Once the supplemental 10.13.2 upgrade was installed, I could no longer add AD users to FileVault.
The issue seems to be that Secure Token is not enabled for AD users. The following fixes the issue:
sysadminctl interactive -secureTokenOn <user name> -password <password>
sysadminctl interactive -secureTokenStatus user.name
Reboot and you should be able to enable for the new user.name.
This is bittersweet in a way... I finally have someone else out there with an AD environment setup where your users cannot be added to FileVault on High Sierra. This has been troublesome for me for a long time, ever since the release of 10.13.0.
Basically, I was having an issue prior to the supplemental update where a user on 10.12.6, after upgrading to High Sierra on a previously FileVaulted machine, couldn't log back in after reboot. Basically, since their account didn't have a secure token prior, the icon was removed after reboot.
This part seems to be resolved, and I am now stuck with the issue in which an AD user on a machine after the update cannot be added to FileVault and I have to go through the process you described above.
Here is what we have been successful with. Most of the time we only have to use the last line by itself when we enable a user for FileVault in 10.13 using Sys Prefs. Based on my understanding, this should only be happening on AD Mobile Accounts; at least that is the only place we are seeing it.
sudo sysadminctl interactive -secureTokenStatus username
sudo sysadminctl interactive -secureTokenOn username -password -
sudo diskutil apfs updatePreboot /
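
An added example, not part of the posts above: a small script that runs the status check from this thread across several accounts and lists the ones still lacking a Secure Token. It assumes the status line contains "Secure token is ENABLED" or "Secure token is DISABLED"; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which accounts still lack a Secure Token.
# Assumption: `sysadminctl -secureTokenStatus <user>` prints a line containing
# "Secure token is ENABLED for user ..." or "Secure token is DISABLED for user ...".

# Classify one status line as enabled / disabled / unknown.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Read "username<TAB>status line" records on stdin and print the usernames
# whose token is not confirmed enabled (disabled or unparseable output).
users_needing_token() {
    while IFS="$(printf '\t')" read -r user line; do
        [ -n "$user" ] || continue
        [ "$(token_state "$line")" = enabled ] || echo "$user"
    done
}

# Query the local machine for each user given (macOS only).
# stderr is merged into stdout on the assumption that the tool logs there.
collect_status() {
    for user in "$@"; do
        status=$(sysadminctl -secureTokenStatus "$user" 2>&1 | tail -n 1)
        printf '%s\t%s\n' "$user" "$status"
    done
}

# Constructed sample records (not captured from a real machine).
sample_records() {
    printf 'jdoe\t2018-01-10 09:14:02.113 sysadminctl[812:4411] Secure token is ENABLED for user John Doe\n'
    printf 'asmith\t2018-01-10 09:14:02.530 sysadminctl[813:4420] Secure token is DISABLED for user Anne Smith\n'
    printf 'ghost\tUnknown user ghost\n'
}

# On a Mac, pass usernames as arguments to audit real accounts.
if command -v sysadminctl >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
    collect_status "$@" | users_needing_token
fi
```

Accounts it prints are the ones to run through the `-secureTokenOn` step before trying to enable them for FileVault.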