Windows 11 Pro BitLocker policy applied but encryption stays off and recovery key is missing (Solved)

Participant
Discussion
8 months ago Oct 15, 2025

A new Windows 11 Pro device was added to Hexnode and the same Windows BitLocker policy used on other devices was associated with it. The older devices already show BitLocker recovery keys, but this new device still shows BitLocker as turned off, so no key is available in the portal.

I expected the policy to enable BitLocker and retrieve the key automatically. Is there something else needed for a new Windows device? Also, the Force BitLocker action appears grayed out unless I enter a fallback password. I'm trying to avoid a startup PIN or password prompt on every reboot.

Replies (3)

Participant
8 months ago Oct 15, 2025

Hi @jennifer,

When a BitLocker policy is deployed to a Windows device, it initiates the configuration on the endpoint, but depending on how the policy is set up, the user may still need to accept the BitLocker prompt directly on the device before encryption is fully enabled and the recovery key is escrowed.

If you want to trigger the encryption from the Hexnode portal, you can use the Force BitLocker Encryption remote action. If this action is grayed out and asking for a fallback password, it is because the action requires those recovery details to be configured before it can proceed.

To ensure silent encryption without requiring a startup PIN on every reboot, make sure your BitLocker policy is set to use TPM-based protection instead of a startup PIN-based configuration.

Please let me know if you run into any further encryption or policy snags with your new Windows deployments!

Best regards,
Eden Pierce
Hexnode UEM

Participant
8 months ago Oct 17, 2025

That explains part of it. I noticed the Force BitLocker action lets me continue only if I enter a fallback password. Does adding a fallback password mean users will see a password prompt whenever the laptop restarts? 

I ended up enabling BitLocker manually on the new laptop and that worked. The recovery key is now available in Hexnode. I was mainly trying to understand why the same policy behaved differently on the older devices.

Hexnode Expert
8 months ago Oct 17, 2025

Hi @jennifer,

No, the fallback password is not a standard startup password prompt. It is strictly used as part of the BitLocker recovery and fallback configuration.

As long as you configure the policy to use TPM-based protection without a startup PIN requirement, users will not have to enter anything during a normal boot. Once BitLocker is successfully enabled, the recovery key will be securely escrowed in the portal. Please note that Hexnode cannot retrieve the fallback password once set, so ensure you record it securely at the time of execution.

If the older devices encrypted seamlessly with the same policy, they likely either had the necessary TPM and fallback settings already in place when the Force BitLocker Encryption action was executed, or the users simply accepted the required BitLocker prompt on the device sooner. You can verify exactly what was used on your older devices by checking their Action History and looking for the specific Force BitLocker command to see the TPM PIN or fallback password details provided at that time.

As a quick summary for your future enrollments:

  • Policy association starts the setup, but may still require user confirmation on the device.
  • Use the Force BitLocker Encryption action to trigger encryption remotely.
  • Use TPM-based protection to ensure silent startups without PIN prompts.
  • Check the Action History to review any configured fallback passwords.

Please let me know if you run into any more encryption snags with your newer Windows deployments!

Best regards,
Eden Pierce
Hexnode UEM
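The points in the reply above (TPM present and ready, a TPM-only protector rather than a PIN, and a recovery password protector that exists before the portal can show a key) can be checked on the endpoint itself. The script below is an added example written for this page, not Hexnode's code and not something the poster ran; it uses only the built-in BitLocker and TrustedPlatformModule cmdlets. It assumes the OS volume is C:, that no startup PIN is wanted, and that escrow to the UEM happens through the UEM agent, so it only prints the recovery password locally and optionally backs it up to Entra ID. Run it elevated; without -Enable it is report-only.

```powershell
# Added example (not Hexnode's code): check that a Windows 11 Pro device is ready for
# silent, TPM-only BitLocker and optionally enable it with a RecoveryPassword protector,
# so a 48-digit recovery key exists for a UEM to escrow. Run from an elevated PowerShell.
# Assumptions: OS volume is C:, TPM is the only pre-boot protector (no PIN/password),
# escrow to the UEM portal is done by its agent and is not reproduced here.

[CmdletBinding()]
param(
    [string]$MountPoint = 'C:',
    [switch]$Enable,            # actually turn BitLocker on; default is report-only
    [switch]$BackupToEntraId    # also escrow the recovery password to Entra ID (AAD)
)

function Test-SilentBitLockerPrereqs {
    param([string]$MountPoint)
    $ok = $true

    # 1. TPM present and ready. Without it, Enable-BitLocker -TpmProtector fails and the
    #    remaining options (PIN, password, startup key) all prompt the user at every boot.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Warning "TPM not usable (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady))"
        $ok = $false
    }

    # 2. Volume state. FullyDecrypted + ProtectionStatus Off is the state described for
    #    the new device; an encrypted volume with ProtectionStatus Off means protection is
    #    suspended, which is a different problem with the same "no key" symptom.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $line = '{0}: VolumeStatus={1} ProtectionStatus={2} Method={3}'
    Write-Host ($line -f $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod)

    # 3. Protectors. A silent boot needs a 'Tpm' protector (not TpmPin, TpmPinStartupKey or
    #    Password) plus a 'RecoveryPassword' protector, which is what a portal shows as the key.
    foreach ($kp in $vol.KeyProtector) {
        Write-Host ('  protector {0} type={1}' -f $kp.KeyProtectorId, $kp.KeyProtectorType)
    }
    $types = @($vol.KeyProtector.KeyProtectorType)
    if (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey') -or ($types -contains 'Password')) {
        Write-Warning 'A PIN/password protector is present; users will be prompted at every boot.'
    }
    if (-not ($types -contains 'RecoveryPassword')) {
        Write-Warning 'No RecoveryPassword protector; there is nothing for a UEM to escrow yet.'
    }
    return [pscustomobject]@{ Ready = $ok; Volume = $vol }
}

$state = Test-SilentBitLockerPrereqs -MountPoint $MountPoint
if (-not $Enable) { return $state }
if (-not $state.Ready) { throw 'Prerequisites not met; refusing to enable BitLocker.' }

$vol = $state.Volume
# Create the recovery password before encryption starts so the key exists from the outset.
if (-not (@($vol.KeyProtector.KeyProtectorType) -contains 'RecoveryPassword')) {
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # TPM-only protector: nothing to type at boot. -SkipHardwareTest skips the reboot and
    # on-device confirmation step; remove it if you want the hardware test to run first.
    $null = Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly -SkipHardwareTest
} elseif ($vol.ProtectionStatus -eq 'Off') {
    # Already encrypted but suspended: resume rather than re-encrypt.
    $null = Resume-BitLocker -MountPoint $MountPoint
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Write-Host "Recovery password protector $($rp.KeyProtectorId): $($rp.RecoveryPassword)"
if ($BackupToEntraId) {
    # Built-in cmdlet; succeeds only on Entra-joined or Entra-registered devices.
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}
```

Run it once with no switches on a device that shows "BitLocker off" in the portal: a TPM warning, a missing RecoveryPassword protector, or a TpmPin protector each explain a different version of the symptom in the thread. Only re-run with -Enable after those checks are clean, and treat the printed recovery password as a secret: the portal is the intended place for it, not a console log.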
