@Cataster , To enable BitLocker, we can turn it on for the operating system drive or fixed data drives. It seems we enable it on both, so we get a recovery key for both.
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq
Regarding multiple recovery keys, based on my research, it may be caused by the BitLocker process being interrupted in between, either due to machine-level issues such as with the TPM, or due to end-user actions; the process then starts again, causing the service to generate multiple keys. If you have more questions, you can open a case with AAD or Windows support to find out more.
https://learn.microsoft.com/en-us/answers/questions/504127/why-bitlocker-recovery-keys-generated-multiple-tim.html
In your description, I notice the device shows as not compliant after we enable Secure Boot. Could you check whether the user check-in time has updated? If not, please go to the affected device, install Company Portal, open it, tap Device, select the device and, under Device Status, click "Check access" to see if the compliance status changes.
Hope it can help.
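To see why a single device can show several recovery keys in Entra ID / Intune, it helps to list the recovery password protectors that actually exist on each volume. The script below is an added example, not part of the original answer or of Microsoft's documentation; it assumes an elevated PowerShell session on the affected device with the built-in BitLocker module (Get-BitLockerVolume, BackupToAAD-BitLockerKeyProtector), and the -Escrow switch is a hypothetical option for re-uploading every current key.

```powershell
# Added example (not from the original post): enumerate BitLocker recovery
# password protectors per volume. One recovery key per protected volume is
# expected (OS drive + each fixed data drive); more than one RecoveryPassword
# protector on the same volume is what produces "duplicate" keys in the portal.
function Get-BitLockerRecoveryKeySummary {
    [CmdletBinding()]
    param(
        # Hypothetical switch: re-escrow every RecoveryPassword protector to
        # Entra ID so the portal reflects the keys the device holds right now.
        [switch]$Escrow
    )

    foreach ($v in Get-BitLockerVolume) {
        # Only RecoveryPassword protectors correspond to the 48-digit keys
        # that appear under the device in Entra ID / Intune.
        $recovery = @($v.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($Escrow) {
            foreach ($kp in $recovery) {
                # Real cmdlet from the BitLocker module; uploads one protector
                # (identified by its Key ID) to the device's Entra ID record.
                BackupToAAD-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        [pscustomobject]@{
            Drive            = $v.MountPoint
            VolumeType       = $v.VolumeType        # OperatingSystem or Data
            ProtectionStatus = $v.ProtectionStatus  # On or Off
            RecoveryKeyCount = $recovery.Count
            RecoveryKeyIds   = ($recovery.KeyProtectorId -join ', ')
            # More than one key on a single volume usually means BitLocker
            # was interrupted and re-run, as described in the answer above.
            HasDuplicates    = ($recovery.Count -gt 1)
        }
    }
}

Get-BitLockerRecoveryKeySummary | Format-Table -AutoSize
```

Compare the RecoveryKeyIds column with the Key IDs listed for the device in the Entra ID portal; a key that appears on the device but not in the portal is the one to escrow, and extra keys on one volume can be cleaned up once the current one is confirmed to be backed up.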