We have a user's machine that's a BYOD device, and the join type is Azure AD registered.
Recently it got locked by BitLocker after doing Windows updates!
To troubleshoot, I managed to find that their machine appears in our Azure tenant along with the BitLocker key, so I managed to obviously unlock the machine.
I've looked at Endpoint Manager (https://endpoint.microsoft.com/), but we don't have any policies in place. Additionally, there's only a small handful of devices that appear there, whereas if I look at the devices in AAD, there are thousands, plus the BitLocker key!
My question is: where in Azure is this enforced? Is it by default? If so, is there documentation on it?