The rotate FileVault recovery key remote action in Microsoft Intune allows IT admins to manually generate a new personal recovery key for a macOS device encrypted with FileVault.
This action is useful when the current key is lost, potentially exposed, or needs to be refreshed for compliance or support reasons.
Requirements
Platform requirements
This remote action supports the following platforms:
- macOS (corporate-owned)
Device configuration requirements
To use this remote action, make sure devices meet the following requirements:
- Are encrypted with FileVault using an Intune disk encryption policy.
- Have the FileVault personal recovery key escrowed to Intune.
For more information, see Use FileVault disk encryption for macOS with Intune.
Role and permission requirements
To run this remote action, use an account with at least one of the following roles:
- Help Desk Operator
- Endpoint Security Manager
- Custom role that includes:
  - The permission Remote tasks/Rotate filevault key
  - Permissions that provide visibility into and access to managed devices in Intune (for example, Organization/Read, Managed devices/Read)
How to rotate FileVault recovery keys from the Intune admin center
- In the Microsoft Intune admin center, select Devices > All devices.
- From the devices list, select a device.
- At the top of the device overview pane, find the row of remote action icons. Select Rotate FileVault recovery key.
- Select Yes to confirm the action.
Reference links
- Microsoft Graph API: rotateFileVaultKey action
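The same rotation can be driven from a script through the Graph action listed above, which is how an admin would refresh keys across many Macs after a suspected exposure rather than clicking through each device. The following is an added example, not Microsoft's own code or sample. It assumes the action is `POST /deviceManagement/managedDevices/{managedDeviceId}/rotateFileVaultKey` on the Graph beta endpoint, that the caller already holds a bearer token whose permissions cover privileged device operations, and that the managed device record exposes the platform and ownership as the `operatingSystem` and `managedDeviceOwnerType` fields; the device records, token and offline transport below are constructed for the example.

```python
"""Added example: rotate the FileVault personal recovery key for Intune-managed
Macs through the Microsoft Graph rotateFileVaultKey action.

Assumptions (not stated in the article): Graph beta endpoint, the action path
/deviceManagement/managedDevices/{id}/rotateFileVaultKey, and the managedDevice
fields 'operatingSystem' and 'managedDeviceOwnerType'. Token and device
records are constructed placeholders.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

GRAPH_BASE = "https://graph.microsoft.com/beta"  # assumption: beta endpoint


def rotate_url(managed_device_id: str) -> str:
    """URL of the rotate action for one managed device (assumed path)."""
    return (f"{GRAPH_BASE}/deviceManagement/managedDevices/"
            f"{managed_device_id}/rotateFileVaultKey")


def check_eligibility(device: Dict) -> Optional[str]:
    """Return why a device fails the article's platform requirement
    (corporate-owned macOS), or None if it passes. Encryption state and key
    escrow are also required by the article, but no device-record field for
    them is assumed here, so they are left to the service to enforce."""
    if device.get("operatingSystem", "").lower() != "macos":
        return "not a macOS device"
    if device.get("managedDeviceOwnerType") != "company":
        return "not corporate-owned"
    return None


def rotate_filevault_key(device: Dict, token: str,
                         send: Callable[[str, str, Dict[str, str]], int]) -> Dict:
    """Queue a key rotation for one device.

    `send(method, url, headers)` performs the HTTP call and returns the status
    code. It is injected so the example runs offline; pass graph_send() to use
    the real transport. Graph answers 204 No Content when the action is
    accepted; the new key is escrowed only after the Mac next checks in, so
    a 204 means "queued", not "rotated".
    """
    reason = check_eligibility(device)
    if reason:
        return {"id": device["id"], "sent": False, "reason": reason}
    status = send("POST", rotate_url(device["id"]),
                  {"Authorization": f"Bearer {token}"})
    return {"id": device["id"], "sent": status == 204, "status": status}


def rotate_all(devices: List[Dict], token: str,
               send: Callable[[str, str, Dict[str, str]], int]) -> List[Dict]:
    """Rotate every eligible device; ineligible ones are reported, not sent."""
    return [rotate_filevault_key(d, token, send) for d in devices]


def graph_send(method: str, url: str, headers: Dict[str, str]) -> int:
    """Real transport using the standard library; returns the HTTP status."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def fake_send(method: str, url: str, headers: Dict[str, str]) -> int:
    """Offline stand-in for the transport: validates the request shape and
    pretends Graph accepted the action."""
    if method != "POST" or not url.endswith("/rotateFileVaultKey"):
        return 400
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401
    return 204


# Constructed device records, not real Intune data.
SAMPLE_DEVICES = [
    {"id": "00000000-0000-0000-0000-000000000001", "deviceName": "mac-fin-01",
     "operatingSystem": "macOS", "managedDeviceOwnerType": "company"},
    {"id": "00000000-0000-0000-0000-000000000002", "deviceName": "mac-byod-02",
     "operatingSystem": "macOS", "managedDeviceOwnerType": "personal"},
    {"id": "00000000-0000-0000-0000-000000000003", "deviceName": "win-ops-03",
     "operatingSystem": "Windows", "managedDeviceOwnerType": "company"},
]

if __name__ == "__main__":
    for result in rotate_all(SAMPLE_DEVICES, "PLACEHOLDER_TOKEN", fake_send):
        print(result)
```

Because the action only queues the rotation, a rotation audit should confirm afterwards that each Mac has checked in and that a fresh key is escrowed, rather than treating the 204 as proof that the old key is no longer valid.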