What You'll Configure
Recovery Lock is a macOS security feature that sets a password requirement before a device can be booted into Recovery Mode. Without it, anyone with physical access to a Mac can boot into Recovery, wipe the disk, and reinstall macOS — completely bypassing your MDM enrollment. This is particularly relevant for Apple Silicon (M-series) and T2-equipped Intel Macs, where Recovery Mode is easily accessible by holding the power button during startup.
By the end of this walkthrough, you'll have a Settings Catalog policy in Intune that pushes a managed Recovery Lock password to targeted macOS devices. The device will require that password before entering Recovery Mode, and Intune will escrow the password so your helpdesk can retrieve it when needed — similar to how FileVault personal recovery keys are stored.
Prerequisites before you start:
- License: Microsoft Intune Plan 1 (or higher). Recovery Lock management is an Intune MDM feature — no add-on required.
- Role: Intune Administrator or a custom role with Device Configuration / Read and Write permissions.
- Device requirements: macOS 11.5 or later on Apple Silicon, or macOS 11.5+ on Intel Macs with Apple T2 Security Chip. Devices must be MDM-supervised (enrolled via Apple Business Manager or Apple School Manager with an Automated Device Enrollment profile).
- ADE/Supervised enrollment: Recovery Lock management is only available on supervised devices. If your Macs are user-enrolled or device-enrolled without supervision, this policy will silently do nothing — which is a common source of confusion.
Reference: Microsoft Learn — Configure Recovery Lock using the settings catalog
Step-by-Step Configuration
Step 1: Open the Settings Catalog in Intune
Navigate to the Microsoft Intune admin center and go to Devices → Configuration → Create → New Policy. On the Create a profile blade, set Platform to macOS and Profile type to Settings catalog. Click Create.
Step 2: Name and Describe the Policy
On the Basics tab, give the policy a name that makes its purpose unambiguous — something like macOS-RecoveryLock-Production. Add a description that includes the ticket or change record number if your org requires it. Naming conventions matter here; this policy is doing something security-critical and you want it visible in audit logs. Click Next.
Step 3: Add the Recovery Lock Setting
On the Configuration settings tab, click Add settings. The Settings picker panel opens on the right. In the search box, type Recovery Lock. You'll see results under the Declarative Device Management (DDM) → Security category. Select Passcode, or look specifically for the setting labeled Enable Recovery Lock; the exact label you want is Recovery Lock Enabled. Check the box next to it and close the picker.
Back on the configuration settings view, you'll now see two settings appear:
- Recovery Lock Enabled — Toggle this to True.
- Recovery Lock Password — This is optional. If you leave it blank, Intune generates a random password and escrows it automatically. If you enter a static password here, that same password is pushed to every device in scope, which defeats the purpose of per-device isolation. Leave this blank — let Intune generate unique passwords per device and escrow them.
Step 4: Configure Scope Tags (Optional but Recommended)
If your tenant uses scope tags to partition management between IT teams or regions, assign the appropriate scope tag on the Scope tags tab. Skipping this step means the policy is visible and editable by all Intune admins in the tenant — fine for smaller orgs, a problem for larger ones with delegated administration models. Click Next.
Step 5: Assign the Policy to a Group
On the Assignments tab, click Add groups under Included groups and select the Azure AD group containing your supervised macOS devices. A dedicated dynamic device group filtered on deviceOSType eq "MacMDM" and enrollment type works well here. Avoid assigning to All Devices unless you've confirmed every Mac in your tenant is supervised — unsupported devices won't fail gracefully and the policy result can be misleading in the portal.
If you have a pilot group, assign there first. Recovery Lock is not disruptive to end users during normal operation, but it's worth validating password escrow is working before fleet-wide rollout. Click Next, review the summary, then click Create.
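The dedicated dynamic device group from Step 5, created through Microsoft Graph instead of the portal. This is an added example, not code from the original article or from Microsoft; it assumes $accessToken already holds a Graph token with Group.ReadWrite.All, and the enrollment profile name prefix "macOS-ADE" is a placeholder you replace with your own ADE profile name.

```powershell
# Added example: create the dynamic device group that scopes the Recovery Lock policy.
# Assumes $accessToken is a Graph access token with Group.ReadWrite.All (obtained beforehand).
$headers = @{
    Authorization  = "Bearer $accessToken"
    "Content-Type" = "application/json"
}

# Entra dynamic membership rule. deviceOSType "MacMDM" selects Intune-managed Macs;
# enrollmentProfileName is populated only for devices that came in through an
# Automated Device Enrollment profile, which is how a Mac becomes supervised.
# "macOS-ADE" is a placeholder prefix: substitute the name of your own ADE profile.
$rule = '(device.deviceOSType -eq "MacMDM") and (device.enrollmentProfileName -startsWith "macOS-ADE")'

$body = @{
    displayName                   = "macOS-RecoveryLock-Targets"
    description                   = "Supervised Macs in scope for the Recovery Lock policy"
    mailEnabled                   = $false
    mailNickname                  = "macOS-RecoveryLock-Targets"
    securityEnabled               = $true
    groupTypes                    = @("DynamicMembership")
    membershipRule                = $rule
    membershipRuleProcessingState = "On"
} | ConvertTo-Json

$group = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups" `
                           -Headers $headers -Method Post -Body $body
Write-Output "Created group '$($group.displayName)' with id $($group.id)"

# Dynamic membership is evaluated asynchronously; check the processing status
# before assigning the policy so you are not targeting an empty group.
$statusUri = "https://graph.microsoft.com/v1.0/groups/$($group.id)?`$select=membershipRuleProcessingState"
$status = Invoke-RestMethod -Uri $statusUri -Headers $headers -Method Get
Write-Output "Membership rule processing state: $($status.membershipRuleProcessingState)"
```

The rule keys on Entra device attributes, not on Intune's own supervision flag, so it is a scoping aid rather than proof of supervision; verify the supervision state of the resulting members in Intune before the fleet-wide rollout.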
Verification
After the policy deploys (allow up to 15 minutes for devices that are online and checking in), verify both the policy state and the escrowed password.
In the Intune portal: Go to Devices → macOS → [Device Name] → Configuration and find your Recovery Lock policy. The status should show Succeeded. A status of Pending usually means the device hasn't checked in yet. A status of Error on a supervised device often points to an OS version below 11.5.
To retrieve the escrowed Recovery Lock password for a specific device: navigate to Devices → macOS → [Device Name] → Recovery keys. You'll see a Get Recovery Lock password button. Clicking it requires an additional authentication step (the admin must re-authenticate) and the action is logged in the Intune audit log — treat it with the same care as retrieving a FileVault key.
Programmatic verification via Microsoft Graph: The following request retrieves the managed device's configuration state. Replace {deviceId} with the Intune device ID (GUID).
# Get a device's configuration policy states
# $accessToken must already hold a Graph access token (acquired beforehand, not shown here)
$deviceId = "your-device-guid-here"
$uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$deviceId/deviceConfigurationStates"
$headers = @{ Authorization = "Bearer $accessToken" }
Invoke-RestMethod -Uri $uri -Headers $headers -Method Get | ConvertTo-Json -Depth 5
To retrieve the escrowed Recovery Lock password programmatically (requires DeviceManagementManagedDevices.PrivilegedOperations.All permission):
# Retrieve Recovery Lock password via Graph
$uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$deviceId/getFileVaultKey"
# Note: For Recovery Lock specifically, use the recoveryKeys endpoint:
$uri = "https://graph.microsoft.com/beta/informationProtection/recoveryKeys"
# Filter by deviceId if needed
Invoke-RestMethod -Uri "$uri?`$filter=deviceId eq '$deviceId'" -Headers $headers -Method Get
Reference: Microsoft Graph — managedDevice resource type
Common Issues
Policy shows Succeeded but Recovery Lock isn't active on the device
Nine times out of ten, the device isn't supervised. Open the device record in Intune and check the Enrollment type field. If it says anything other than ADE or Device enrollment manager with supervision enabled, the policy will report success but the MDM payload was silently ignored by macOS. The fix is re-enrolling the device through Apple Business Manager with a supervised ADE profile — there's no in-place workaround.
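A fleet-wide triage for the two conditions described above (unsupervised devices, and devices below macOS 11.5) using the managedDevice properties Graph exposes. This is an added example, not code from the original article or from Microsoft; it assumes $accessToken holds a Graph token with DeviceManagementManagedDevices.Read.All and that the tenant's Macs report their OS version in the usual "major.minor[.patch] (build)" form.

```powershell
# Added example: list Intune-managed Macs that will not honour a Recovery Lock policy.
# Assumes $accessToken is a Graph access token with DeviceManagementManagedDevices.Read.All.
$headers    = @{ Authorization = "Bearer $accessToken" }
$minVersion = [version]"11.5"   # Recovery Lock requires macOS 11.5 or later

# managedDevice exposes isSupervised, osVersion and deviceEnrollmentType directly,
# so a single paged query answers both "is it supervised?" and "is the OS new enough?".
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?" +
       "`$filter=operatingSystem eq 'macOS'&" +
       "`$select=id,deviceName,osVersion,isSupervised,deviceEnrollmentType,lastSyncDateTime"

$findings = @()
do {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    foreach ($d in $page.value) {
        $reasons = @()

        # Supervision is the usual culprit: the policy reports Succeeded but macOS ignores it.
        if (-not $d.isSupervised) {
            $reasons += "not supervised (enrollment type: $($d.deviceEnrollmentType))"
        }

        # osVersion may carry a build suffix such as "14.2 (23C64)"; keep only the numeric part.
        # A value that does not parse is reported rather than silently treated as compliant.
        $numeric = ($d.osVersion -split ' ')[0]
        $ver = $null
        if (-not [version]::TryParse($numeric, [ref]$ver)) {
            $reasons += "unparseable osVersion '$($d.osVersion)'"
        }
        elseif ($ver -lt $minVersion) {
            $reasons += "macOS $numeric is below 11.5"
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                DeviceName = $d.deviceName
                DeviceId   = $d.id
                LastSync   = $d.lastSyncDateTime
                Reason     = ($reasons -join '; ')
            }
        }
    }
    # Follow server-side paging until the result set is exhausted.
    $uri = $page.'@odata.nextLink'
} while ($uri)

if ($findings.Count -eq 0) {
    Write-Output "All Intune-managed Macs are supervised and on macOS 11.5 or later."
}
else {
    $findings | Sort-Object DeviceName | Format-Table -AutoSize
}
```

Run this against the pilot group before rollout and again when a device shows Succeeded without Recovery Lock actually being active; a device listed here with "not supervised" needs the re-enrollment through Apple Business Manager described above, and no policy change will fix it.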