Tuesday, November 2, 2021

Known Issue: FileVault recovery key rotation failing on macOS devices

We were recently alerted that some devices are failing to rotate their FileVault recovery key. There are three paths to rotating the FileVault recovery key for macOS in the Microsoft Endpoint Manager admin center: using the ‘Rotate FileVault recovery key’ device action, uploading a recovery key to the Company Portal website, or using the ‘Personal recovery key rotation’ setting. If you're experiencing issues with any of these methods, users can manually rotate and store their recovery key by running this command line tool with their password:

sudo fdesetup changerecovery -personal

More details on each scenario below.

Use ‘Rotate FileVault recovery key’ device action

The ‘Rotate FileVault recovery key’ device action is found under Devices > [select device] > Overview.

A macOS device in the Microsoft Endpoint Manager admin center - Devices blade.

The following error may occur after selecting this action:

Example screenshot of a failed Rotate FileVault recovery key action on a macOS device in the Microsoft Endpoint Manager admin center.

Upload FileVault recovery key to the Company Portal website

The FileVault recovery key can also be rotated when a user uploads their current recovery key to the Company Portal website. This is found under https://portal.manage.microsoft.com > Devices > [select device] > Store Recovery Key:

Store recovery key example from a macOS device in the Company Portal website.

After saving this, the following error may occur:

Example screenshot of a failed Rotate FileVault recovery key action on a macOS device on the Company Portal website.

As a result of this error, the key will not rotate and the existing key will still be valid; however, the key will not be stored in Intune until the command line tool provided above is run. The Company Portal will still contain the valid key.

 

Personal recovery key rotation setting

The ‘Personal recovery key rotation’ setting is configured under Device configuration - Profiles > Endpoint protection > FileVault:

Screenshot of a macOS Endpoint protection policy with FileVault policy settings enabled in the Microsoft Endpoint Manager admin center.

When a device is targeted by this profile and fails to rotate its recovery key, you’ll see the following error:

Example error in the Microsoft Endpoint Manager admin center when a macOS device fails to rotate its recovery key.

When this error occurs, the recovery key will not rotate and will still be valid.

 

Apple is aware of the issue, but we don’t have an update on the timeline for a fix. As mentioned above, in the interim, users can manually rotate and store their recovery key by running this macOS command line tool with their password:

sudo fdesetup changerecovery -personal

User command line example when manually rotating and storing their recovery key on a macOS device.

 
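As an added example (not part of this post or of Apple's or Intune's tooling), a small shell wrapper around the manual workaround above: it confirms FileVault is on before calling fdesetup, pulls the new personal recovery key out of the tool's output and checks that it has the expected six-group format so the user knows exactly what to store in the Company Portal. The exact wording of the fdesetup status and output lines is an assumption.

```shell
#!/bin/sh
# Added example wrapper around "sudo fdesetup changerecovery -personal".
# Assumptions (not confirmed by the post): "fdesetup status" prints
# "FileVault is On." when enabled, and changerecovery prints the new key as six
# hyphen-separated groups of four characters, e.g. ABCD-1234-EFGH-5678-JKLM-9012.

# Constructed sample of fdesetup output, used to exercise the parsers offline.
SAMPLE_OUTPUT="New personal recovery key = 'ABCD-1234-EFGH-5678-JKLM-9012'"

# Return 0 when a string looks like a FileVault personal recovery key.
validate_prk() {
  printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Return 0 when captured "fdesetup status" output says FileVault is on.
filevault_is_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Print the first recovery-key-shaped token found in fdesetup output.
extract_prk() {
  printf '%s\n' "$1" | grep -Eo '([A-Z0-9]{4}-){5}[A-Z0-9]{4}' | head -n 1
}

# Interactive rotation: fdesetup prompts for the user's password on the terminal.
# Return codes: 1 FileVault off or fdesetup missing, 2 fdesetup failed,
# 3 no key-shaped value found in the output.
rotate_prk() {
  status=$(fdesetup status 2>&1)
  filevault_is_on "$status" || { echo "FileVault not enabled: $status" >&2; return 1; }
  out=$(sudo fdesetup changerecovery -personal) || { echo "fdesetup failed" >&2; return 2; }
  key=$(extract_prk "$out")
  validate_prk "$key" || { echo "no recovery key found in fdesetup output" >&2; return 3; }
  echo "New personal recovery key: $key"
  echo "Store it in the Company Portal website: Devices > [select device] > Store Recovery Key."
}

# Only rotate when invoked explicitly; running without --rotate just defines the helpers.
if [ "${1:-}" = "--rotate" ]; then
  rotate_prk
fi
```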

We will continue to update this post as new information becomes available. If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Posted at https://sl.advdat.com/3bDNth3