
macOS Foundation - FileVault Settings and Key Escrow

Overview

This policy configures FileVault settings to ensure that:
- FileVault disk encryption is enabled and cannot be disabled by the user
- The FileVault recovery key is escrowed to Intune

User Experience

Macs that enrol via an ABM profile will have FileVault enabled during Setup Assistant.

Macs that do not enable FileVault during Setup Assistant will do so during the first login post-enrolment.
The logged-in user must be a local computer admin and must have a secure token for FileVault to be enabled. Once enabled, the user can be demoted to non-admin without issue.

The FileVault recovery key is automatically escrowed to Intune.

Pre-requisites

macOS 15+

Troubleshooting Notes

The user account created during Setup Assistant is automatically assigned a secure token. Accounts created programmatically only acquire a secure token during their first interactive login.
Secure token status can be looked up in Terminal with sysadminctl -secureTokenStatus <username>
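The following readiness check is an added example and not part of the original policy documentation. It reports the three things the first-login enablement path above depends on: whether FileVault is already on, whether the console user holds a secure token, and whether that user is a local admin. It assumes a Mac with the built-in fdesetup, sysadminctl and dseditgroup tools; the sample output strings in the comments are constructed from the documented formats.

```shell
#!/bin/sh
# Constructed example: FileVault readiness report for the policy above.
# Assumes macOS with fdesetup, sysadminctl and dseditgroup available.

# sysadminctl -secureTokenStatus writes to stderr a line such as (constructed):
#   "sysadminctl[123:456] Secure token is ENABLED for user alice"
# Returns 0 when the text reports ENABLED, 1 otherwise.
token_enabled_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# fdesetup status prints "FileVault is On." or "FileVault is Off." and may add
# a line about deferred enablement. Returns 0 only when encryption is On.
filevault_on_from_output() {
    case "$1" in
        *"FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# The console user is the account whose first login triggers enablement.
console_user() {
    stat -f '%Su' /dev/console
}

# Collects the live state and prints one line, which suits an Intune
# custom attribute or compliance script.
report() {
    user="$(console_user)"
    fv="$(fdesetup status 2>&1)"
    st="$(sysadminctl -secureTokenStatus "$user" 2>&1)"

    if filevault_on_from_output "$fv"; then fv_state=On; else fv_state=Off; fi
    if token_enabled_from_output "$st"; then tok=ENABLED; else tok=DISABLED; fi
    # dseditgroup exits 0 when the user is a member of the admin group.
    if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
        adm=yes
    else
        adm=no
    fi

    printf 'FileVault=%s SecureToken=%s Admin=%s User=%s\n' \
        "$fv_state" "$tok" "$adm" "$user"
}

# Only query the live system when invoked with --check.
if [ "${1:-}" = "--check" ]; then report; fi
```

Run it as `sh fv_readiness.sh --check` on the Mac; a result showing SecureToken=DISABLED or Admin=no explains why FileVault has not been enabled at first login.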

What is being deployed

Policy Name

macOS Foundation - FileVault Settings and Key Escrow

Recommended Assignment Targets

All Devices, exclude Shared Devices

Policy Settings

Setting | Description | Value
--- | --- | ---
Defer Enablement | If true, defers FileVault enablement instead of enforcing immediately | true
Don’t Ask at Logout | If true, prevents prompting users to enable FileVault at logout | true
Max Bypass Attempts | Maximum number of login bypass attempts before FileVault is forced | 0 (no bypass allowed)
Enable | If true, enables FileVault encryption | true
Force Enable in Setup Assistant | If true, forces FileVault enablement during Setup Assistant | true
Recovery Key Rotation | Frequency to rotate the FileVault recovery key | Every 3 months
Show Recovery Key | If true, displays the recovery key to the end user | false
Use Recovery Key | If true, enables the use of a personal recovery key | true
Prevent FileVault Disable | If true, prevents users from disabling FileVault | true
Prevent FileVault Enable | If true, prevents users from manually enabling FileVault. This setting is fairly redundant, but is required for CIS FileVault compliance. | false
Recovery Key Escrow Message | Message shown explaining how to retrieve the recovery key | To retrieve your key please visit https://portal.manage.microsoft.com/ and logon with your e-mail.