Is it possible to automatically store and retrieve BitLocker recovery keys in Hexnode? [Solved]

Participant · Discussion · May 14, 2026

We’re planning to enforce BitLocker on our managed Windows devices, but one concern we have is recovery key management. If a user gets locked out of their laptop, we want IT admins to be able to retrieve the BitLocker recovery key directly from Hexnode instead of maintaining keys manually somewhere else. 

Does Hexnode support this workflow?

Replies (1)

Marked Solution (Pending Review)
Hexnode Expert
May 15, 2026

Yes, Hexnode supports centralized BitLocker recovery key management for Windows devices enrolled through MDM, and it’s one of the more useful parts of managing BitLocker through UEM instead of configuring it manually. 

While configuring the BitLocker policy: 

Navigate to: 

  • Policies > Windows > Security > BitLocker 

  • Set the Recovery Password option to Required. 

  • Make sure Escrow Recovery Password to Hexnode is enabled. 

Once this is configured, the recovery key generated on the device will automatically be stored securely in the Hexnode portal after encryption is enabled. 

You can also configure additional options like recovery key rotation after usage, which helps ensure older recovery keys become invalid once used. 

To check whether a device has been encrypted: 

  • Navigate to Manage > Devices. 

  • Open the required device. 

  • Go to the Security tab. 

You’ll be able to see the BitLocker status and encryption details there. 


If a user gets locked out of their device: 

  • Open the device details page. 

  • Navigate to the Device Summary section. 

  • Under Hardware Info > Drive, you can view the BitLocker recovery password. 

This makes recovery much easier for IT teams since there’s no need to maintain spreadsheets or manually collect recovery keys from end users. 

One recommendation before rolling this out widely is to test the policy on a smaller pilot group first. That helps verify TPM compatibility and ensures encryption behaves as expected across different device models. 
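As an added example (not part of the reply above, and not Hexnode's own tooling), a PowerShell check an admin can run on a pilot device to confirm what the portal's Security tab should end up reflecting: the TPM is ready, the OS volume is fully encrypted with protection on, and a numerical RecoveryPassword protector exists, since that protector is the value an MDM escrows. It relies only on the built-in Get-Tpm and Get-BitLockerVolume cmdlets and must run elevated.

```powershell
# Added example: device-side readiness check for a BitLocker pilot.
# Uses only built-in Windows cmdlets; run in an elevated PowerShell session.
#Requires -RunAsAdministrator

function Test-BitLockerPilotReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # e.g. "C:"
    )

    $result = [ordered]@{
        MountPoint             = $MountPoint
        TpmPresent             = $false
        TpmReady               = $false
        VolumeStatus           = $null
        ProtectionStatus       = $null
        EncryptionPercentage   = 0
        HasTpmProtector        = $false
        HasRecoveryPassword    = $false
        RecoveryProtectorCount = 0
        Ready                  = $false
    }

    # A TPM that is present but not ready is the usual reason a policy
    # applies on paper but the drive never starts encrypting.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $result.VolumeStatus         = [string]$vol.VolumeStatus     # FullyEncrypted / EncryptionInProgress / FullyDecrypted
    $result.ProtectionStatus     = [string]$vol.ProtectionStatus # On / Off
    $result.EncryptionPercentage = $vol.EncryptionPercentage

    # Inspect protector types only; the recovery password itself is never read or printed here.
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $result.HasTpmProtector        = $types -contains 'Tpm'
    $result.RecoveryProtectorCount = @($types | Where-Object { $_ -eq 'RecoveryPassword' }).Count
    $result.HasRecoveryPassword    = $result.RecoveryProtectorCount -gt 0

    # Verdict to compare against the device's Security tab in the Hexnode portal.
    $result.Ready = $result.TpmReady -and $result.ProtectionStatus -eq 'On' -and
                    $result.VolumeStatus -eq 'FullyEncrypted' -and $result.HasRecoveryPassword
    [pscustomobject]$result
}

Test-BitLockerPilotReadiness | Format-List
```

A device that reports Ready = True but shows no recovery password in the portal points at escrow or check-in rather than at encryption itself.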
