They really should (no joke). That's how recovery works when you manage lots of devices. And I wouldn't be surprised if they can do that with Linux already via Intune.

Full disk-encryption doesn't mean your encryption key never leaves the device. Matter of fact, there is no point in FDE if the key is readily accessible pre-boot on the device. And no mature key management system relies on users remembering credentials as the end-all-be-all. Even login credentials have recovery mechanisms. With FDE, that is the recovery mechanism.

It helps with locking out disks after a device is lost/stolen. it also helps when the hardware is fried and you have important data that needs recovery. Imagine that but you have 100k devices to manage that way. Are you going to rely on a revolving-door of 100k+ employees to manage that credential? And I'm sure it's stored on disk encrypted in their DB, but eventually the unencrypted credential is needed. Block-ciphers ultimately need the plain-text secret provided to them to function, regardless of what complex systems you use, the ciphers need the same deterministic secret.

Ultimately this isn't any worse than being able to go to their website and have a recovery link sent to your email, except instead of the whole send email part, you have to be an authorized admin or owner in their portal, and you just get it from there. Pre-boot, there is no networking or internet, even things like correct time information can't be guaranteed, for more complex systems.

LUKS supports multiple decryption methods so you could for example add one with a really long string or a yubikey as a backup. Most folks replying here aren't encrypting anything at all.