Short version: Windows Hello and AD failed as designed. The domain controller can recover secrets “protected with biometrics”. The DC was compromised in the scenario.

Bitwarden implements biometrics now differently on Windows, keeping the domain controller out of the loop.