I queried her about that and she said that didn't happen.
She lied.
Not by intent of course, she simply doesn't know. But the fact of the matter is, Windows doesn't encrypt itself without a target to back up the recovery key. Note, this backup includes a USB storage disk! On which it's a text file... it doesn't have to be directed to the online account if it's manually triggered.
Regardless of HOW it happened, the lack of the recovery key is the exact same outcome... the data is gone. There are some OEM (Dell / HP) systems that SHIP encrypted... she may be in this circumstance. But it doesn't change the reality of where she is right now.
You can format the unit, reconfigure it without the data, and return it to service. You cannot recover the data.
Doesn't matter how long this thread gets.
Doesn't matter how much time you waste trying to get the customer to see reality.
Their data is gone, and it's gone because they didn't track their account details. Windows 11 badgers you into oblivion for an online account for a reason. Windows 10 behaves the exact same way on the same hardware. It's not your job to recover the details, just inform them of how it works, rebuild the unit, and help them just long enough to see the new installation's recovery key present in their MS account.
@YeOldeStonecat It's triggered when the hash of the actual EFI microcode changes. The OS sees the EFI as a foreign object, authentication is required. Updates to the Intel Management Engine do not trigger this process, because the actual code booting the system doesn't change. There is no way to "make things more gentle"; if you change the EFI code at all, the hash changes, and this process fires. Which is why the only safe way forward is to suspend BitLocker, or decrypt the disk before a BIOS update.
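
The pre-BIOS-update routine described in the post above, as an added example that is not part of the original post: it refuses to continue unless a recovery password exists, copies it off the encrypted disk, then suspends BitLocker for a single reboot. The `C:` mount point and the `E:\` backup location are assumptions; run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: BitLocker check before a firmware (BIOS/UEFI) update.
param(
    [string]$MountPoint   = 'C:',    # assumed OS volume
    [string]$KeyBackupDir = 'E:\'    # assumed removable drive, stored away from the PC
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Output "$MountPoint is not encrypted; nothing to suspend."
    return
}

# An encrypted volume with no recovery password is the failure case from the thread:
# stop here instead of changing firmware and hoping the TPM still unlocks the disk.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "$MountPoint is encrypted but has no recovery password protector. " +
          "Add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
}

# The backup must land somewhere other than the disk it unlocks.
if (-not (Test-Path $KeyBackupDir)) { throw "Backup location $KeyBackupDir not found." }
$backupRoot = [System.IO.Path]::GetPathRoot((Resolve-Path $KeyBackupDir).Path)
if ($backupRoot.TrimEnd('\') -eq $MountPoint.TrimEnd('\')) {
    throw "Backup location is on the encrypted volume; choose another drive."
}

# Write protector ID and 48-digit recovery password as a plain text file.
$name = 'BitLocker-{0}-{1}.txt' -f $env:COMPUTERNAME, $MountPoint.TrimEnd(':')
$file = Join-Path $KeyBackupDir $name
$recovery | ForEach-Object {
    "ID: $($_.KeyProtectorId)`r`nRecovery password: $($_.RecoveryPassword)`r`n"
} | Set-Content -Path $file -Encoding ASCII
Write-Output "Recovery key written to $file"

# Suspend for exactly one reboot; protection resumes on its own afterwards.
if ($vol.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Write-Output "BitLocker suspended on $MountPoint for one reboot. Apply the update now."
} else {
    Write-Output "Protection is already off or suspended on $MountPoint."
}
# After the update and reboot, run Get-BitLockerVolume again and check ProtectionStatus.
```

The text file holds the recovery password in the clear, so the drive it sits on needs the same care as the key itself.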