Re: What's wrong with that, Microsoft...?
"[T]ens of thousands of Windows desktops" with BitLocker deployed?
Are you sure that's a real scenario?
Even if it is, shouldn't something be worked out using AD instead of storing cleartext decryption keys on the local machine...? Or, if that's impossible, for whatever reason, shouldn't enabling this "feature" require an admin flipping something in a GPO or something? Some sort of opt-in? If all of that is impossible, shouldn't this be well-documented by Microsoft, to let people know that there's this tiny security hole they should consider?
This is not a bug. This is a "feature" of a security system that completely and totally obliterates it, in certain scenarios. It didn't happen by accident. Someone sat down and engineered this. And any number of other people signed off on it.
I, personally, would be very happy to see all of them fired.