Comment by bri3d

The OOBE (out of box experience) uploads the key by default (it tells you it’s doing it, but it’s a bit challenging to figure out how to avoid it) but any other setup method specifically asks where to back up your key, and you can choose not to. The way to avoid enrollment is to enable Bitlocker later than OOBE.

I really think that enabling BitLocker with an escrowed key during OOBE is the right choice, the protection to risk balance for a “normal” user is good. Power users who are worried about government compulsion can still set up their system to be more hardened.