I would like to know where Bitlocker is enabled in Intune.

In Microsoft Intune, BitLocker is not automatically enabled by default in Autopilot. However, it can be enabled through Intune policies during or after the Autopilot process. The situation you are describing, where the BitLocker recovery key appears in Intune even though disk encryption isn't explicitly managed, typically occurs because of built-in security features in Windows.

Here’s how it might be happening:

Autopilot and Windows Settings: When you set up a device with Windows Autopilot, Windows might enable BitLocker automatically based on the device’s configuration, especially if the version of Windows supports it. Windows 10/11 automatically enables BitLocker during Out-of-Box-Experience (OOBE) on devices that meet specific hardware requirements (like having TPM).

MDM Policies: Even though disk encryption isn't explicitly set in Intune, Windows has its default encryption policies that apply if the device is compliant with TPM requirements. Additionally, Intune may enforce encryption through a security baseline or compliance policy, even without a specific disk encryption policy being listed under "Manage Disk Encryption."

Windows Configuration: Starting with Windows 10 version 1803, BitLocker can be automatically enabled on capable devices if they are part of an organization’s Azure Active Directory (AAD). This can happen without a specific BitLocker policy in Intune if there is an overall security baseline or compliance policy requiring encryption.

BitLocker via Compliance or Security Baseline: Check the Security Baselines and Compliance Policies in Intune. There may be a baseline or compliance setting enforcing BitLocker without it being a standalone setting.

Thus, while Autopilot doesn't inherently enable BitLocker, it might appear to do so due to automatic encryption based on the hardware and compliance policies applied during enrollment. To verify, review the security baseline and compliance policies applied to the device in Intune.