FV2 password out of sync with Login password (no backup account)

The OS version matters a lot here. If it's High Sierra and you have no admin account with a Secure Token, I'd recommend re-imaging.

It's fully up to date (13.6)

Does that actually fix the syncing issue or simply apply a temporary fix? On the next password change, will FV sync up?

If the password is changed off-Mac (via website, directly in AD, etc.) then this will always happen. If the password is changed on the Mac then the FV2 password will sync at the time of the changed. Welcome to the wonderful world of secureTokens.

The only way to avoid it permanently is to change passwords on the Mac via System Pref, NoMAD, Enterprise Connect, etc.

As an aside: "Also, the recovery key was never cached on the JSS, so I can't use that to reset her password/add people to FV2."

The recovery key wouldn't have made a difference, that will only get you into the machine. You can't add users to FV2 without a secureToken'ed account.

We've been running this command with good success when High Sierra Macs "forget" to update the FV partition:

diskutil apfs updatePreboot /

Of course, requires APFS formatted drives!

Running the following command does not work in my testing. Although letting the device sit connected to AD for a long while (several minutes to hours) does the trick.

diskutil apfs updatePreboot /

Thank You very much @hkabik !

I was able to confirm this works on my test machine, but it did not work for the computer in question. I got a -69590 error (Bad password?)

I was however able to decrypt the drive using:

diskutil apfs decryptVolume /dev/disk1s1 -user [UUID]

No idea why it was able to decrypt, but not change password. End of the day I will be able to sync everything up.

@hcgtexas i ran into this recently and got same error. The prompts aren't very well written as to when to enter user vs admin password. This should always work in case anyone else finds this thread via search and FV enabled admin user exists on machine.

Open terminal logged in as user & run switch user command below: run "su admin" enter admin password when prompted For good measure, updatePreBoot: run "diskutil ap updatePreBoot /" enter admin password when prompted Remove user from Filevault: run "sudo fdesetup remove -user username" where username is username of user having issue enter admin password when prompted Verify user removed: run "sudo fdesetup list" should only list admin with admin's GUID Add the user back into FileVault: run "sudo fdesetup add -usertoadd username" where username is username of user having issue, type carefully! At prompt for "Enter the user name:" enter admin At prompt "Enter the password for user 'admin':" enter admin password At prompt "Enter the password for the added user 'username':" have user type their new password Verify user correctly readded run "sudo fdesetup list" should now list admin and user with their GUIDs. Verify this is correct username, otherwise when they reboot they won't be able to login. After the next restart the passwords will all match.

@hkabik Thank you for this! I do have a question though, I ran this yesterday, rebooted and everything was fine. This morning I tried to sign in from home and the FV2 authentication changed to the new password, but it got hung and wouldn't boot all the way into the system. So I powered off (hold power button) and again FV2 authenticated with the updated password but brought me to the regular 10.14.1 login and wouldn't take my new password (that had been working for about a week or two). Eventually got signed in using my previous password that FV2 had been using.

Any thoughts?

It depends if it's a mobile or standard account but for mobile AD accounts I'd suggest turning off FileVault for that particular user only.

Use: sudo fdesetup remove -user (username)
Log out, then back in again with the correct and new password.
Then re-apply it in System Prefs/Security/Filevault (should have a notification that some users aren't enabled).

Thanks @CasperSally. Your process worked for me with macOS 10.14.2 where an AD user changed password "outside-of-the-mac" on our web portal.