Hi, 

We are starting to implement JAMF and a lot of end users have their FV2 key linked to their personal iCloud account, with most machines already on Big Sur. Has anyone had a successful way of re-issuing FV keys and escrowing them to JSS? We have these settings enabled, but on new computers it doesn't seem to send the key to JAMF. We would also like to move the existing FV keys and escrow them to JSS.

 

If the device is already set up and encrypted, you'll need to prompt the user for their password in order to generate a new key that will then be escrowed. This would be a good start.


Yes, I started there, but with Big Sur I wasn't able to get it to run. It seems vastly out of date, since the "Automatically redirect recovery keys to the JSS" is deprecated.

 


You'll need to use the "Escrow Personal Recovery Key" settings. I just used this method and escrowed a key on Big Sur.


deprecated? wait, what now? 


I faced a similar kind of issue last time; I am still searching for a proper solution.


Have a look at https://github.com/jamf/FileVault2_Scripts/blob/master/reissueKey.sh 


I'm using this and it's working fine on Big Sur Macs...caveat being I have no M1 to test, only T2's...


@scottb It does work on M1 as well


I just attempted running the script on a test machine and got the following result.  Any ideas?


Would have to see what your script looks like, but I'm going to guess that when you are defining the location of the TFlogo.png, you may have some ill-formed code, based on the "Can't make file ":$:Applictions:logo:TFlogo.png" part of the error message.


Thanks for responding, I got it working last night. Seems it did not like the file path I added in for our company's logo; once I added file:// in front of the file path it worked like a charm.

Thanks!