In this post, I will show you how to rotate FileVault recovery keys for macOS devices in Intune. Intune allows administrators to rotate the FileVault Recovery Key to protect user data, files, and vital information on the device.

One reason to rotate a FileVault key is that the current personal recovery key has been lost, or has been seen by someone who should no longer hold it (for example, it was read out to a help desk engineer or a user who has since left). Rotation invalidates the previous key, so an old or leaked recovery key can no longer be used to unlock the disk. As a security measure, rotate the recovery key periodically as well, so that a key that leaks from a deployed device does not stay valid indefinitely.

You can rotate the macOS FileVault recovery key after you have enabled FileVault with Intune. I will also demonstrate how users can retrieve the recovery key when required. Also, see how to rotate the local administrator password on Windows devices in Intune.


Automatic vs Manual rotation of FileVault recovery keys

Intune supports both automatic rotation and manual rotation of macOS FileVault recovery keys. The differences between the two methods are:

  • Automatic rotation: With automatic rotation, you configure the FileVault setting Personal recovery key rotation so that a new recovery key is generated periodically. When a new key is generated for a device, the key is not displayed to the user; the user must obtain it via the Company Portal app or from an administrator.
  • Manual rotation: With manual rotation, you view the information for a device that you manage with Intune and that is encrypted with FileVault, and then choose to rotate its recovery key yourself. This is only available for corporate-owned devices; recovery keys can't be rotated for personally owned devices.

Note: Administrators can't view personal recovery keys for devices that are encrypted with FileVault.

Method 1: Automatically Rotate FileVault Recovery Keys

The Personal recovery key rotation setting in Intune determines how frequently the personal recovery key for the devices will rotate. The personal recovery key rotation can be configured under Device configuration > Profiles > Endpoint protection > FileVault.

The rotation interval is specified in months. The minimum is 1 month and the maximum is 12 months.

Automatically Rotate FileVault Recovery Keys

Method 2: Manually Rotate FileVault Recovery Key

To manually rotate the FileVault personal recovery key in the Intune admin center:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > macOS.
  • From the list of devices, select the encrypted macOS device, then select Rotate FileVault Recovery Key.
Manually Rotate FileVault Recovery Key in Intune

The following message appears: “Are you sure you’d like to rotate the FileVault recovery key for this device? This will rotate the FileVault personal recovery key for this device immediately.” Click Yes to confirm the key rotation.

Manually Rotate FileVault Recovery Key in Intune

The personal recovery key is rotated the next time the device checks in with Intune, so a Mac that is powered off or offline stays in the pending state until it next contacts the service. In the Intune admin center, you see the notification "Rotate FileVault recovery key initiated", and the device's status shows "Rotate FileVault recovery key: Pending".

Rotate macOS FileVault Recovery Key Pending

After a few minutes, the status changes to "Rotate FileVault recovery key: Completed". This confirms that the recovery key was rotated on the remote Mac through Intune, and the previous key no longer unlocks the disk.

Rotate macOS FileVault Recovery Key Completed

Method 3: Rotate FileVault recovery key from the Recovery keys pane

Here's another way to rotate the key for a Mac from the Intune admin center, starting from the device's Recovery keys pane under Monitor.

  1. Sign in to the Microsoft Intune admin center.
  2. Select Devices > All Devices.
  3. From the list of devices, select the device that is encrypted and for which you want to rotate its key. Then, under Monitor, select Recovery Keys.
  4. On the Recovery Keys pane, select Rotate FileVault recovery key.
Rotate FileVault recovery key in Intune admin center

How to Retrieve FileVault Recovery Keys

End users can use the Company Portal website from any device to view the current personal recovery key for any of their managed Macs. There are two ways to get there, and both are shown below.

Company Portal Website

Follow these steps to view the recovery key for a Mac:

Step 1: Sign in to the Intune Company Portal website from any device. In the portal, go to Devices and select the macOS device that is encrypted with FileVault.

Get FileVault Recovery key using Company Portal Website

Step 2: Under Device Encryption, select Get recovery key.

Get FileVault Recovery key using Company Portal Website

Step 3: The current recovery key for the Mac is displayed on the screen. Copy this 24-character key (six groups of four letters and digits, separated by hyphens) and enter it at the FileVault recovery prompt on the Mac. Treat the key as a credential: anyone who holds it can unlock the disk, so rotate it once it has been used or shared.

Get FileVault Recovery key using Company Portal Website

Company Portal App

The option to view the recovery key also appears in the Company Portal app on the Mac; however, it still hands off to the Company Portal website to display the key. Here is the method I tried to view the recovery key from the Company Portal app on my Mac.

Launch the Company Portal app on the Mac. On the Devices tab, scroll down and, under Device Encryption, select Get Recovery Key.

Get Recovery Key from macOS Company Portal app

A browser opens, and the user has to sign in and complete authentication. Once that is done, the recovery key is displayed.

Get Recovery Key from macOS Company Portal app
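As an added example (not code from the original post), here are the checks a Mac admin can run on the device itself once a rotation from Method 2 or Method 3 shows Completed, and for confirming that a key retrieved through Company Portal as described above really is the one the Mac accepts. It uses Apple's fdesetup(8). The key shape (six hyphenated groups of four uppercase letters and digits), the use of the -inputplist form of validaterecovery with the key under the Password key, and all function names are my assumptions, not anything shown in the post; if your macOS build rejects -inputplist, run sudo fdesetup validaterecovery and paste the key at its prompt instead.

```bash
#!/bin/bash
# Added example, not from the original post: on-device checks around a FileVault
# personal recovery key (PRK) rotation, using Apple's fdesetup(8). Run it on the
# Mac after the Intune action shows "Completed" and a new key is visible in
# Company Portal. Assumed here (not stated in the post): the PRK shape is
# XXXX-XXXX-XXXX-XXXX-XXXX-XXXX, 24 uppercase alphanumerics in six groups.

# Normalise a key as pasted from Company Portal: drop whitespace and hyphens,
# uppercase, and re-insert the hyphens if exactly 24 characters remain.
prk_normalise() {
  local compact
  compact=$(printf '%s' "$1" | sed 's/[[:space:]-]//g' | tr '[:lower:]' '[:upper:]')
  if [ "${#compact}" -ne 24 ]; then
    printf '%s' "$compact"   # wrong length: hand back as-is so the shape check fails
    return 0
  fi
  printf '%s' "$compact" | sed 's/.\{4\}/&-/g; s/-$//'
}

# Returns 0 if the key has the PRK shape, 1 otherwise. A transcription error is
# the usual reason an escrowed key "does not work" at the pre-boot screen.
prk_format_ok() {
  printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

# Build the property list that fdesetup reads on stdin with -inputplist; the
# Password key carries the recovery key for validaterecovery (assumed form).
prk_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<plist version="1.0"><dict><key>Password</key><string>%s</string></dict></plist>\n' "$1"
}

# Ask the Mac whether a key is the PRK it currently accepts; prints true/false.
# Run it with the new key (expect true) and then with the previous key (expect
# false): a rotated-out key must no longer unlock the volume.
fv_validate_prk() {
  local key
  key=$(prk_normalise "$1")
  prk_format_ok "$key" || { echo "not a PRK shape: $key" >&2; return 2; }
  prk_plist "$key" | sudo fdesetup validaterecovery -inputplist
}

# Summarise FileVault state: encryption on, and a personal key present.
fv_report() {
  sudo fdesetup status                   # "FileVault is On." / "FileVault is Off."
  printf 'Personal recovery key present: '
  sudo fdesetup haspersonalrecoverykey   # true / false
}

# Rotate the PRK locally, outside Intune. fdesetup prompts for a FileVault-enabled
# user's name and password and prints the new key. Confirm that the new key shows
# up in the admin center (device > Monitor > Recovery keys) after the next check-in
# before you discard the old one; until then Intune may still hold the old key.
fv_rotate_prk_locally() {
  sudo fdesetup changerecovery -personal
}

# Only touch fdesetup when run on a Mac with "check [KEY]"; the functions above
# are safe to source anywhere.
if [ "${1:-}" = "check" ] && command -v fdesetup >/dev/null 2>&1; then
  fv_report
  if [ -n "${2:-}" ]; then
    fv_validate_prk "$2"
  fi
fi
```

Usage on the Mac: `sudo ./fv_check.sh check 'abcd-efgh-ijkl-mnop-qrst-uvwx'` prints the FileVault state and then true or false for the key. The shape check runs before fdesetup is called so that a mis-typed key is reported as such rather than as a failed validation.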


Prajwal Desai

Prajwal Desai is a technology expert and 10-time Dual Microsoft MVP (Most Valuable Professional) with a focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, and community leader, known for sharing his expertise and knowledge through his blog, YouTube, conferences, webinars, etc.