If you are mainly concerned with security, you will quickly come into contact with the topic of device management. Microsoft Endpoint Manager (formerly Intune) is a cloud-based management solution with which macOS-based devices can be managed.
One of the first and most common tasks when implementing device management is to enable disk encryption - FileVault on macOS - via policy. The next time the Mac restarts, FileVault activates automatically and the recovery key is stored in Microsoft Endpoint Manager / Intune. This process is called FileVault Recovery Key Escrow. The FileVault recovery key can then be retrieved from the device profile in Microsoft Endpoint Manager / Intune.
If FileVault was already active on the macOS device, no recovery key is displayed. The reason is that the recovery key is only deposited with the escrow provider during a key rotation, and applying the FileVault policy does not trigger a rotation.
So we have the option of waiting for the next rotation to occur (configured in the FileVault policy) or we can do it ourselves. In the Endpoint Manager, however, the rotation can only be initiated manually if a recovery key is stored. If it is not, we must perform the rotation on the macOS device itself.
These steps solve the problem:
- Open the terminal with a user who has administrator privileges
- Execute the following command:
sudo fdesetup changerecovery -personal
- Enter the password of the currently logged in user
- Enter the user name of the currently logged in user
- Re-enter the password of the currently logged in user
- The new FileVault Recovery Key is displayed and automatically saved in Endpoint Manager
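The steps above can be wrapped in a small shell script that first confirms FileVault is actually on before attempting the rotation, and that can sanity-check a key against the personal recovery key format. This is an added example, not code from the original post or from Microsoft; it assumes a macOS host with `fdesetup` and a working MDM enrolment, and the helper function names are my own.

```shell
#!/bin/sh
# Added example: guard the manual FileVault personal recovery key rotation.
# Assumes macOS (fdesetup is not present on other platforms).

# Returns 0 when the given `fdesetup status` output reports FileVault as On.
# Takes the output as an argument so the check can be tested with constructed text.
filevault_is_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Returns 0 when the string has the shape of a FileVault personal recovery key:
# six groups of four upper-case alphanumerics separated by hyphens.
looks_like_recovery_key() {
  printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

# Rotates the personal recovery key only if FileVault is enabled.
# fdesetup prompts interactively for the current user's password and name,
# prints the new key, and the MDM client escrows it on the next check-in.
rotate_personal_key() {
  status="$(fdesetup status 2>/dev/null)" || {
    echo "fdesetup not available; this must run on macOS" >&2
    return 2
  }
  if ! filevault_is_on "$status"; then
    echo "FileVault is not enabled; nothing to rotate" >&2
    return 1
  fi
  sudo fdesetup changerecovery -personal
}

# Only perform the rotation when explicitly requested, so sourcing the file
# (or running it for its helper functions) has no side effects.
if [ "${1:-}" = "--rotate" ]; then
  rotate_personal_key
fi
```

Run it as `sh rotate-filevault-key.sh --rotate` from an administrator account; the check-in that escrows the key happens after `fdesetup` prints it, so verify in the Endpoint Manager device profile that the key shown there matches.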