Generate Encryption Recovery Key Escrow Certificate

About this task

To generate the certificate and key pair, complete the following steps:


  1. From the WebUI main page, click Apps > MCM > Admin.
  2. On the Admin page, expand Recovery Key Escrow and click Generate Encryption Recovery Key Escrow Certificate.
  3. In the next screen, click Deploy.


The certificate and key pair used to create the recovery keys are now generated and stored in the WebUI database for future actions. The key will be used when deploying Windows or macOS encryption policies.
Important: You can also regenerate the certificate and key pair from this page. However, generating a new set of keys has adverse effects: any in-progress encryption actions will fail to escrow their recovery key, because they will be encrypting with the outdated certificate. To avoid that, it is recommended to redeploy the macOS full disk encryption policies, as that updates the escrow certificate stored on the devices for a future update or regeneration of the recovery key.