Do you configure the 'Account Settings' payload? If so, that is by design.



So it's a little back to front in what's written (will disable in Setup Assistant) where items you want disabled are ticked. Jamf is actually disabling the check box as empty when I guess it should be greyed out with a tick, if that makes sense.
Do you configure the 'Account Settings' payload? If so, that is by design.



Yes, I do have that configured, but I see that message there explains why I can't tick the box. The only thing I have set up is pre-filling the user info from the SSO sign-in. I don't quite understand why that specifically would prevent FileVault from being disabled.
I believe (might be wrong) that unless user creation is completely handed off to Setup Assistant during enrolment, FileVault needs to be enabled upon login of that user.
There's a known issue where the recovery key isn't escrowed to MDM when FV is enabled during setup.
I, too, want to pre-fill primary account information from SSO / Google LDAP and lock primary account information at the local account creation screen, without enabling FileVault during Setup Assistant.
It's good to know that the reason FileVault is greyed out for us is because we have the 'Account Settings' payload configured.
What doesn't make any sense is why, only recently, random enrollments are getting prompted to set up FileVault during Setup Assistant. PreStage hasn't been touched. I'd be OK with checking FileVault under 'Setup Assistant Options', but I can't, since Account Settings is configured, for reasons stated above.
Edit: It appears in 14.4, there is a new feature - "MDM can now enforce FileVault for standard users at Setup Assistant." That might correlate with what I've been seeing. But I don't know how to prevent this from happening. Actually, thinking about it more, I saw this issue on a fresh Ventura re-image as well, so maybe not related to 14.4+.