Re-issue Recovery Key Generated Not Escrowed
For BitLocker-encrypted computers, a volume that can no longer be accessed can be recovered by using the BitLocker recovery key ID. Users must provide this ID: when they start the recovery process, the BitLocker recovery key ID for the operating system drive is displayed on the BitLocker recovery screen.
Use Intune to manage a device's built-in disk or drive encryption to protect data on your devices.
Configure disk encryption as part of a device configuration profile for endpoint protection. The following platforms and encryption technologies are supported by Intune:
- macOS: FileVault
- Windows 10 and later: BitLocker
Intune also provides a built-in encryption report that presents details about the encryption status of devices, across all your managed devices.
FileVault encryption for macOS
Use Intune to configure FileVault disk encryption on devices that run macOS. Then, use the Intune encryption report to view encryption details for those devices and to manage recovery keys for FileVault encrypted devices.
User-approved device enrollment is required for FileVault to work on the device. The user must manually approve the management profile from System Preferences for the enrollment to be considered user-approved.
FileVault is a whole-disk encryption program that is included with macOS. You can use Intune to configure FileVault on devices that run macOS 10.13 or later.
To configure FileVault, create a device configuration profile for endpoint protection for the macOS platform. FileVault settings are one of the available settings categories for macOS endpoint protection.
After you create a policy to encrypt devices with FileVault, the policy is applied to devices in two stages. First, the device is prepared to enable Intune to retrieve and back up the recovery key. This action is referred to as escrow. After the key is escrowed, the disk encryption can start.
For details about the FileVault settings you can manage with Intune, see FileVault in the Intune article for macOS endpoint protection settings.
Permissions to manage FileVault
To manage FileVault in Intune, your account must have the applicable Intune role-based access control (RBAC) permissions.
Following are the FileVault permissions, which are part of the Remote tasks category, and the built-in RBAC roles that grant the permission:
Get FileVault key:
- Help Desk Operator
- Endpoint security manager
Rotate FileVault key:
- Help Desk Operator
How to configure macOS FileVault
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Configuration profiles > Create profile.
Set the following options:
- Platform: macOS
- Profile type: Endpoint protection
Select Settings > FileVault.
For FileVault, select Enable.
For Recovery key type, only Personal key is supported.
Consider adding a message to help guide end-users on how to retrieve the recovery key for their device. This information can be useful for your end-users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically.
For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to Devices and select the device that has FileVault enabled, and then select Get recovery key. The current recovery key is displayed.
Configure the remaining FileVault settings to meet your business needs, and then select OK.
Complete configuration of additional settings, and then save the profile.
Manage FileVault
After Intune encrypts a macOS device with FileVault, you can view and manage the FileVault recovery keys when you view the Intune encryption report.
After Intune encrypts a macOS device with FileVault, you can view that device's personal recovery key from the web Company Portal on any device. Once in the web Company Portal, choose the encrypted macOS device, and then choose to 'Get recovery key' as a remote device action.
Retrieve personal recovery key from MEM encrypted macOS devices
End users can retrieve their personal recovery key (FileVault key) using the iOS Company Portal app, the Android Company Portal app, or through the Android Intune app. The device that has the personal recovery key must be enrolled with Intune and encrypted with FileVault through Intune. Using the iOS Company Portal app, Android Company Portal app, the Android Intune app, or the Company Portal website, the end-user can see the FileVault recovery key needed to access their Mac devices. End-users can select Devices > the encrypted and enrolled macOS device > Get recovery key. The browser will show the Web Company Portal and display the recovery key.
BitLocker encryption for Windows 10
Use Intune to configure BitLocker Drive Encryption on devices that run Windows 10. Then, use the Intune encryption report to view encryption details for those devices. You can also access important information for BitLocker from your devices, as found in Azure Active Directory (Azure AD).
BitLocker is available on devices that run Windows 10 or later.
Configure BitLocker when you create a device configuration profile for endpoint protection for the Windows 10 or later platform. BitLocker settings are in the Windows Encryption settings category for Windows 10 endpoint protection.
How to configure Windows 10 BitLocker
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > Configuration profiles > Create profile.
Set the following options:
- Platform: Windows 10 and later
- Profile type: Endpoint protection
Select Settings > Windows Encryption.
Configure settings for BitLocker to meet your business needs, and then select OK.
Complete configuration of additional settings, and then save the profile.
Silently enable BitLocker on devices
You can configure a BitLocker policy that automatically and silently enables BitLocker on a device. That means that BitLocker enables successfully without presenting any UI to the end user, even when that user isn't a local Administrator on the device.
Device Prerequisites:
A device must meet the following conditions to be eligible for silently enabling BitLocker:
- The device must run Windows 10 version 1809 or later
- The device must be Azure AD Joined
BitLocker policy configuration:
The following two settings for BitLocker base settings must be configured in the BitLocker policy:
- Warning for other disk encryption = Block
- Allow standard users to enable encryption during Azure AD Join = Allow
The BitLocker policy must not require use of a startup PIN or startup key. When a TPM startup PIN or startup key is required, BitLocker cannot silently enable and requires interaction from the end user. This requirement is met through the following three BitLocker OS drive settings in the same policy:
- Compatible TPM startup PIN must not be set to Require startup PIN with TPM
- Compatible TPM startup key must not be set to Require startup key with TPM
- Compatible TPM startup key and PIN must not be set to Require startup key and PIN with TPM
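The device-side conditions above (OS version, Azure AD join, a usable TPM, no startup PIN or key protector already on the OS volume) can be checked before the policy is assigned. The following is an added example, not Microsoft's or Intune's code; it assumes an elevated PowerShell session on the Windows 10 device and the built-in TrustedPlatformModule and BitLocker modules.

```powershell
# Added example (not Microsoft's code): device-side check of the silent
# BitLocker enablement prerequisites described above.
# Assumes an elevated PowerShell 5.1 session on the Windows 10 device.
function Test-SilentBitLockerReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Windows 10 version 1809 is OS build 17763; older builds cannot silently enable.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    $result.'Windows 10 1809 or later' = ($build -ge 17763)

    # dsregcmd reports the join state; the AzureAdJoined line must read YES.
    $dsreg = dsregcmd /status
    $result.'Azure AD joined' = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')

    # A TPM must be present and initialized for a TPM-only protector.
    $tpm = Get-Tpm
    $result.'TPM present and ready' = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # Protectors that prompt at boot (PIN or startup key) require user interaction,
    # which silent enablement cannot provide.
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $interactive = @($osVolume.KeyProtector |
        Where-Object { $_.KeyProtectorType -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
    $result.'No startup PIN or key protector' = ($interactive.Count -eq 0)

    # Current state of the OS volume, for context in the report.
    $result.'OS volume' = "$($osVolume.VolumeStatus), protection $($osVolume.ProtectionStatus)"

    [pscustomobject]$result
}

Test-SilentBitLockerReadiness | Format-List
```

The policy-side settings (Warning for other disk encryption, Allow standard users to enable encryption) are not visible from the device and still have to be verified in the Intune profile.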
Manage BitLocker
After Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the Intune encryption report.
Rotate BitLocker recovery keys
You can use an Intune device action to remotely rotate the BitLocker recovery key of a device that runs Windows 10 version 1909 or later.
Prerequisites
Devices must meet the following prerequisites to support rotation of the BitLocker recovery key:
Devices must run Windows 10 version 1909 or later
Azure AD-joined and Hybrid-joined devices must have support for key rotation enabled:
- Client-driven recovery password rotation
This setting is under Windows Encryption as part of a device configuration policy for Windows 10 Endpoint Protection.
To rotate the BitLocker recovery key
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > All devices.
In the list of devices that you manage, select a device, select More, and then select the BitLocker key rotation device remote action.
Next steps
Create a device compliance policy.
The Microsoft Intune encryption report is a centralized location to view details about a device's encryption status and find options to manage device recovery keys. The recovery key options that are available depend on the type of device you're viewing.
To find the report, sign in to the Microsoft Endpoint Manager admin center. Select Devices > Monitor, and then under Configuration, select Encryption report.
View encryption details
The encryption report shows common details across the supported devices you manage. The following sections provide details about the information that Intune presents in the report.
Prerequisites
The encryption report supports reporting on devices that run the following operating system versions:
- macOS 10.13 or later
- Windows version 1607 or later
Report details
The Encryption report pane displays a list of the devices you manage with high-level details about those devices. You can select a device from the list to drill in and view additional details on the device's Device encryption status pane.
Device name - The name of the device.
OS - The device platform, such as Windows or macOS.
OS version - The version of Windows or macOS on the device.
TPM version (applies to Windows 10 only) - The version of the Trusted Platform Module (TPM) chip on the Windows 10 device.
Encryption readiness - An evaluation of the device's readiness to support an applicable encryption technology, like BitLocker or FileVault encryption. Devices are identified as:
Ready: The device can be encrypted by using MDM policy, which requires the device meet the following requirements:
For macOS devices:
- macOS version 10.13 or later
For Windows 10 devices:
- Version 1703 or later of Business, Enterprise, or Education; or version 1809 or later of Pro
- The device must have a TPM chip
For more information, see the BitLocker configuration service provider (CSP) in the Windows documentation.
Not ready: The device doesn't have full encryption capabilities, but still supports encryption. For example, a Windows device might be encrypted manually by a user, or through Group Policy that can be set to allow encrypting without a TPM.
Not applicable: There isn't enough information to classify this device.
Encryption status - Whether the OS drive is encrypted.
User Principal Name - The primary user of the device.
Device encryption status
When you select a device from the Encryption report, Intune displays the Device encryption status pane. This pane provides the following details:
Device name - The name of the device you're viewing.
Encryption readiness - An evaluation of the device's readiness to support encryption through the MDM policy.
For example: When a Windows 10 device has a readiness of Not ready, it might still support encryption. To have the Ready designation, the Windows 10 device must have a TPM chip, but a TPM chip isn't required to support encryption by other means. (For more information, see Encryption readiness in the preceding section.)
Encryption status - Whether the OS drive is encrypted. It can take up to 24 hours for Intune to report on a device's encryption status or a change to that status. This time includes time for the OS to encrypt, plus time for the device to report back to Intune.
To speed up the reporting of FileVault encryption status before device check-in normally occurs, have users sync their devices after encryption completes.
Profiles - A list of the device configuration profiles that apply to this device and are configured with the following values:
macOS:
- Profile type = Endpoint protection
- Settings > FileVault > FileVault = Enable
Windows 10:
- Profile type = Endpoint protection
- Settings > Windows Encryption > Encrypt devices = Require
You can use the list of profiles to identify individual policies for review should the Profile state summary indicate problems.
Profile state summary - A summary of the profiles that apply to this device. The summary represents the least favorable condition across the applicable profiles. For example, if only one out of several applicable profiles results in an error, the Profile state summary will display Error.
To view more details of a status, go to Intune > Device configuration > Profiles, and select the profile. Optionally, select Device status and then select a device.
Status details - Advanced details about the device's encryption state.
Important
For Windows 10 devices, Intune only shows Status details for devices that run the Windows 10 April 2019 Update or later.
This field displays information for each applicable error that can be detected. You can use this information to understand why a device might not be encryption ready.
The following are examples of the status details Intune can report:
macOS:
The recovery key hasn't been retrieved and stored yet. Most likely, the device hasn't been unlocked, or it hasn't checked in.
Consider: This result doesn't necessarily represent an error condition but a temporary state. It can be caused by timing on the device, because escrow for recovery keys must be set up before the encryption request is sent to the device. This status might also indicate that the device remains locked or hasn't checked in with Intune recently. Finally, because FileVault encryption doesn't start until a device is plugged in (charging), it's possible for a user to receive a recovery key for a device that isn't yet encrypted.
The user is deferring encryption or is currently in the process of encryption.
Consider: Either the user hasn't yet logged out after receiving the encryption request, which is necessary before FileVault can encrypt the device, or the user has manually decrypted the device. Intune can't prevent a user from decrypting their device.
The device is already encrypted. Device user must decrypt the device to continue.
Consider: Intune can’t set up FileVault on a device that is already encrypted. Instead, the user needs to manually decrypt their device before it can be managed by a device configuration policy and Intune.
FileVault needs the user to approve their management profile in macOS Catalina and higher.
Consider: Beginning with macOS version 10.15 (Catalina), user-approved enrollment settings can result in the requirement that users manually approve FileVault encryption. For more information, see User Approved enrollment in the Intune documentation.
Unknown.
Consider: One possible cause for an unknown status is that the device is locked and Intune can’t start the escrow or encryption process. After the device is unlocked, progress can continue.
Windows 10:
The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.
The encryption method of the OS volume doesn't match the BitLocker policy.
The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.
The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.
The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.
The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.
The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.
The OS volume is unprotected.
Recovery key backup failed.
A fixed drive is unprotected.
The encryption method of the fixed drive doesn't match the BitLocker policy.
To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.
Windows Recovery Environment (WinRE) isn't configured.
A TPM isn't available for BitLocker, either because it isn't present, it's been made unavailable in the Registry, or the OS is on a removable drive.
The TPM isn't ready for BitLocker.
The network isn't available, which is required for recovery key backup.
Export report details
While viewing the Encryption report pane, you can select Export to create a .csv file download of the report details. This report includes the high-level details from the Encryption report pane and Device encryption status details for each device you manage.
This report can be of use in identifying problems for groups of devices. For example, you might use the report to identify a list of macOS devices that all report FileVault is already enabled by the user, which indicates devices that must be manually decrypted before Intune can manage their FileVault settings.
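The status details listed above and the CSV export lend themselves to bulk triage: which devices need a manual decrypt, which have no escrowed key, and which lack a usable TPM. The following is an added example, not Microsoft's or Intune's code; the column headers and the sample rows are constructed assumptions, so match the headers to your own export before running it on a real file.

```powershell
# Added example (not Microsoft's code): triage a CSV export of the Intune
# encryption report. The headers and rows below are constructed sample data;
# the real export's column names may differ.
$sampleCsv = @'
Device name,OS,OS version,TPM version,Encryption readiness,Encryption status,Status details
MAC-0123,macOS,10.15.3,,Ready,Encrypted,"The device is already encrypted. Device user must decrypt the device to continue."
MAC-0456,macOS,10.14.6,,Ready,Not encrypted,"The recovery key hasn't been retrieved and stored yet. Most likely, the device hasn't been unlocked, or it hasn't checked in."
WIN-0789,Windows,10.0.18363,2.0,Ready,Encrypted,"Recovery key backup failed."
WIN-0321,Windows,10.0.18363,,Not ready,Not encrypted,"A TPM isn't available for BitLocker, either because it isn't present, it's been made unavailable in the Registry, or the OS is on a removable drive."
WIN-0654,Windows,10.0.17763,2.0,Ready,Encrypted,
'@

function Get-EncryptionReportTriage {
    param([Parameter(Mandatory)][object[]]$Rows)

    foreach ($row in $Rows) {
        $details = [string]$row.'Status details'
        # Map the report's status detail text to the follow-up the page describes.
        $action = switch -Regex ($details) {
            'already encrypted' {
                'User must decrypt; Intune cannot manage FileVault until it re-encrypts'; break }
            "recovery key hasn't been retrieved" {
                'Temporary: wait for unlock and check-in, escrow precedes encryption'; break }
            "Recovery key backup failed|network isn't available" {
                'Key not escrowed: no recovery path yet, check connectivity and re-sync'; break }
            "TPM isn't available|TPM isn't ready" {
                'No usable TPM: silent enablement not possible, review hardware or policy'; break }
            default {
                if ($row.'Encryption status' -eq 'Encrypted') { 'Healthy' } else { 'Review' } }
        }
        [pscustomobject]@{
            Device    = $row.'Device name'
            OS        = $row.OS
            Readiness = $row.'Encryption readiness'
            Encrypted = ($row.'Encryption status' -eq 'Encrypted')
            Action    = $action
        }
    }
}

$rows = $sampleCsv | ConvertFrom-Csv
# For a real export, replace the line above with: $rows = Import-Csv .\EncryptionReport.csv
Get-EncryptionReportTriage -Rows $rows | Sort-Object Action | Format-Table -AutoSize
```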
FileVault recovery keys
When Intune first encrypts a macOS device with FileVault, a personal recovery key is created. Upon encryption, the device displays the personal key a single time to the end-user.
For managed devices, Intune can escrow a copy of the personal recovery key. Escrow of keys enables Intune administrators to rotate keys to help protect devices, and users to recover a lost or rotated personal recovery key.
Intune supports multiple options to rotate and recover personal recovery keys. One reason to rotate a key is if the current personal key is lost or thought to be at risk.
Important
Devices that are encrypted by users, and not by Intune, cannot be managed by Intune. This means that Intune can't escrow the personal recovery of these devices, nor manage the rotation of the recovery key. Before Intune can manage FileVault and recovery keys for the device, the user must decrypt their device, and then let Intune encrypt the device.
Rotate recovery keys
Automatic rotation: As an admin, you can configure the FileVault setting Personal recovery key rotation to automatically generate new recovery keys periodically. When a new key is generated for a device, the key isn't displayed to the user. Instead, the user must get the key either from an admin or by using the Company Portal app.
Manual rotation: As an admin, you can view information for a device that you manage with Intune and that’s encrypted with FileVault. You can then choose to manually rotate the recovery key for corporate devices. You can’t rotate recovery keys for personal devices.
To rotate a recovery key:
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > All devices.
From the list of devices, select the device that is encrypted and for which you want to rotate its key. Then under Monitor, select Recovery keys.
On the Recovery keys pane, select Rotate FileVault recovery key.
The next time the device checks in with Intune, the personal key is rotated. When needed, the end user can obtain the new key through the Company Portal.
Recover recovery keys
Administrator: Administrators can't view personal recovery keys for devices that are encrypted with FileVault.
End-user: End-users use the Company Portal website from any device to view the current personal recovery key for any of their managed devices. You can't view recovery keys from the Company Portal app.
To view a recovery key:
Sign in to the Intune Company Portal website from any device.
In the portal, go to Devices and select the macOS device that is encrypted with FileVault.
Select Get recovery key. The current recovery key is displayed.
BitLocker recovery keys
Intune provides access to the Azure AD blade for BitLocker so you can view BitLocker Key IDs and recovery keys for your Windows 10 devices, from within the Intune portal. To be accessible, the device must have its keys escrowed to Azure AD.
Sign in to the Microsoft Endpoint Manager admin center.
Select Devices > All devices.
Select a device from the list, and then under Monitor, select Recovery keys.
When keys are available in Azure AD, the following information is available:
- BitLocker Key ID
- BitLocker Recovery Key
- Drive Type
When keys aren't in Azure AD, Intune will display No BitLocker key found for this device.
Information for BitLocker is obtained using the BitLocker configuration service provider (CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, and for Windows 10 Pro version 1809 and later.