Description
Is your feature request related to a problem? Please describe.
OpenIntuneBaseline currently provides a macOS FileVault baseline using a device configuration profile (Settings Catalog). In modern Intune deployments, this can conflict with the Endpoint security → Disk encryption (FileVault) policy, leading to devices that are encrypted but do not have their recovery key escrowed to Intune.
When this occurs, recovery key visibility and rotation actions fail, despite FileVault being enabled and a key existing locally.
Microsoft’s current guidance positions Endpoint Security disk encryption policies as the supported way to manage FileVault lifecycle (enablement, escrow, rotation), and inconsistent ownership is a common cause of FileVault/key‑management issues.
Describe the solution you'd like
Update the OpenIntuneBaseline macOS FileVault baseline to:
- Use an Endpoint security → Disk encryption (macOS FileVault) policy as the primary baseline for:
  - FileVault enablement
  - Recovery key escrow
  - Key rotation
- Move any remaining non‑ownership controls (e.g. Prevent FileVault from being disabled) into a separate, guardrail‑only configuration profile.
- Include a short migration note explaining the change and why dual configuration (config profile + endpoint security) should be avoided.
This aligns the baseline with Microsoft’s current Intune design and avoids key escrow / rotation failures.
Describe alternatives you've considered
- Keeping FileVault entirely in configuration profiles and documenting limitations. Rejected due to high risk of escrow and rotation failures.
- Providing both methods and letting users choose. Rejected due to overlap and accidental misconfiguration.
- Adding warnings only. Does not address the root ownership issue.
Additional context
This change reflects Microsoft’s move toward Endpoint Security as the authoritative control plane for disk encryption and reduces a common real‑world failure mode where FileVault is enabled but recovery keys are unavailable or non‑rotatable in Intune.
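One way to find devices already in that failure mode before migrating, as an added example that is not part of OpenIntuneBaseline: a Graph PowerShell triage script that lists macOS devices reported as encrypted and checks whether Intune holds an escrowed FileVault key for each. It assumes the Microsoft.Graph module, the beta `managedDevices` endpoint with its `getFileVaultKey` function, that this function errors when no key is escrowed, and that the two scopes shown are sufficient; the key value itself is discarded, never displayed.

```powershell
# Added example, not part of OpenIntuneBaseline: find macOS devices that are
# encrypted but have no FileVault recovery key escrowed to Intune.
# Assumptions: Microsoft.Graph module; beta managedDevices endpoint and its
# getFileVaultKey function; getFileVaultKey fails when nothing is escrowed;
# the scopes below are sufficient. The key itself is never written out.

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'

$uri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices' +
       "?`$filter=operatingSystem eq 'macOS'" +
       "&`$select=id,deviceName,isEncrypted,lastSyncDateTime"

$macs = @()
while ($uri) {                                  # follow @odata.nextLink paging
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $macs += $page.value
    $uri = $page.'@odata.nextLink'
}

$results = foreach ($d in $macs) {
    $escrowed = $null
    if ($d.isEncrypted) {
        $keyUri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices/' +
                  "$($d.id)/getFileVaultKey"
        try {
            $null = Invoke-MgGraphRequest -Method GET -Uri $keyUri   # discard the key
            $escrowed = $true
        } catch {
            $escrowed = $false                  # no escrowed key (or call not permitted)
        }
    }
    [pscustomobject]@{
        DeviceName  = $d.deviceName
        IsEncrypted = $d.isEncrypted
        KeyEscrowed = $escrowed
        LastSync    = $d.lastSyncDateTime
        State       = if (-not $d.isEncrypted) { 'NotEncrypted' }
                      elseif ($escrowed)        { 'OK' }
                      else { 'EncryptedNoEscrow' }  # candidate for ES disk encryption policy
    }
}

# Devices in the "encrypted but not escrowed" state are the ones the migration targets.
$results | Where-Object State -eq 'EncryptedNoEscrow' | Format-Table -AutoSize
```

Devices listed as EncryptedNoEscrow will also fail the Rotate FileVault recovery key remote action until they are brought under an Endpoint security disk encryption policy.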
Microsoft Learn References (Best Practice & Rationale)
Encrypt macOS devices with FileVault using Intune
Primary guidance on FileVault deployment scenarios, escrow preparation, encryption initiation, and recovery key management.
https://learn.microsoft.com/intune/intune-service/protect/encrypt-devices-filevault
Endpoint security disk encryption policy in Intune
Explains why disk encryption policies exist and are the preferred method for managing built‑in encryption technologies like FileVault.
https://learn.microsoft.com/intune/intune-service/protect/endpoint-security-disk-encryption-policy
Remote action: Rotate FileVault recovery key
Documents the prerequisites for successful key rotation, including that FileVault must be enabled and escrowed using an Intune disk encryption policy.
https://learn.microsoft.com/intune/intune-service/remote-actions/device-rotate-filevault
Store and retrieve macOS FileVault recovery keys
Clarifies how recovery keys are viewed and managed once correctly escrowed to Intune.
https://learn.microsoft.com/intune/intune-service/user-help/store-recovery-key
Proposed changes
MacOS - Baseline - ES - Disk Encryption - D - FileVault Enforcement - v2.0.json
MacOS - Baseline - SC - Disk Encryption - D - FileVault Enforcement Settings - v2.0.json