{"id":2403,"date":"2020-12-02T22:00:49","date_gmt":"2020-12-02T21:00:49","guid":{"rendered":"https:\/\/azuregeek.io\/?p=2403"},"modified":"2021-01-22T00:30:43","modified_gmt":"2021-01-21T23:30:43","slug":"intune-macos-filevault-recovery-key-missing","status":"publish","type":"post","link":"https:\/\/azuregeek.io\/en\/intune-macos-filevault-recovery-key-missing\/","title":{"rendered":"Intune: macOS FileVault Recovery Key missing"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

If you are mainly concerned with security, you will quickly come into contact with the topic of device management. Microsoft Endpoint Manager (formerly Intune) is a cloud-based management solution with which macOS-based devices can be managed.<\/p>\n

One of the first and most common tasks when implementing Device Management is to enable disk encryption - for macOS FileVault<\/i> - by means of policy. The next time you restart your mac system, FileVault will automatically activate and the recovery key will be saved in Microsoft Endpoint Manager \/ Intune. This process is also called FileVault Recovery Key Escrow<\/i> called. The FileVault Recovery Key can then be retrieved via the device profile in Microsoft Endpoint Manager \/ Intune.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

If FileVault was already active on the macOS device, the recovery key is not displayed. The reason for this is that the recovery key is only deposited with the escrow provider during a rotation. However, applying the FileVault policy will not trigger a rotation.\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

So we have the option of waiting for the next rotation to occur (configured in the FileVault policy) or we can do it ourselves. In the Endpoint Manager, however, the rotation can only be initiated manually if a recovery key is stored. If it is not, we must perform the rotation on the macOS device itself.\u00a0<\/p>\n

With these steps you solve the problem:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
\n\t\t\t<\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
  1. Open the terminal with a user who has administrator privileges<\/li>
  2. Execute the following command:
    sudo fdesetup changerecovery -personal<\/em><\/blockquote><\/li>
  3. Enter the password of the currently logged in user<\/li>
  4. Enter the user name of the currently logged in user<\/li>
  5. Re-enter the password of the currently logged in user<\/li>
  6. The new FileVault Recovery Key is displayed and automatically saved in Endpoint Manager<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\tI hope this blog post has been helpful to you and I look forward to your comment! Sign up for my newsletter on the right to not miss any new posts about Azure Security and Automation \ud83d\ude00\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"

    You are using Microsoft Endpoint Manager (formerly Intune) for device management of macOS devices and you don't see a FileVault recovery key? In this post I'll show you how to make the recovery \"visible\" in Intune!<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28],"tags":[],"_links":{"self":[{"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/posts\/2403"}],"collection":[{"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/comments?post=2403"}],"version-history":[{"count":50,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/posts\/2403\/revisions"}],"predecessor-version":[{"id":2684,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/posts\/2403\/revisions\/2684"}],"wp:attachment":[{"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/media?parent=2403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/categories?post=2403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/azuregeek.io\/en\/wp-json\/wp\/v2\/tags?post=2403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}