FV2 password out of sync with Login password (no backup account)

hcgtexas
New Contributor III

Howdy,

I have a computer where the user's password is out of sync with FV2. They remember the password, so they type in the FV2 password when booting up, then they type in the current AD password to get access to their account.

I usually fix this issue by removing/re-adding the account from FV2 with fdesetup authenticating with the local admin account, but unfortunately the local admin account was never authorized for FV2.

I have tried using the Users account to add the local admin, but fdesetup seems to want to authenticate with the login and FV2 password at the same time, which obviously doesn't work. Also, the recovery key was never cached on the JSS, so I can't use that to reset her password/add people to FV2.

Is there a way to resolve this situation without having to reimage the machine?

12 REPLIES

alexjdale
Valued Contributor III

The OS version matters a lot here. If it's High Sierra and you have no admin account with a Secure Token, I'd recommend re-imaging.

hcgtexas
New Contributor III

It's fully up to date (13.6)

hkabik
Valued Contributor

Get the user's UUID from a:

sudo fdesetup list

And get the Macintosh HD Identifier with a:

diskutil list

Then run

sudo diskutil apfs changePassphrase disk1s1 [or whatever your actual disk identifier is] -user [UUID]

It will prompt you for the user's existing FV2 password, and then it will ask you what you want to change that password to.
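The lookups hkabik describes (the user's FileVault UUID from `fdesetup list`, the volume identifier from `diskutil list`) are easy to get wrong by eye, and a wrong `-user` UUID is one reason the later changePassphrase step fails. The script below is an added example (mine, not hkabik's or Jamf's): it parses both outputs and assembles the exact `changePassphrase` command for review rather than running it. On a Mac it reads the real tools; anywhere else it falls back to the constructed sample output embedded below, so it can be read and tested offline. The account names and UUIDs in the samples are made up.

```shell
#!/bin/sh
# Added example, not from the thread: find the inputs for
#   sudo diskutil apfs changePassphrase <volume> -user <UUID>
# by parsing `fdesetup list` and `diskutil list`.

# Constructed sample of `sudo fdesetup list` (real format: username,UUID).
SAMPLE_FDESETUP='admin,A1B2C3D4-0000-1111-2222-333344445555
jdoe,9F8E7D6C-5555-4444-3333-222211110000'

# Constructed sample of `diskutil list` for a 10.13-style APFS container.
SAMPLE_DISKUTIL='/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +250.8 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            200.0 GB   disk1s1
   2:                APFS Volume Preboot                 21.0 MB    disk1s2
   3:                APFS Volume Recovery                510.0 MB   disk1s3
   4:                APFS Volume VM                      20.0 KB    disk1s4'

# Real tool output on macOS, the constructed sample everywhere else.
fdesetup_output() {
  if command -v fdesetup >/dev/null 2>&1; then sudo fdesetup list
  else printf '%s\n' "$SAMPLE_FDESETUP"; fi
}
diskutil_output() {
  if command -v diskutil >/dev/null 2>&1; then diskutil list
  else printf '%s\n' "$SAMPLE_DISKUTIL"; fi
}

# fv_user_uuid USER [INPUT]: FileVault UUID of USER from fdesetup-style lines.
# Prints nothing and returns 1 when USER is not FileVault-enabled at all,
# which is the case changePassphrase cannot help with.
fv_user_uuid() {
  uuid=$(printf '%s\n' "${2:-$(fdesetup_output)}" \
    | awk -F, -v u="$1" '$1 == u { print $2; exit }')
  [ -n "$uuid" ] && printf '%s\n' "$uuid"
}

# apfs_volume_id NAME [INPUT]: identifier (e.g. disk1s1) of the APFS volume
# called exactly NAME. The name must be followed by spaces and a size, so
# "Macintosh HD" does not also match a "Macintosh HD - Data" volume on
# newer systems.
apfs_volume_id() {
  id=$(printf '%s\n' "${2:-$(diskutil_output)}" \
    | awk -v n="$1" '$0 ~ ("APFS Volume " n " +[0-9]") { print $NF; exit }')
  [ -n "$id" ] && printf '%s\n' "$id"
}

# change_passphrase_cmd USER [VOLUME_NAME]: the command from the post,
# assembled from the looked-up values and printed for the admin to review.
change_passphrase_cmd() {
  uuid=$(fv_user_uuid "$1") \
    || { echo "error: $1 is not in fdesetup list (not FileVault-enabled)" >&2; return 1; }
  vol=$(apfs_volume_id "${2:-Macintosh HD}") \
    || { echo "error: no APFS volume named '${2:-Macintosh HD}'" >&2; return 1; }
  printf 'sudo diskutil apfs changePassphrase %s -user %s\n' "$vol" "$uuid"
}

# Usage (on the affected Mac): . ./fv_lookup.sh; change_passphrase_cmd jdoe
```

The command is printed, not executed, because `changePassphrase` will prompt interactively for the user's current FV2 password and the new one; run the printed line once you have confirmed the UUID belongs to the right account.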

alexjdale
Valued Contributor III

Does that actually fix the syncing issue or simply apply a temporary fix? On the next password change, will FV sync up?

hkabik
Valued Contributor

If the password is changed off-Mac (via website, directly in AD, etc.) then this will always happen. If the password is changed on the Mac then the FV2 password will sync at the time of the change. Welcome to the wonderful world of secureTokens.

The only way to avoid it permanently is to change passwords on the Mac via System Pref, NoMAD, Enterprise Connect, etc.

As an aside: "Also, the recovery key was never cached on the JSS, so I can't use that to reset her password/add people to FV2."

The recovery key wouldn't have made a difference, that will only get you into the machine. You can't add users to FV2 without a secureToken'ed account.

mbezzo
Contributor III

We've been running this command with good success when High Sierra Macs "forget" to update the FV partition:

diskutil apfs updatePreboot /

Of course, requires APFS formatted drives!

MrRoboto
Contributor III

Running the following command does not work in my testing. Although letting the device sit connected to AD for a long while (several minutes to hours) does the trick.

diskutil apfs updatePreboot /

hcgtexas
New Contributor III

Thank You very much @hkabik !

I was able to confirm this works on my test machine, but it did not work for the computer in question. I got a -69590 error (Bad password?)

I was however able to decrypt the drive using:

diskutil apfs decryptVolume /dev/disk1s1 -user [UUID]

No idea why it was able to decrypt, but not change password. End of the day I will be able to sync everything up.

CasperSally
Valued Contributor II

@hcgtexas I ran into this recently and got the same error. The prompts aren't very well written as to when to enter the user vs. admin password. This should always work, in case anyone else finds this thread via search and an FV-enabled admin user exists on the machine.

Open Terminal logged in as the user and run the switch-user command below:

1. Switch to the admin account: run "su admin" and enter the admin password when prompted.
2. For good measure, update Preboot: run "diskutil ap updatePreBoot /" and enter the admin password when prompted.
3. Remove the user from FileVault: run "sudo fdesetup remove -user username" (where username is the username of the user having the issue) and enter the admin password when prompted.
4. Verify the user was removed: run "sudo fdesetup list"; it should only list admin with admin's GUID.
5. Add the user back into FileVault: run "sudo fdesetup add -usertoadd username" where username is the username of the user having the issue (type carefully!).
   - At the prompt "Enter the user name:" enter admin.
   - At the prompt "Enter the password for user 'admin':" enter the admin password.
   - At the prompt "Enter the password for the added user 'username':" have the user type their new password.
6. Verify the user was correctly re-added: run "sudo fdesetup list"; it should now list admin and the user with their GUIDs. Verify this is the correct username, otherwise when they reboot they won't be able to log in.

After the next restart the passwords will all match.
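The prompt confusion CasperSally describes (which password goes where) can be avoided with fdesetup's non-interactive form: `fdesetup add -inputplist` reads a plist from standard input whose top-level Username/Password are the FileVault-enabled admin and whose AdditionalUsers array names the account to re-enable. The script below is an added example (mine, not CasperSally's commands or Jamf's code) of the same remove/re-add sequence built on that form. It assumes the plist layout documented in the fdesetup man page, reads both passwords from the terminal without echo, pipes the plist over stdin so it is never written to disk, and XML-escapes the values so a password containing "&" or "<" does not break the document. Account names are placeholders; only the plist builder runs outside macOS.

```shell
#!/bin/sh
# Added example, not from the thread: remove a user from FileVault and re-add
# them with `fdesetup add -inputplist`, naming the admin and the user
# explicitly instead of answering prompts. Requires a FileVault-enabled
# admin, as the thread notes.

# xml_escape STRING: escape the five XML special characters.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
    -e "s/'/\&apos;/g" -e 's/"/\&quot;/g'
}

# fv_add_plist ADMIN ADMIN_PW USER USER_PW: the plist fdesetup expects on stdin
# for `add -inputplist` (keys Username, Password, AdditionalUsers), with
# every value escaped.
fv_add_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Username</key><string>$(xml_escape "$1")</string>
  <key>Password</key><string>$(xml_escape "$2")</string>
  <key>AdditionalUsers</key>
  <array>
    <dict>
      <key>Username</key><string>$(xml_escape "$3")</string>
      <key>Password</key><string>$(xml_escape "$4")</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# read_secret PROMPT: read a password from the terminal with echo off.
read_secret() {
  printf '%s: ' "$1" >&2
  stty -echo; read -r s; stty echo; printf '\n' >&2
  printf '%s' "$s"
}

# fv_resync_user ADMIN USER: the remove / updatePreboot / re-add / verify
# sequence from the post, driven by the plist instead of prompts.
fv_resync_user() {
  admin=$1; user=$2
  admin_pw=$(read_secret "FileVault password for $admin")
  user_pw=$(read_secret "Current login password for $user")
  sudo fdesetup remove -user "$user"
  sudo diskutil apfs updatePreboot /
  fv_add_plist "$admin" "$admin_pw" "$user" "$user_pw" | sudo fdesetup add -inputplist
  unset admin_pw user_pw
  if sudo fdesetup list | grep -q "^$user,"; then
    echo "$user is FileVault-enabled again; reboot to confirm the passwords match"
  else
    echo "error: $user is not listed by fdesetup after re-add" >&2; return 1
  fi
}

# Usage (on the affected Mac): . ./fv_resync.sh; fv_resync_user admin jdoe
```

Verify the re-added username with `sudo fdesetup list` before rebooting, exactly as the post says: a typo in the user name leaves that account unable to unlock the disk at the next boot.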

jwojda
Valued Contributor II

@hkabik Thank you for this! I do have a question though, I ran this yesterday, rebooted and everything was fine. This morning I tried to sign in from home and the FV2 authentication changed to the new password, but it got hung and wouldn't boot all the way into the system. So I powered off (hold power button) and again FV2 authenticated with the updated password but brought me to the regular 10.14.1 login and wouldn't take my new password (that had been working for about a week or two). Eventually got signed in using my previous password that FV2 had been using.

Any thoughts?

tjhall
Contributor III

It depends if it's a mobile or standard account but for mobile AD accounts I'd suggest turning off FileVault for that particular user only.

Use: sudo fdesetup remove -user (username)
Log out, then back in again with the correct and new password.
Then re-apply it in System Prefs/Security/Filevault (should have a notification that some users aren't enabled).

jhalvorson
Valued Contributor

Thanks @CasperSally. Your process worked for me with macOS 10.14.2 where an AD user changed password "outside-of-the-mac" on our web portal.