A new WDRT (Whole Disk Recovery Token) is only created for an Encryption Desktop client if the client can connect to Encryption Management Server over HTTPS and authenticate.
If the client cannot connect to the server over HTTPS, the existing WDRT remains active.
A new WDRT is created after a WDRT is used to authenticate at BootGuard and the user logs in to Windows.
If a client cannot connect to the server, an entry like this appears in the Encryption Desktop log:
Scheduled sync with keys.example.com failed; server is unreachable
If a client can connect and authenticate, an entry like this appears in the Encryption Desktop log:
Completed synchronization with configuration server keys.example.com
In addition, in the administration console of Encryption Management Server under Reporting / Logs / Client log, an entry like this will be seen when a client authenticates:
authenticated internal Encryption Desktop 10.5.0.1721 user first.last from [192.168.1.198]
Please ensure that Encryption Desktop clients are authenticating to Encryption Management Server if you want new WDRTs to be generated.
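
The following is an added example, not part of the original article or the product: a small Python check that reads the log messages quoted above to show whether a client's last sync succeeded and which expected users have no authentication entry on the server. The leading timestamps in the sample client log, the user jane.doe and the function names are assumptions made for illustration.

```python
import re

# Message patterns copied from the log entries quoted in the article.
SYNC_FAIL = re.compile(r"Scheduled sync with (\S+) failed; server is unreachable")
SYNC_OK = re.compile(r"Completed synchronization with configuration server (\S+)")
SERVER_AUTH = re.compile(
    r"authenticated internal Encryption Desktop (\S+) user (\S+) from \[([^\]]+)\]")


def client_sync_state(lines):
    """Return {server: {"last": "ok"|"unreachable", "failures_since_ok": n}}."""
    state = {}
    for line in lines:
        ok, fail = SYNC_OK.search(line), SYNC_FAIL.search(line)
        if ok:
            # A completed sync means the client connected and authenticated.
            state[ok.group(1)] = {"last": "ok", "failures_since_ok": 0}
        elif fail:
            entry = state.setdefault(
                fail.group(1), {"last": "unreachable", "failures_since_ok": 0})
            entry["last"] = "unreachable"
            entry["failures_since_ok"] += 1
    return state


def users_not_authenticating(server_lines, expected_users):
    """Users with no authentication entry in the server's Client log."""
    seen = {m.group(2) for m in map(SERVER_AUTH.search, server_lines) if m}
    return sorted(set(expected_users) - seen)


# Constructed sample data; the leading timestamps are an assumed format.
CLIENT_LOG = [
    "09:00:01 Completed synchronization with configuration server keys.example.com",
    "10:00:01 Scheduled sync with keys.example.com failed; server is unreachable",
    "11:00:01 Scheduled sync with keys.example.com failed; server is unreachable",
]
SERVER_LOG = [
    "authenticated internal Encryption Desktop 10.5.0.1721 user first.last from [192.168.1.198]",
]

if __name__ == "__main__":
    print(client_sync_state(CLIENT_LOG))
    print(users_not_authenticating(SERVER_LOG, ["first.last", "jane.doe"]))
```

A client whose last state is "unreachable" keeps its existing WDRT, so a token used at BootGuard on that machine stays active until the next successful sync.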