by sys42590 875 days ago
Recently I wiped the contents of the Trusted Platform Module of a laptop. The laptop then failed to boot, as the BitLocker key was no longer stored in the TPM.

To my surprise it was possible to get a code from Microsoft to access the laptop's disk again, as one of the admin accounts was a Microsoft account.

I strongly suspect Microsoft only activates BitLocker during the OOBE if it can set up this kind of BitLocker recovery mechanism, storing an (indirect) decryption key at Microsoft.

2 comments

It is the primary failsafe for Microsoft 365 accounts to store the BitLocker recovery key with your Microsoft account. The other failsafes are printing the key or storing it on an external device.

One can easily obtain the recovery key on a system by doing "manage-bde -protectors -get c:" in an admin command prompt. This is not a vulnerability, it is by design.
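The failure mode in the original post is a TPM-only protector with no escrowed recovery password; the comment above shows the manage-bde call that lists protectors. The following PowerShell script is an added example, not code from the thread or from Microsoft: it audits the protectors on the OS volume, adds a recovery password protector if none exists, escrows it to the Azure AD tenant the device is joined or registered to, and writes an offline copy, which is the check to run before clearing a TPM. It assumes Windows 10/11 with the built-in BitLocker module and an elevated prompt; the parameter names `MountPoint`, `Destination` and `SkipEscrow` belong to this script, not to BitLocker.

```powershell
# Added example (not from the thread): audit BitLocker protectors on the OS volume and
# make sure a recovery password exists and has been backed up before clearing the TPM.
# Assumes Windows 10/11 with the BitLocker PowerShell module, run from an elevated prompt.
# -MountPoint, -Destination and -SkipEscrow are parameters of this script, not of BitLocker.
param(
    [string]$MountPoint = 'C:',
    # Constructed default for the offline copy; in practice point this at removable media.
    [string]$Destination = "$env:USERPROFILE\BitLocker-Recovery-$(Get-Date -Format yyyyMMdd).txt",
    [switch]$SkipEscrow
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume {0}: ProtectionStatus={1} VolumeStatus={2}" -f $vol.MountPoint, $vol.ProtectionStatus, $vol.VolumeStatus

# List every protector. A volume whose only protector is of type Tpm is exactly the
# configuration that locks you out when the TPM is cleared.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "No RecoveryPassword protector on $MountPoint; adding one."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

foreach ($p in $recovery) {
    # Cloud-side failsafe: escrow the recovery password with the Azure AD tenant.
    # This cmdlet fails on a device that is not Azure AD joined or registered, so the
    # failure is reported rather than treated as fatal.
    if (-not $SkipEscrow) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            "Escrowed protector $($p.KeyProtectorId) to Azure AD."
        } catch {
            Write-Warning "Azure AD escrow failed: $($_.Exception.Message)"
        }
    }
    # Offline failsafe: the "print it or store it on an external device" option.
    "Volume $MountPoint`nProtector $($p.KeyProtectorId)`nRecovery password: $($p.RecoveryPassword)" |
        Out-File -FilePath $Destination -Append -Encoding utf8
}
"Recovery password written to $Destination. Move it off this machine before clearing the TPM."

# Cross-check against the built-in tool mentioned in the thread.
manage-bde -protectors -get $MountPoint
```

On a domain-joined machine, `Backup-BitLockerKeyProtector` with the same `-MountPoint` and `-KeyProtectorId` parameters escrows to Active Directory instead of Azure AD. For a device signed in with a personal Microsoft account, as in the original post, the escrow that made the Microsoft-issued recovery code possible happens through the account itself rather than through this cmdlet, so the offline copy is the part of the script that applies there.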