Home
%3CLINGO-SUB%20id%3D%22lingo-sub-788542%22%20slang%3D%22en-US%22%3EKnown%20issue%20for%20FileVault%20configuration%20profiles%20on%20macOS%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-788542%22%20slang%3D%22en-US%22%3E%3CP%3EWe%E2%80%99ve%20noticed%20an%20issue%20with%20a%20setting%20when%20configuringFileVault%20settings%20for%20macOS%20devices%20within%20Device%20Configuration.%20%3CSPAN%20data-contrast%3D%22auto%22%3EThis%20may%20cause%20FileVault%20profiles%20to%20not%20deploy%20as%20intended%20depending%20on%20how%20the%20settings%20are%20configured.%20W%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ee%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%99%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ere%20sharing%20a%20workaround%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehere%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Euntil%20this%20is%20fixed%20in%20a%20future%20release.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWhen%20%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDisable%20prompt%20at%20sign%20out%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%20%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENot%20configured%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20the%20Number%20of%20times%20allowed%20to%20bypass%20can%20be%20set%20to%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eany%20value.%20Th%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ee%20screenshot%20below%20is%20a%20working%20scenario.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F125633iB1F0D799134BF3F3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22fv1.png%22%20title%3D%22fv1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWhen%20%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDisable%20prompt%20at%20sign%20out%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%20set%20to%20%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EEnable%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20the%20%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENumber%20of%20times%20allowed%20to%20bypass%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Emust%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ebe%20set%20to%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ea%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Evalue%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eother%20than%20%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENot%20configured%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20as%20shown%20in%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethe%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Escreenshot%20below%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F125634i1CA5D3C6066C3A03%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22fv2.png%22%20title%3D%22fv2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20scenario%20below%20will%20not%20work%20because%20%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDisable%20prompt%20at%20sign%20out%20%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ee%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Enabled%2C%20and%20%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENumber%20of%20times%20allowed%20to%20bypass%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eis%20set%20to%20%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENot%20configured%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20The%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EFileVault%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eprofile%20will%20not%20be%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Edeployed%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eto%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Edevice%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eand%20reporting%20will%20show%20an%20error.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F125635i926C48E676E09DBE%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22fv3.png%22%20title%3D%22fv3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%E2%80%99ll%20update%20this%20post%20as%20this%20is%20fixed%20in%20the%20console%20in%20an%20upcoming%20release!%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-788542%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3EW%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Ee%E2%80%99ve%20noticed%20an%20issue%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Ewith%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Ea%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Esetting%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Ew%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Ehen%20configur%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Eing%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3EFileVault%20settings%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Efor%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3EmacOS%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Edevices%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3Ewithin%20Device%20Configuration%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX1%20SCXW84593872%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX1%20SCXW84593872%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-788542%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Eknown%20issue%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EmacOS%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-788993%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20issue%20for%20FileVault%20configuration%20profiles%20on%20macOS%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-788993%22%20slang%3D%22en-US%22%3E%3CP%3EThanks.%20I%20was%20having%20this%20problem%20and%20it%20is%20solved%20with%20the%20bypass%20setting.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnother%20issue%20is%2C%20as%20I%20commented%20on%20the%20other%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FEnterprise-Mobility-Security%2FMicrosoft-Intune-announces-support-for-macOS-FileVault-disk%2Fbc-p%2F788942%22%20target%3D%22_self%22%3Eblog%20post%3C%2FA%3E%2C%20that%20when%20enabling%20FileVault%20the%20recovery%20key%20is%20shown%20to%20the%20user%20and%20they%20are%20instructed%20to%20%22keep%20it%20in%20a%20safe%20place.