Posting this in case anyone else gets stuck with the same problem.
Preface: Bitlocker is now an automatic occurrence if you have “Modern Standby” or HSTI-compliant hardware & sign in to a Microsoft account or Azure Active Directory account. This includes Office 365 accounts too, & even if you’re signed in as a local Windows 10 user.
What happened: My client uses 2 laptops (3 actually but 2 for this story). He runs several complementary businesses but likes to keep the information physically separated. Nothing special, a late model Toshiba Satellite & HP Probook G4 that both get well used & lightly abused.
The Toshiba decided it had had enough & was not his friend any more. After a week on standby in his backpack, with very little battery power remaining anyway, it wouldn’t do anything. No power indicator lights even when attempting to charge. Urgency was a factor here, he needed some data from the Toshiba that hadn’t had the opportunity to back up via his LAN (he was off site when he used it).
With no obvious quick fix & him needing the data held on the Satellite, I proposed an efficient rationalisation - neither he (nor anyone who is not a psychopath) uses the ProBook DVD drive, so let’s replace the ODD with a hard drive caddy. We’ll slot the Toshiba SSD in that & you can now have your 2 separate systems in one laptop - dual booting to whichever version you require. On the face of it, a reasonably clever solution - what could possibly go wrong? Lots, because Microsoft is involved.
PB had the caddy, well overpriced when compared to Trademe, but time was of the essence. Install only took a few minutes. The Toshiba drive was MBR boot, HP was GPT so I used a Windows PE USB drive & the excellent, time saving MBR2GPT command line tool. Done in 2 minutes, easy.
At this point, both drives (SSD ex Toshiba & the HP’s NVMe) are visible & accessible in PE Explorer, no Bitlocker encryption in place, indicated or hinted at. Or even thought about, honestly. I hadn’t set it up on any of the company devices at any stage, so had no reason to include it in my thought process.
Reboot, remove the WinPE USB, hold F9 to select the boot drive. Choose the original HP NVMe & everything is sweet. Reboot, F9, choose the SSD ex Toshiba. After a couple of minutes sorting driver files & Windows updates, we’re all good. No problems at all. Time to show the client how to do this so I shut the HP down & called my client in.
Reboot to original HP, no problem, ProBook as it ever was. Ok, reboot & hold F9, select the Toshiba drive. Blue screen Bitlocker page - enter the Bitlocker key to access this drive. Eh? Where did that come from? Did you set Bitlocker encryption on this? I knew he hadn’t, nor would he. Hmm, embarrassing.
Reboot back to the HP system - yeah, you guessed it, Bitlocker key required. So now I’ve gone from one dead laptop but with easily accessible data to both systems having totally inaccessible information via Bitlocker encryption, FFS.
The official Microsoft guide tells you what you must have done with the Bitlocker keys when they were created - none of which happened. His OneDrive storage did not hold any Bitlocker information at all. Neither did the entire company 365 storage, nor his office backup NAS. He hadn’t set Bitlocker, hadn’t asked for it, hadn’t nothing Bitlocker. None of that mattered, what mattered was his urgently required data for both laptops that was being obfuscated by Bitlocker.
I was sidetracked for a while because encrypting hard drives - when you manually invoke Bitlocker - takes some time. In this case, there wasn’t any warning or indication of anything happening & there simply wasn’t time for either drive to be encrypted. I rebooted WinPE holding my breath but there was no miracle waiting there. Nor was there any reprieve by using the built-in Win10 recovery options on either drive. The message was firmly “Bitlocker keys or die”.
Microsoft knowledgebase & online support in particular I find frustrating & counter-intuitive. The set answer to an enquiry is often a link to a page that’s been moved - why don’t you just copy/paste the damn answer instead of running the risk of posting a link that can fail? Anyway, after hours of research, which included finding this automatic Bitlocker invocation but discounting it because he uses local Windows user accounts, I found fragments of information that led me to the answer.
The Admin account for his company Office 365 had been signed into from both his machines (through browser, not Windows user accounts). The laptops were both allocated as 365 approved devices for the company account - hooray Microsoft, glad you did that, mind you, if you hadn’t he’d have cancelled 365 - no point paying for it if you can’t use it.
But there, in the Office 365 Administrator console, under Devices, is a sub-category entitled Bitlocker Keys. Which is where Microsoft automatically store your automatically-created Bitlocker keys when they automatically encrypt your drives. What a relief. I unlocked the drives & we now have the efficient dual booting system that was originally proposed.
You’d think that with all this time-saving automation going on, they might just be able to drop you a note: “BTW, we locked your data so no-one can access it unless they meet our standards. This includes you. Just in case there’s any drama, your unlock keys are kept here.” But no, nothing of the sort. There was no response to a search for Bitlocker in any of his company data at all.
I considered it a combination of tenacity & luck that I managed to find the store. Signing in to Windows as his 365 admin user gave an empty OneDrive storage - the keys weren’t there even though that’s where Microsoft say “you must have stored them”. The information that led me to the Admin console storage wasn’t obvious nor front page of Google stuff.
So while I realise that the combination of events that created this situation was slightly rare, it’s also far from unique & probably reproducible under many different circumstances. If you’re stuck looking for phantom Bitlocker Keys for a computer that’s associated with an Office 365 account, you can find them in the Admin console under Devices / Bitlocker Keys.
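As an added example, not part of the original post: a PowerShell check, run from an elevated prompt on each laptop before any drive is moved or the boot configuration changed, that shows whether the volumes are already encrypted, which protectors exist, and escrows the recovery passwords to the Azure AD / Microsoft 365 tenant (the store the post eventually found under Devices / Bitlocker Keys). It assumes the BitLocker PowerShell module (Windows 10 Pro/Enterprise; Home only has manage-bde) and a device that is Azure AD joined or registered.

```powershell
# Added example (not from the original post). Requires an elevated prompt and the
# BitLocker module; Get-BitLockerVolume is not available on Windows 10 Home, where
# "manage-bde -status" and "manage-bde -protectors -get C:" are the fallback.
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

# 1. Inventory: automatic device encryption on Modern Standby / HSTI hardware encrypts the
#    drive with a clear key first (VolumeStatus FullyEncrypted, ProtectionStatus Off), which is
#    why the volumes still read normally in WinPE; protection is armed once an account escrows
#    the key, and from then on a disk move or boot change triggers the recovery prompt.
$report = foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeType -notin 'OperatingSystem', 'Data') { continue }
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        Protectors        = ($vol.KeyProtector.KeyProtectorType -join ',')
        RecoveryPasswords = $recovery.Count
        RecoveryIds       = ($recovery.KeyProtectorId -join ',')
    }
}
$report | Format-Table -AutoSize

# 2. The dangerous case: an encrypted volume with no recovery password protector at all.
#    Add one now, while the volume is still unlocked, rather than after the prompt appears.
foreach ($row in $report) {
    if ($row.VolumeStatus -ne 'FullyDecrypted' -and $row.RecoveryPasswords -eq 0) {
        Write-Warning "$($row.MountPoint) is encrypted with no recovery password protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $row.MountPoint -RecoveryPasswordProtector | Out-Null
    }
}

# 3. Escrow every recovery password to the tenant the device is joined/registered to, so it
#    shows up under the 365 admin centre's Devices / BitLocker keys page before it is needed.
foreach ($vol in Get-BitLockerVolume) {
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

# 4. Keep an offline copy too (print or store it away from the encrypted drive):
manage-bde -protectors -get C:
```

If step 3 errors with a message about the device not being Azure AD joined, the keys are not being escrowed anywhere and the printed copy from step 4 is the only backup.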