How to Rotate FileVault recovery keys for macOS in Intune
In this post, I will show you how to rotate FileVault recovery keys for macOS devices in Intune. Intune allows administrators to rotate the FileVault Recovery Key to protect user data, files, and vital information on the device.
One reason to rotate a FileVault key is that the current personal recovery key has been lost or is thought to be compromised. Rotation also ensures that the old recovery key can no longer be used. As a security measure, rotate the FileVault recovery key periodically to reduce the risk that a leaked key can be used against deployed devices.
You can rotate the macOS FileVault recovery key after you have enabled FileVault with Intune. I will also demonstrate how users can retrieve the recovery key when required. Also, see how to rotate the local administrator password on Windows devices in Intune.
Automatic vs Manual rotation of FileVault recovery keys
Intune supports both automatic rotation and manual rotation of macOS FileVault recovery keys. Let’s understand the differences between these methods.
- Automatic rotation: With automatic rotation, you configure the FileVault setting Personal recovery key rotation to generate new recovery keys periodically. When a new key is generated for a device, the key isn’t displayed to the user. The user must instead obtain the key via the Company Portal app or from an administrator.
- Manual rotation: With manual rotation, you can view information for a device that you manage with Intune and that’s encrypted with FileVault. You can then manually choose to rotate the recovery key for corporate devices. However, you can’t rotate recovery keys for personal devices.
Note: Administrators can’t view personal recovery keys for devices that are encrypted with FileVault.
Method 1: Automatically Rotate FileVault Recovery Keys
The Personal recovery key rotation setting in Intune determines how frequently the personal recovery key for the devices will rotate. The personal recovery key rotation can be configured under Device configuration > Profiles > Endpoint protection > FileVault.
The personal recovery key rotation value must be specified in months. The minimum interval for rotating the recovery key is 1 month and the maximum is 12 months.
Method 2: Manually Rotate FileVault Recovery Key
To manually rotate the FileVault personal recovery key in the Intune admin center:
- Sign in to the Microsoft Intune admin center.
- Go to Devices > macOS.
- From the list of devices, select the macOS device that is encrypted and select Rotate FileVault Recovery Key.
The following message appears: “Are you sure you’d like to rotate the FileVault recovery key for this device? This will rotate the FileVault personal recovery key for this device immediately.” Click Yes to confirm the key rotation.
The next time the device checks in with Intune, the personal key is rotated. In the Intune admin center, you see a notification “Rotate FileVault recovery key initiated.” The status message shows that the Rotate FileVault recovery key is pending…
After a few minutes, you will see the status changed to Rotate FileVault recovery key: Completed. This confirms that the recovery key is successfully rotated on the remote Mac device through Intune.
Method 3: Rotate FileVault recovery key in Intune admin center
Here’s another way to change the recovery key for Mac devices in Intune.
- Sign in to the Microsoft Intune admin center.
- Select Devices > All Devices.
- From the list of devices, select the encrypted device whose key you want to rotate. Then, under Monitor, select Recovery Keys.
- On the Recovery Keys pane, select Rotate FileVault recovery key.
How to Recover FileVault Recovery keys
End users can use the Company Portal website from any device to view the current personal recovery key for any of their managed devices. There are two ways to get there, and I demonstrate both in the sections below.
Company Portal Website
Follow the below steps to view a recovery key on Mac:
Step 1: Sign in to the Intune Company Portal website from any device. In the portal, go to Devices and select the macOS device that is encrypted with FileVault.
Step 2: Under Device Encryption, select Get recovery key.
Step 3: The current recovery key is displayed on the screen for the Mac device. You can copy and enter this 24-digit code into the FileVault recovery screen on your computer.
Company Portal App
The option to view the recovery key also appears in the Company Portal app on a Mac; however, it still uses the Company Portal website to access the key. Here is the method that I tried to view the recovery key from the Company Portal app on my Mac.
Launch the Company Portal app on your Mac. On the Devices tab, scroll down and, under Device Encryption, select Get Recovery Key.
A browser opens, and the user has to sign in and complete the authentication. Once that is completed, the recovery key is displayed.
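As an added example (not part of the original post), here is a small shell helper an admin can use after a rotation shows as Completed in Intune and the user has retrieved the new 24-character key from the Company Portal: it normalizes a pasted key into the expected six groups of four and, on the Mac itself, checks that FileVault is on and a personal recovery key exists before handing off to Apple's `fdesetup validaterecovery`. The key format (24 uppercase letters or digits), the `fdesetup status`, `fdesetup haspersonalrecoverykey` and `fdesetup validaterecovery` verbs are real macOS tooling; the sample key in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Normalizes a FileVault personal
# recovery key as pasted from the Company Portal, then (macOS only) verifies it
# against the device. After an Intune rotation completes, the old key should
# fail validaterecovery and the key now shown in Company Portal should pass.

# normalize_prk: strip spaces/hyphens, uppercase, and print the key as six
# hyphenated groups of four. Returns 1 if the result is not 24 alphanumerics.
normalize_prk() {
  raw=$(printf '%s' "$1" | tr -d ' -' | tr '[:lower:]' '[:upper:]')
  case "$raw" in
    *[!A-Z0-9]*|'') return 1 ;;   # anything but A-Z / 0-9 is a paste error
  esac
  [ ${#raw} -eq 24 ] || return 1  # personal recovery keys are 24 characters
  printf '%s' "$raw" | sed 's/\(....\)/\1-/g; s/-$//'
}

# verify_prk_on_mac: confirm FileVault is on and a personal recovery key is
# set, print the normalized key, then run Apple's interactive validator
# (it prompts for the key; needs root). Return 2 on a precondition failure.
verify_prk_on_mac() {
  key=$(normalize_prk "$1") || { echo "malformed recovery key" >&2; return 2; }
  fdesetup status | grep -q 'FileVault is On' \
    || { echo "FileVault is not enabled on this Mac" >&2; return 2; }
  [ "$(fdesetup haspersonalrecoverykey)" = "true" ] \
    || { echo "no personal recovery key set on this Mac" >&2; return 2; }
  echo "Enter this key at the prompt: $key"
  sudo fdesetup validaterecovery
}
```

Run `verify_prk_on_mac '<key from Company Portal>'` on the rotated Mac; a non-zero exit from `fdesetup validaterecovery` means the key you hold is no longer the current one.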