICE_DEAD; /* If nobody sees the device, downgrade more */
         }
 
         if (d->found == found && d->state == state)
diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh
index 96d255dd96..b81b811654 100755
--- a/test/TEST-24-CRYPTSETUP/test.sh
+++ b/test/TEST-24-CRYPTSETUP/test.sh
@@ -10,6 +10,11 @@ TEST_FORCE_NEWIMAGE=1
 # shellcheck source=test/test-functions
 . "${TEST_BASE_DIR:?}/test-functions"
 
+PART_UUID="deadbeef-dead-dead-beef-000000000000"
+DM_NAME="test24_varcrypt"
+KERNEL_APPEND+=" rd.luks=1 luks.name=$PART_UUID=$DM_NAME luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev"
+QEMU_OPTIONS+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img"
+
 check_result_qemu() {
     local ret=1
 
@@ -17,13 +22,13 @@ check_result_qemu() {
     [[ -e "${initdir:?}/testok" ]] && ret=0
     [[ -f "$initdir/failed" ]] && cp -a "$initdir/failed" "${TESTDIR:?}"
 
-    cryptsetup luksOpen "${LOOPDEV:?}p2" varcrypt <"$TESTDIR/keyfile"
-    mount /dev/mapper/varcrypt "$initdir/var"
+    cryptsetup luksOpen "${LOOPDEV:?}p2" "${DM_NAME:?}" <"$TESTDIR/keyfile"
+    mount "/dev/mapper/$DM_NAME" "$initdir/var"
     save_journal "$initdir/var/log/journal"
     check_coverage_reports "${initdir:?}" || ret=5
     _umount_dir "$initdir/var"
     _umount_dir "$initdir"
-    cryptsetup luksClose /dev/mapper/varcrypt
+    cryptsetup luksClose "/dev/mapper/$DM_NAME"
 
     [[ -f "$TESTDIR/failed" ]] && cat "$TESTDIR/failed"
     echo "${JOURNAL_LIST:-No journals were saved}"
@@ -36,45 +41,65 @@ test_create_image() {
     create_empty_image_rootdir
 
     echo -n test >"${TESTDIR:?}/keyfile"
-    cryptsetup -q luksFormat --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p2" "$TESTDIR/keyfile"
-    cryptsetup luksOpen "${LOOPDEV}p2" varcrypt <"$TESTDIR/keyfile"
-    mkfs.ext4 -L var /dev/mapper/varcrypt
+    cryptsetup -q luksFormat --uuid="$PART_UUID" --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p2" "$TESTDIR/keyfile"
+    cryptsetup luksOpen "${LOOPDEV}p2" "${DM_NAME:?}" <"$TESTDIR/keyfile"
+    mkfs.ext4 -L var "/dev/mapper/$DM_NAME"
     mkdir -p "${initdir:?}/var"
-    mount /dev/mapper/varcrypt "$initdir/var"
+    mount "/dev/mapper/$DM_NAME" "$initdir/var"
 
-    # Create what will eventually be our root filesystem onto an overlay
-    (
-        LOG_LEVEL=5
-        # shellcheck source=/dev/null
-        source <(udevadm info --export --query=env --name=/dev/mapper/varcrypt)
-        # shellcheck source=/dev/null
-        source <(udevadm info --export --query=env --name="${LOOPDEV}p2")
+    LOG_LEVEL=5
 
-        setup_basic_environment
-        mask_supporting_services
+    setup_basic_environment
+    mask_supporting_services
 
-        install_dmevent
-        generate_module_dependencies
-        cat >"$initdir/etc/crypttab" <<EOF
-$DM_NAME UUID=$ID_FS_UUID /etc/varkey
-EOF
-        echo -n test >"$initdir/etc/varkey"
-        ddebug <"$initdir/etc/crypttab"
+    install_dmevent
+    generate_module_dependencies
 
-        cat >>"$initdir/etc/fstab" <<EOF
-/dev/mapper/varcrypt    /var    ext4    defaults 0 1
+    # Create a keydev
+    dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16
+    mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img"
+    mkdir -p "$STATEDIR/keydev"
+    mount "$STATEDIR/keydev.img" "$STATEDIR/keydev"
+    echo -n test >"$STATEDIR/keydev/keyfile"
+    umount "$STATEDIR/keydev"
+
+    cat >>"$initdir/etc/fstab" <<EOF
+/dev/mapper/$DM_NAME    /var    ext4    defaults 0 1
 EOF
 
-        # Forward journal messages to the console, so we have something
-        # to investigate even if we fail to mount the encrypted /var
-        echo ForwardToConsole=yes >> "$initdir/etc/systemd/journald.conf"
-    )
+    # Forward journal messages to the console, so we have something
+    # to investigate even if we fail to mount the encrypted /var
+    echo ForwardToConsole=yes >> "$initdir/etc/systemd/journald.conf"
+
+    # If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt
+    # support
+    if [[ -z "$INITRD" ]]; then
+        INITRD="${TESTDIR:?}/initrd.img"
+        dinfo "Generating a custom initrd with dm-crypt support in '${INITRD:?}'"
+
+        if command -v dracut >/dev/null; then
+            dracut --force --verbose --add crypt "$INITRD"
+        elif command -v mkinitcpio >/dev/null; then
+            mkinitcpio --addhooks sd-encrypt --generate "$INITRD"
+        elif command -v mkinitramfs >/dev/null; then
+            # The cryptroot hook is provided by the cryptsetup-initramfs package
+            if ! dpkg-query -s cryptsetup-initramfs; then
+                derror "Missing 'cryptsetup-initramfs' package for dm-crypt support in initrd"
+                return 1
+            fi
+
+            mkinitramfs -o "$INITRD"
+        else
+            dfatal "Unrecognized initrd generator, can't continue"
+            return 1
+        fi
+    fi
 }
 
 cleanup_root_var() {
     ddebug "umount ${initdir:?}/var"
     mountpoint "$initdir/var" && umount "$initdir/var"
-    [[ -b /dev/mapper/varcrypt ]] && cryptsetup luksClose /dev/mapper/varcrypt
+    [[ -b "/dev/mapper/${DM_NAME:?}" ]] && cryptsetup luksClose "/dev/mapper/$DM_NAME"
 }
 
 test_cleanup() {
diff --git a/test/test-functions b/test/test-functions
index 06a06e706a..daed481a29 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -337,6 +337,11 @@ qemu_min_version() {
 # Return 0 if qemu did run (then you must check the result state/logs for actual
 # success), or 1 if qemu is not available.
 run_qemu() {
+    # If the test provided its own initrd, use it (e.g. TEST-24)
+    if [[ -z "$INITRD" && -f "${TESTDIR:?}/initrd.img" ]]; then
+        INITRD="$TESTDIR/initrd.img"
+    fi
+
     if [ -f /etc/machine-id ]; then
         read -r MACHINE_ID </etc/machine-id
         [ -z "$INITRD" ] && [ -e "$EFI_MOUNT/$MACHINE_ID/$KERNEL_VER/initrd" ] \