%22%20I%20do%20not%20want%20the%20user%20to%20store%20the%20recovery%20key%20anywhere%2C%20especially%20given%20some%20users%20will%20store%20it%20with%20the%20laptop.%20If%20the%20key%20is%20needed%20it%20should%20be%20retrieved%20from%20Intune.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20ask%20is%20that%20the%26nbsp%3B%3CSPAN%3EShowRecoveryKey%26nbsp%3BFileVault2%20payload%20option%20be%20made%20available%20in%20the%20Intune%20FileVault%20configuration%20profile%20so%20that%20it%20can%20be%20set%20to%20False%2C%20so%20that%20the%20recovery%20key%20will%20not%20be%20displayed%20to%20the%20user.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20the%20relevant%20part%20from%20Apple's%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.apple.com%2Fbusiness%2Fdocumentation%2FConfiguration-Profile-Reference.pdf%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ereference%3C%2FA%3E%3A%3C%2FP%3E%3CPRE%3E%3CSTRONG%3EShowRecoveryKey%3C%2FSTRONG%3E%3A%20Set%20to%20false%20to%20not%20display%20the%20personal%20recovery%20key%20to%20the%20user%20after%20FileVault%20is%20enabled.%20%3CSTRONG%3EDefaults%20to%20true.%3CBR%20%2F%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-790596%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20issue%20for%20FileVault%20configuration%20profiles%20on%20macOS%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-790596%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102496%22%20target%3D%22_blank%22%3E%40Max%20Manning%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3EOur%20PM%20Anya%20Novicheva%20had%20responded%20back%20to%20your%20comment%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FEnterprise-Mobility-Security%2FMicrosoft-Intune-announces-support-for-macOS-FileVault-disk%2Fba-p%2F770675%22%20target%3D%22_self%22%3EIntune%20macOS%20FileVault%20Announcement%3C%2FA%3Eblog%20that%20the%20current%20architecture%20allows%20various%20ways%20for%20the%20end%20user%20to%20access%20their%20recovery%20key%20including%20from%20the%20Intune%20web%20Company%20Portal.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20value%20your%20feedback!%20Can%20you%20elaborate%20on%20your%20feedback%20by%20posting%20an%20idea%20over%20at%20our%3A%20%3CA%20href%3D%22https%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUserVoice%3C%2FA%3E%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-790740%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20issue%20for%20FileVault%20configuration%20profiles%20on%20macOS%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-790740%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3BYep%2C%20I%20was%20planning%20to%20open%20a%20UserVoice%20item%20for%20it%20today%20actually.%20FileVault%20and%20macOS%20are%20a%20niche%20area%20for%20Intune%20though%2C%20so%20I%20doubt%20it'll%20get%20much%20support.%20I%20submitted%20DCR%20138149908%20for%20it%20yesterday%20too.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-791020%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20issue%20for%20FileVault%20configuration%20profiles%20on%20macOS%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-791020%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3BHere's%20the%20UserVoice%20item%20I%20created%20for%20this%20feedback%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F38319730-add-option-to-set-macos-filevault-showrecoverykey%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmicrosoftintune.uservoice.com%2Fforums%2F291681-ideas%2Fsuggestions%2F38319730-add-option-to-set-macos-filevault-showrecoverykey%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-793078%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20issue%20for%20FileVault%20configuration%20profiles%20on%20macOS%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-793078%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F226779%22%20target%3D%22_blank%22%3E%40Intune%20Support%20Team%3C%2FA%3E%26nbsp%3B%20in%20our%20organization%20we%20have%20it%20set%20like%20whats%20being%20mentioned%20here.%26nbsp%3B%20Most%20if%20not%20all%20were%20prompted%20to%20enable%20FileVault%20and%20complete%20the%20task.%26nbsp%3B%20So%20we%20now%20have%20several%20who%20are%20fully%20encrypted.%26nbsp%3B%20My%20question%20is%2C%20should%20we%20leave%20bypass%20as%20'Not%20Configured'%20or%20set%20it%20to%20'1'.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20see%20several%20errors%20in%20the%20state%20details%20and%20unsure%20if%20that%20is%20related.%26nbsp%3B%20%26nbsp%3B%20Also%2C%20by%20setting%20it%20from%20Not%20Configured%20to%201%20-%20would%20anyone%20who%20is%20already%20enabled%20by%20impacted.%3F%3F%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20619px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F126007iEE91394F763948FB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%222019-08-07_9-30-39.jpg%22%20title%3D%222019-08-07_9-30-39.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-795831%22%20slang%3D%22en-US%22%3ERe%3A%20Known%20issue%20for%20FileVault%20configuration%20profiles%20on%20macOS%20devices%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-795831%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F43450%22%20target%3D%22_blank%22%3E%40Miguel%20Sanabia%3C%2FA%3E%26nbsp%3BThank%20you%20for%20your%20feedback!%20If%20this%20configuration%20worked%20for%20your%20devices%2C%20then%20I%20recommend%20leaving%20it%20as%20is.%20The%20error%20messages%20in%20the%20state%20details%20are%20most%20likely%20attributed%20to%20this%20configuration%20and%20the%20device%20giving%20Intune%20back%20an%20unknown%20error.%20If%20you%20change%20any%20of%20the%20setting%20configurations%2C%20such%20as%20changing%20the%20Not%20configured%20to%201%2C%20already%20encrypted%20devices%20will%20not%20be%20impacted.%20Your%20devices%20that%20were%20not%20fully%20encrypted%20will%20most%20likely%20become%20encrypted.%20In%20general%2C%20already%20encrypted%20devices%20will%20not%20be%20impacted%20by%20any%20of%20the%20settings%20in%20the%20profile%20changing%20configuration.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E

