Managing macOS devices using Microsoft Intune
The behavior described matches a reporting/interpretation issue rather than a real FileVault/VPN configuration problem.
From the device side and Intune encryption perspective, the scenario is healthy:
- FileVault is enabled and active (fdesetup status reports “FileVault is On”).
- The personal recovery key is escrowed and visible in Intune.
- Encryption reporting can show non‑success states even when the device is actually encrypted and manageable, for example:
  - “The recovery key hasn't been retrieved and stored yet. Most likely, the device hasn't been unlocked, or it hasn't checked in.”
  - “The user is deferring encryption or is currently in the process of encryption.”
  - “The device is already encrypted. Device user must decrypt the device to continue.”
These examples illustrate that Intune’s status and error fields for macOS disk encryption are not always a direct reflection of a current, actionable problem on the device, but can represent transient or edge conditions in how the profile is applied and evaluated.
In this case:
- There is no VPN configuration in Intune or on the device.
- FileVault settings are applied and working (encryption on, key escrowed, rotation supported).
- The error text about a “VPN Service payload” is therefore best understood as a mis‑mapped or generic MDM payload error being surfaced against the FileVault profile.
Within the provided material, there is no specific mapping for error code 9681, nor any documented dependency between FileVault and VPN payloads. The FileVault feature set and its monitoring/management are documented independently of VPN, and all functional prerequisites for FileVault management are already met in this environment.
Given that:
- This appears as a reporting artifact rather than a supported, documented failure mode.
- There is no functional impact on FileVault enablement or recovery key escrow.
The practical guidance from the available documentation is:
- Treat the device as compliant for encryption if:
  - FileVault is On on the device.
  - The recovery key is escrowed and retrievable via the Company Portal.
  - The encryption report shows the device as encrypted and the key available.
- Use the encryption report and device details as the primary source of truth for FileVault health, not the mis‑labeled payload error.
- If needed, verify:
  - In the encryption report, that the device is listed as encrypted and that the recovery key is present.
  - In the device’s profile state summary and status details, that there are no other actionable errors (for example, “device is already encrypted” when trying to apply a new policy).
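The device-side half of that check can be scripted. The following is an added example, not from the original page or from Microsoft: it classifies the text that fdesetup status prints (on, encrypting, decrypting, deferred, off) and combines it with fdesetup haspersonalrecoverykey to decide whether the Mac itself meets the "FileVault On plus recovery key present" bar, independent of what the Intune report or a mis-mapped payload error says. The sample status texts are constructed for illustration; on a real Mac the script reads the live values instead.

```shell
#!/bin/sh
# Added example (not part of the original page): confirm FileVault health
# on the device before trusting an Intune payload error. Sample outputs
# below are constructed, not captured from a real device.

# Classify the output of `fdesetup status` (passed as $1).
# Prints one of: encrypted, encrypting, decrypting, deferred, off, unknown.
# In-progress and deferred lines are checked first because they appear
# alongside the "FileVault is On/Off" line.
filevault_state() {
  case "$1" in
    *"Encryption in progress"*) echo "encrypting" ;;
    *"Decryption in progress"*) echo "decrypting" ;;
    *"Deferred enablement"*)    echo "deferred" ;;
    *"FileVault is On"*)        echo "encrypted" ;;
    *"FileVault is Off"*)       echo "off" ;;
    *)                          echo "unknown" ;;
  esac
}

# Apply the page's compliance bar: FileVault On and a personal recovery key present.
# $1 = text of `fdesetup status`, $2 = output of `fdesetup haspersonalrecoverykey` (true/false).
# Prints a verdict and returns 0 (compliant) or 1 (not compliant).
encryption_compliant() {
  state=$(filevault_state "$1")
  if [ "$state" = "encrypted" ] && [ "$2" = "true" ]; then
    echo "compliant"
    return 0
  fi
  echo "not-compliant (state=$state, personal recovery key=$2)"
  return 1
}

# Constructed sample outputs in the shape fdesetup uses:
SAMPLE_ON="FileVault is On."
SAMPLE_ENCRYPTING="FileVault is On.
Encryption in progress: Percent completed = 42"
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."

# On a Mac, read the live state; elsewhere fall back to the samples so the
# script still runs end to end.
if command -v fdesetup >/dev/null 2>&1; then
  STATUS=$(fdesetup status)
  HAS_PRK=$(fdesetup haspersonalrecoverykey)
else
  STATUS=$SAMPLE_ON
  HAS_PRK=true
fi

encryption_compliant "$STATUS" "$HAS_PRK" || true
```

A device that prints "compliant" here while Intune still shows the VPN-payload text is exactly the reporting-artifact case the page describes; a "deferred" or "encrypting" result, by contrast, matches the transient Intune states listed above and should simply be re-checked after the user completes enablement and the device checks in.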
No specific fix or workaround is documented for remapping or suppressing this VPN‑payload error when FileVault is functioning correctly. The recommended approach, based on the available information, is to rely on the encryption status and recovery key escrow indicators as the authoritative health signals and treat the 9681/VPN text as a non‑blocking reporting anomaly.