In this post, I’ll show you several ways to rotate macOS FileVault recovery keys in Intune. If you’ve enabled FileVault with Intune, you can rotate keys whenever needed. Common reasons to rotate manually:
- Personal key is lost or compromised: the current personal recovery key can no longer be found or can no longer be trusted.
- Suspected exposure: the key was shared, emailed, pasted into a ticket, or otherwise revealed.
- Pre-Intune encryption: Device was already encrypted before you enabled FileVault with Intune; rotate to generate a new key and escrow it in Intune.
- Escrow or rotation issues: Intune shows no key or a scheduled rotation failed; force a manual rotation to fix and escrow the new key.
On the Windows side, I’ve written a similar post on rotating the local administrator password. For details, see: 4 Ways To Rotate Local Admin Password Using Intune.
Automatic vs. Manual rotation of FileVault recovery keys
You can configure key rotation to happen automatically through the macOS FileVault policy, or rotate keys manually with the Rotate FileVault recovery key option in Intune. Let’s look at automatic and manual key rotation in more detail.
- Automatic rotation: When you create a macOS FileVault policy in Intune, you can set a recovery key rotation schedule from 1 to 12 months. The recovery key will rotate automatically on that schedule. When a new key is generated, it isn’t shown to the user. They must retrieve it from an admin or via the Company Portal app.
- Manual rotation: You can manually rotate FileVault recovery keys in Intune by selecting Rotate FileVault recovery key on the device or by running a bulk action with Microsoft Graph. Manual rotation is available only for corporate devices; you can’t rotate recovery keys for personal devices.
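The bulk option mentioned above is the per-device Graph action rather than a button in the admin center. The following is an added example (not code from the original post) that rotates keys for every corporate-owned, encrypted Mac in one pass. It assumes the Microsoft Graph beta endpoints `GET /deviceManagement/managedDevices` (with an OData filter) and `POST /deviceManagement/managedDevices/{id}/rotateFileVaultKey`, which returns 204 No Content on success, and an app registration that already holds the privileged device-operations permission Intune requires for this action; check the current Graph reference for both before relying on them. The HTTP transport is injected, so the module runs offline against the constructed sample listing at the bottom.

```python
# Added example, not code from the original post: bulk FileVault recovery-key
# rotation through Microsoft Graph. Assumed beta endpoints (verify against the
# current Graph reference):
#   GET  /deviceManagement/managedDevices?$filter=...
#   POST /deviceManagement/managedDevices/{id}/rotateFileVaultKey  -> 204 on success
# The HTTP transport is injected, so the module runs offline against the
# constructed sample page at the bottom; graph_poster() is the real transport.
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List
from urllib.parse import quote

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Only corporate-owned, already-encrypted Macs qualify: manual rotation is not
# offered for personally owned devices.
MAC_FILTER = ("operatingSystem eq 'macOS' and isEncrypted eq true "
              "and managedDeviceOwnerType eq 'company'")


def list_url() -> str:
    """Listing query that selects only the fields the rotation loop needs."""
    return (f"{GRAPH_BETA}/deviceManagement/managedDevices"
            f"?$select=id,deviceName&$filter={quote(MAC_FILTER)}")


def rotate_url(device_id: str) -> str:
    """Per-device action: generates a new personal recovery key and escrows it in Intune."""
    return f"{GRAPH_BETA}/deviceManagement/managedDevices/{device_id}/rotateFileVaultKey"


def eligible_devices(page: dict) -> List[dict]:
    """Pull id/deviceName pairs out of one Graph listing page (its 'value' array)."""
    return [{"id": d["id"], "deviceName": d.get("deviceName", "")}
            for d in page.get("value", [])]


def rotate_keys(devices: Iterable[dict], post: Callable[[str], int]) -> Dict[str, str]:
    """POST the rotate action for each device and record the outcome per device id.

    204 No Content is the only success code. The new key is never returned by this
    call; it is escrowed to the device object and the user retrieves it through
    Company Portal. Failures are recorded, not raised, so one bad device does not
    stop the batch.
    """
    results: Dict[str, str] = {}
    for d in devices:
        try:
            status = post(rotate_url(d["id"]))
        except urllib.error.URLError as exc:  # network-level failure, no HTTP status
            results[d["id"]] = f"error ({exc.reason})"
            continue
        results[d["id"]] = "rotated" if status == 204 else f"failed (HTTP {status})"
    return results


def graph_poster(access_token: str) -> Callable[[str], int]:
    """Real transport: POST with an app-registration bearer token (token acquisition
    is outside this example). Returns the HTTP status, including error statuses."""
    def post(url: str) -> int:
        req = urllib.request.Request(
            url, method="POST", data=b"",
            headers={"Authorization": f"Bearer {access_token}", "Content-Length": "0"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return post


# Constructed sample listing page in the shape Graph returns; the ids are made up.
SAMPLE_PAGE = {
    "@odata.context": f"{GRAPH_BETA}/$metadata#deviceManagement/managedDevices",
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111", "deviceName": "MBP-FINANCE-01"},
        {"id": "22222222-2222-2222-2222-222222222222", "deviceName": "MBP-HR-07"},
        {"id": "33333333-3333-3333-3333-333333333333", "deviceName": "MBA-RETIRED-02"},
    ],
}


def fake_post(url: str) -> int:
    """Offline stand-in for graph_poster: the 'retired' device answers 404."""
    return 404 if "33333333" in url else 204


def demo() -> Dict[str, str]:
    """Run the batch against the constructed page with the offline transport."""
    return rotate_keys(eligible_devices(SAMPLE_PAGE), fake_post)


if __name__ == "__main__":
    for device_id, outcome in demo().items():
        print(device_id, outcome)
```

In production, fetch `list_url()` with the same bearer token, follow `@odata.nextLink` until the listing is exhausted (Graph pages managed-device results), and pass `graph_poster(token)` instead of `fake_post`. Keeping the per-device outcome map lets you re-run only the devices that reported a failure, which is exactly the escrow/rotation-failure case listed at the top of the post.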
Method 1: Automatic Rotation of FileVault Recovery Keys
As previously mentioned, automatic rotation of the FileVault key is set in the disk encryption FileVault policy. Below are the steps to configure automatic key rotation:
- Sign in to the Intune admin center > Endpoint security > Disk encryption > Create policy.
- Platform: macOS; Profile: macOS FileVault
On the Configuration settings page, set Recovery key rotation (months) to any value from 1 month to 12 months. In the screenshot below, I set it to 6 months. The key will then rotate automatically every 6 months, and the new key will be saved with the device object in Intune.
Method 2: Rotate FileVault Recovery Key Option Under Password and keys
- From Intune admin center > Devices > macOS.
- Click on a macOS device that has been encrypted > Click on Password and keys > Rotate FileVault recovery key.
Method 3: Rotate FileVault Recovery Key Option in Device Action Menu
You can also rotate FileVault Recovery Key using the device action menu.
- From Intune admin center > Devices > macOS.
- Click on a macOS device that has been encrypted. On the Overview page, select the three dots (…) in the device action menu and select Rotate FileVault recovery key.
Where to find the FileVault Recovery Key?
There are several ways to get the FileVault recovery key. As a user, you can open either the Company Portal website or the Company Portal app on your enrolled Mac to retrieve the key. Please note that an administrator can’t view personal recovery keys for devices that are encrypted with FileVault.
Using Company Portal Website
- Sign in to the Intune Company Portal website on your managed Mac device. Click on the hamburger icon on the top left-hand side and select Devices.
- Select your device.
- Scroll down on the page and click on Get recovery key under Device encryption section.
Using Company Portal App
You can also use the Company Portal app to get the FileVault recovery key. Let’s check the steps:
- Open the Company Portal App on your Mac device.
- Under the Devices tab, select the device and scroll down the page.
- Under Device encryption, click Get recovery key.