macOS Foundation - FileVault Settings and Key Escrow
Overview
This policy configures FileVault settings to ensure that
- FileVault disk encryption is enabled, and cannot be disabled
- The FileVault recovery key is escrowed to Intune
User Experience
Macs that enrol via an ABM enrolment profile will have FileVault enabled during Setup Assistant.
Macs that do not enable FileVault during Setup Assistant will do so during the first login after enrolment.
The logged-in user must be a local computer admin and must hold a secure token for FileVault to be enabled. Once FileVault is enabled, the user can be demoted to non-admin without issue.
The FileVault recovery key is automatically escrowed to Intune.
Pre-requisites
macOS 15+
Troubleshooting Notes
The user account created during Setup Assistant is automatically assigned a secure token. Accounts created programmatically (for example by a management agent or script) only acquire a secure token during their first interactive login.
Secure token status can be looked up in Terminal with: sysadminctl -secureTokenStatus <username>
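The two prerequisites above (local admin plus a secure token, with FileVault either on or deferred to the next login) can be checked from Terminal. The script below is an added example, not part of the original policy documentation; it assumes the usual output wording of sysadminctl -secureTokenStatus and fdesetup status on recent macOS, and the sample strings in it are constructed.

```shell
#!/bin/bash
# Added example: readiness check for FileVault enablement on a managed Mac.
# Assumed output formats (not from the policy page):
#   sysadminctl -secureTokenStatus <user>  -> "... Secure token is ENABLED for user <user>"
#   fdesetup status                        -> "FileVault is On." / "FileVault is Off."
#                                             optionally "Deferred enablement appears to be active ..."

# Classify sysadminctl output: ENABLED, DISABLED or UNKNOWN.
parse_secure_token() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Classify fdesetup output: ON, OFF, DEFERRED (pending next interactive login) or UNKNOWN.
parse_fv_status() {
  case "$1" in
    *"Deferred enablement appears to be active"*) echo DEFERRED ;;
    *"FileVault is On"*)                           echo ON ;;
    *"FileVault is Off"*)                          echo OFF ;;
    *)                                             echo UNKNOWN ;;
  esac
}

# $1 = secure token state, $2 = FileVault state, $3 = local admin (yes/no).
# Prints the verdict; returns 0 when enablement can proceed, 1 when it is blocked.
fv_readiness() {
  if [ "$2" = ON ]; then echo "ok: FileVault already enabled"; return 0; fi
  if [ "$3" != yes ]; then echo "blocked: user is not a local admin"; return 1; fi
  if [ "$1" != ENABLED ]; then echo "blocked: user has no secure token (needs one interactive login)"; return 1; fi
  echo "ready: FileVault will be enabled at the next login"; return 0
}

# Live check, only on a Mac where the tools exist (skipped elsewhere).
if command -v sysadminctl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
  user="$(stat -f %Su /dev/console)"                      # current console user
  tok="$(parse_secure_token "$(sysadminctl -secureTokenStatus "$user" 2>&1)")"
  fv="$(parse_fv_status "$(fdesetup status 2>&1)")"
  if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then adm=yes; else adm=no; fi
  echo "user=$user secure_token=$tok filevault=$fv admin=$adm"
  fv_readiness "$tok" "$fv" "$adm"
fi
```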
What is being deployed
Policy Name
macOS Foundation - FileVault Settings and Key Escrow
Recommended Assignment Targets
All Devices, exclude Shared Devices
Policy Settings
| Setting | Description | Value |
| --- | --- | --- |
| | If | |
| | If | |
| | Maximum number of login bypass attempts before FileVault is forced | |
| | If | |
| | If | |
| | Frequency to rotate the FileVault recovery key | |
| | If | |
| | If | |
| | If | |
| | If This setting is fairly redundant, but is required for CIS FileVault compliance. | |
| | Message shown explaining how to retrieve the recovery key | |