macOS Recovery Key failing to unlock disk

Dperk
New Contributor III

This is the second time I've had this issue occur where an employee's machine rebooted for updates and failed to come back on. I managed to use the Apple Configurator app to fix the booting for the Mac, but when I try to pull up the recovery options or even turn it back on I get "macOS Recovery key needed". I'm using the key that Jamf has in the encryption record and it's failing to unlock the drive. I've tried using the key for the Mac that was used to revive the broken one in case it copied that encryption, but no luck either.


Not sure if anyone has run into this issue or found a solution, but I'd really hate to have to wipe and reimage another employee's machine as that sets them back a few days.


Dperk
New Contributor III

For reference, this is the window I'm stuck at.


mm2270
Legendary Contributor III

FileVault Recovery keys can and sometimes do get out of sync with what's in Jamf. Jamf Pro has a mechanism built in to verify if the current Recovery key is valid on that device. It's called "Personal Recovery Key Validation" and will report back either Valid or Invalid, if the Mac is encrypted and Jamf Pro has a key stored for it in the record.

Have you checked the machine's details to see if Jamf was reporting the key as Invalid? If so, then something changed or swapped out the Recovery key on that device and it wasn't escrowed back to Jamf Pro.

Edit: Forgot to mention that, unless you were also using an Institutional Recovery key for your Macs, then unfortunately, if the machine is only booting to Recovery and you can't get back to a normal boot mode, you may have no choice but to wipe the machine. There's really no way to get past encryption without a valid PRK or a password (only for admin accounts enabled for FV2).

Going forward, I would make sure you have a Config Profile deployed to your Macs that enables the escrow function for FileVault. This will ensure that if the key gets swapped out for any reason, the new one gets escrowed properly back to Jamf.

Dperk
New Contributor III

After some rebooting and trying to change the startup disk, it eventually allowed the user pw to unlock the disk, thankfully. But I was curious, where would I find this recovery key validation in Jamf? Google was of no help, but I'd love to get an idea of how many machines aren't talking correctly to Jamf for FileVault encryption. Going forward I'm going to make sure that config profile keeps everything in check.

mm2270
Legendary Contributor III

It shows up within the device record, under the Disk Encryption tab. See the image for an example.

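To get the fleet-wide count the OP asked about, the per-device PRK validation status can be pulled from inventory and triaged. The script below is an added example, not from the thread or from Jamf: it assumes records shaped like the Jamf Pro API `/api/v1/computers-inventory` response with the `DISK_ENCRYPTION` section, and in particular the field names `diskEncryption.individualRecoveryKeyValidityStatus` and `bootPartitionEncryptionDetails.partitionFileVault2State` (check these against your Jamf Pro version); the sample records are constructed.

```python
"""Triage FileVault Personal Recovery Key (PRK) escrow state from Jamf Pro
computer inventory records. Added example; field names are assumptions based
on the Jamf Pro API computers-inventory DISK_ENCRYPTION section."""
from collections import defaultdict

# Constructed sample records mimicking /api/v1/computers-inventory results.
SAMPLE_RECORDS = [
    {"id": "1", "general": {"name": "mac-ok"},
     "diskEncryption": {
         "bootPartitionEncryptionDetails": {"partitionFileVault2State": "ENCRYPTED"},
         "individualRecoveryKeyValidityStatus": "VALID"}},
    {"id": "2", "general": {"name": "mac-invalid"},
     "diskEncryption": {
         "bootPartitionEncryptionDetails": {"partitionFileVault2State": "ENCRYPTED"},
         "individualRecoveryKeyValidityStatus": "INVALID"}},
    {"id": "3", "general": {"name": "mac-noescrow"},
     "diskEncryption": {
         "bootPartitionEncryptionDetails": {"partitionFileVault2State": "ENCRYPTED"},
         "individualRecoveryKeyValidityStatus": "UNKNOWN"}},
    {"id": "4", "general": {"name": "mac-unencrypted"},
     "diskEncryption": {
         "bootPartitionEncryptionDetails": {"partitionFileVault2State": "NOT_ENCRYPTED"},
         "individualRecoveryKeyValidityStatus": "NOT_APPLICABLE"}},
    {"id": "5", "general": {"name": "mac-nosection"}},  # section never reported
]

def classify(record: dict) -> str:
    """Return 'ok', 'unrecoverable', 'unencrypted' or 'no_data' for one record."""
    enc = record.get("diskEncryption")
    if not enc:
        return "no_data"  # inventory has not reported disk encryption at all
    state = enc.get("bootPartitionEncryptionDetails", {}).get("partitionFileVault2State")
    if state != "ENCRYPTED":
        return "unencrypted"
    if enc.get("individualRecoveryKeyValidityStatus") == "VALID":
        return "ok"
    # Encrypted, but the escrowed PRK is INVALID, UNKNOWN or missing: if this
    # Mac drops into Recovery, the key held in Jamf will not unlock the disk.
    return "unrecoverable"

def prk_escrow_report(records) -> dict:
    """Group computer names by classification so the at-risk set is visible."""
    report = defaultdict(list)
    for rec in records:
        report[classify(rec)].append(rec.get("general", {}).get("name", rec.get("id")))
    return dict(report)

if __name__ == "__main__":
    for status, names in sorted(prk_escrow_report(SAMPLE_RECORDS).items()):
        print(f"{status:14s} {len(names):3d}  {', '.join(names)}")
```

Machines in the `unrecoverable` bucket are the ones to rotate and re-escrow the PRK on (with the escrow config profile in place) before the next forced reboot.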