We ran into a situation where a machine would ask daily (our default policy to encrypt machines) to generate a new key.
In our case it appeared something happened to the config profile that escrows the key. We had to remove profiles from the client and re-run the jamf manage command (I believe this was it) so it would pull down a new set of config profiles from the JSS. That solved it for the few we've run into.
For completeness and for others searching, here's what I've found.
I had the policy running Once Per Day and changed that to Once Per Computer.
It requires a little more active monitoring on your part, but keeps people from being asked to rekey multiple times.
As part of my investigation I made a smart group that detects when a rekey is needed and had it send me emails when the group membership changes. I found that computers are being "randomly" added to and removed from the smart group, and I'm not sure why, but I'm also not investigating more.
Here are two examples of emails sent to me for computers that seemingly needed the key escrowed and were then removed from that group with no user interaction.
Computer 1 Added: Thu, Jul 25, 10:50 AM
Computer 1 Removed: Thu, Jul 25, 11:21 AM
Computer 2 Added: Mon, Jul 29, 9:55 AM
Computer 2 Removed: Mon, Jul 29, 9:56 AM
Hi there! I'm the maintainer of the jss-filevault-reissue workflow referenced above, and I've got a quick update that may be of interest to you.
My team has published a new tool called Escrow Buddy, which regenerates FileVault keys at the loginwindow, thus avoiding the need to prompt users for their password later. It should be suitable as a drop-in replacement for my previous jss-filevault-reissue workflow at most organizations.
You can read more in this announcement on the Netflix Tech Blog, and this post on my site specifically covers migrating from my old workflow to Escrow Buddy. Escrow Buddy's source code and installer are available on GitHub.
Thanks!