Sometimes, making particular security design decisions can have unexpected consequences. For security-critical software, such as password managers, this can easily lead to catastrophic failure: In this blog post, we show how Bitwarden’s Windows Hello …
So if I understand correctly, if the user had enabled Windows Hello, then there is an (intended) "backdoor" access to Hello credentials by the Domain Admin?
And this has now been resolved by Bitwarden because Microsoft says it was intended behavior.