Issues when using FileVault Recovery Key on Mojave (10.14.4 specifically)

patrickmullen
New Contributor II

I had something come up the other day that used to work perfectly fine on High Sierra and earlier.

I've got a user that forgot the password for their account -- used the escrowed FileVault recovery key to unlock the disk, which worked, but when that was done it prompted them to reset their password (totally expected).

The catch is that it wanted the "Master Password" before they could reset their password.

We're in an AD environment, but even with a local user I experience issues -- basically it unlocks the disk and then pops up and asks for a password again (which isn't helpful if the user has forgotten their password).

This doesn't appear to be an APFS issue because I didn't have this issue on High Sierra with APFS + encrypted Macs.

Both my test Mac and the user's Mac are on 10.14.4, so I can't say whether this is all of Mojave or unique to 10.14.4.

Curious if anyone else has dealt with this.

12 REPLIES

mapurcel
Contributor III

There is a known bug with the FileVault recovery process on 10.14.4 specifically. We use local accounts and the behavior is that after using a recovery key it does not let you reset the password unless you use the password utility from the recovery partition. Apple has confirmed the bug.

dswitmer
New Contributor III

What do you have to do with the password utility?

patrickmullen
New Contributor II

@mapurcel I am also able to reproduce on 10.14.3 I just confirmed.

If it's a confirmed bug, maybe it's just been noticed finally on 10.14.4?

@dswitmer User had to come on-site, I had to manually log in and touch the machine and then reset with our AD server -- which is not exactly ideal for a variety of reasons.

EDIT, oh, it looks like you're not asking me for the follow-up. Also curious. Ignore me! :)

mapurcel
Contributor III

We use local accounts and the bug is only present on 10.14.4. When a FileVault Recovery Key is used, the user is prompted to reset the password but no password is accepted (shakes). At this point the user is locked out of the machine at the login screen. You can use password utility to reset the user account password and successfully login with the new password.

andrew_abraham
New Contributor II

It gets even more complicated on single-user systems that have a T2 chip, which require authentication to use Terminal in Recovery.

Also worth noting that in our testing if you have an institutional key on the system you'll get a confusing 'Master Password' prompt after attempting to set a new password for the local user using the individual key at the FV login screen. There is no master password set and you will not be able to enter anything successfully in this prompt. Apple has acknowledged this defect with us and is investigating.

al_c
New Contributor III

How can you use the password reset utility if FileVault is turned on? Aren't you reverted back to the login screen to enter your recovery key when using the resetpassword command?

ClassicII
Contributor III

@alex.cisneros

I wrote about this here.

https://mrmacintosh.com/10-14-4-update-breaks-local-account-password-reset/

For 10.14.4, if you can't get into the Terminal due to FV2 on a T2 device and you have the firmware password off, you can wait 1 min; then the screen will say "Did you reset your password? If so, power the system off now" and you will be booted to the reset password utility.

@patrickmullen

You can read about what you have to do to reset an AD Mobile Account user here.

https://mrmacintosh.com/10-14-4-forgotten-active-directory-password-sync-fv2/
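The posts above describe which recovery path you land on depending on the macOS build and on whether the Mac carries a personal recovery key, an institutional key, or both. As an added example (not code from this thread or from the linked articles), the script below is a pre-flight triage an admin would run as root on the affected Mac before handing the user the escrowed key: it flags the builds the thread reports as broken (10.14.3 and 10.14.4, fixed in 10.14.5), reports which key types `fdesetup` says are present, prints the path to expect, and validates that the escrowed personal key actually matches this disk. The `affected_build` and `recovery_path` helpers and the version list are assumptions derived from the replies, not anything Apple publishes; the `fdesetup` and `sw_vers` invocations are standard macOS commands and only run when they exist on the host.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight triage before using an
# escrowed FileVault recovery key on a Mac whose user forgot their password.
# Run as root on the Mac itself. Version list reflects the thread's reports
# (assumption: 10.14.3 and 10.14.4 affected, 10.14.5 and later fixed).

# affected_build VERSION
# Returns 0 when VERSION is a build the thread reports as rejecting every
# password on the post-recovery-key reset sheet.
affected_build() {
  case "$1" in
    10.14.3|10.14.4) return 0 ;;
    *) return 1 ;;
  esac
}

# recovery_path HAS_PERSONAL HAS_INSTITUTIONAL
# Arguments are the literal "true"/"false" printed by
# `fdesetup haspersonalrecoverykey` and `fdesetup hasinstitutionalrecoverykey`.
# Prints "<label>: <what to expect>" on one line.
recovery_path() {
  personal="$1"
  institutional="$2"
  if [ "$personal" = "true" ] && [ "$institutional" = "true" ]; then
    echo "both: unlock with the personal key; expect the bogus Master Password prompt on the reset sheet, so plan on resetpassword from Recovery"
  elif [ "$personal" = "true" ]; then
    echo "personal: unlock with the personal key; if the reset sheet rejects every password, use resetpassword from Recovery"
  elif [ "$institutional" = "true" ]; then
    echo "institutional: no personal key to hand the user; unlock requires the FileVaultMaster private key held by IT"
  else
    echo "none: no escrowed key of either type; the password cannot be recovered from FileVault"
  fi
}

# Live triage. Guarded so the functions above can be sourced and exercised
# on a non-Mac host (fdesetup only exists on macOS and needs root).
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  ver="$(sw_vers -productVersion)"
  echo "macOS $ver"
  if affected_build "$ver"; then
    echo "WARNING: this build is reported to break the password reset after a recovery-key unlock"
  fi

  fdesetup status
  recovery_path "$(fdesetup haspersonalrecoverykey)" "$(fdesetup hasinstitutionalrecoverykey)"

  # Confirms the escrowed personal key matches this volume before the user
  # relies on it. fdesetup prompts for the key interactively, so only run
  # when attached to a terminal.
  if [ -t 0 ]; then
    fdesetup validaterecovery
  fi
fi
```

Run it before the user leaves the building: a "none" or "institutional" result means the escrowed personal key in your MDM is not going to unlock this disk at all, and a failed `validaterecovery` means the escrowed key is stale (rotated after the last escrow) and should be regenerated with `fdesetup changerecovery -personal` while someone who knows the password is still available.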

al_c
New Contributor III

Thanks @ClassicII I will try that!

Baker
New Contributor

Does anyone know if this issue persisted into 10.14.5?

Baker
New Contributor

@mapurcel Can you provide the article in which Apple confirms this bug?

mapurcel
Contributor III

@Baker we opened a support case where they confirmed it, I don't think there was an article

mapurcel
Contributor III

also, this was resolved for us with 10.14.5 and 10.14.6