We’ve noticed an issue with a setting when configuring FileVault settings for macOS devices within Device Configuration. This may cause FileVault profiles to not deploy as intended depending on how the settings are configured. Were sharing a workaround here until this is fixed in a future release.  

 

When Disable prompt at sign out is Not configured, the Number of times allowed to bypass can be set to any value. The screenshot below is a working scenario.  

 

fv1.png

 

When Disable prompt at sign out is set to Enable, the Number of times allowed to bypass must be set to a value other than Not configured, as shown in the screenshot below.  

 

fv2.png

 

The scenario below will not work because Disable prompt at sign out is enabled, and Number of times allowed to bypass is set to Not configured. The FileVault profile will not be deployed to devices and reporting will show an error.  

 

fv3.png

We’ll update this post as this is fixed in the console in an upcoming release! 

 

6 Comments
Senior Member

Thanks. I was having this problem and it is solved with the bypass setting.

 

Another issue is, as I commented on the other blog post, that when enabling FileVault the recovery key is shown to the user and they are instructed to "keep it in a safe place." I do not want the user to store the recovery key anywhere, especially given some users will store it with the laptop. If the key is needed it should be retrieved from Intune.

 

My ask is that the ShowRecoveryKey FileVault2 payload option be made available in the Intune FileVault configuration profile so that it can be set to False, so that the recovery key will not be displayed to the user.

 

Here is the relevant part from Apple's reference:

ShowRecoveryKey: Set to false to not display the personal recovery key to the user after FileVault is enabled. Defaults to true.

 

Hi @Max Manning,

Our PM Anya Novicheva had responded back to your comment in the Intune macOS FileVault Announcement blog that the current architecture allows various ways for the end user to access their recovery key including from the Intune web Company Portal.

 

We value your feedback! Can you elaborate on your feedback by posting an idea over at our: UserVoice?

Senior Member

@Intune Support Team Yep, I was planning to open a UserVoice item for it today actually. FileVault and macOS are a niche area for Intune though, so I doubt it'll get much support. I submitted DCR 138149908 for it yesterday too.

Senior Member
New Contributor

@Intune Support Team  in our organization we have it set like whats being mentioned here.  Most if not all were prompted to enable FileVault and complete the task.  So we now have several who are fully encrypted.  My question is, should we leave bypass as 'Not Configured' or set it to '1'.

 

We see several errors in the state details and unsure if that is related.    Also, by setting it from Not Configured to 1 - would anyone who is already enabled by impacted.??

2019-08-07_9-30-39.jpg

Microsoft

@Miguel Sanabia Thank you for your feedback! If this configuration worked for your devices, then I recommend leaving it as is. The error messages in the state details are most likely attributed to this configuration and the device giving Intune back an unknown error. If you change any of the setting configurations, such as changing the Not configured to 1, already encrypted devices will not be impacted. Your devices that were not fully encrypted will most likely become encrypted. In general, already encrypted devices will not be impacted by any of the settings in the profile changing configuration.