Regenerate Encryption Recovery Key

Learn how to regenerate the encryption recovery key for Windows or macOS devices.

About this task

Recovery key regeneration requires the BigFix agent to perform the action; it cannot be done through MDM alone. On Mac devices, the end user is prompted by a small utility to enter the username and password of a privileged user before the recovery key can be regenerated.

To retrieve escrowed recovery keys, the operator or support person must log in directly to the Vault server interface (if you set up Vault with the provided Fixlet, you can use the read user that was created). The 'bigfix' secret engine contains the recovery keys. Recovery keys are stored with identifiers based on the BigFix computer ID, computer name, and last logged-in user, and can be searched for in the Vault interface. The name of the entry in Vault reflects these values as of the time the recovery key was escrowed, so a device that has since been renamed or had a different user log in is still listed under the earlier values.

To regenerate the full disk encryption recovery key, complete these steps.


  1. From WebUI, click Apps > MCM.
  2. On the Modern Client Management page, click Action.
  3. In the list of available actions, click Regenerate Encryption Recovery Key.
  4. On the following page, click Edit Devices to select the target Windows or macOS devices.
  5. Review your selection and click Deploy.