FileVault not enabled on one macOS device – user locked out without recovery key (Solved)

Participant
Discussion
1 week ago May 11, 2026

Hi everyone, 

We’re currently investigating an issue with a macOS device, a MacBook Air M4, where the user is locked out after forgetting their password. We tried recovering access using a FileVault recovery key, but surprisingly FileVault is showing as disabled, no recovery key is available in Hexnode and device status shows “not encrypted.” What’s confusing is that the same policy has worked perfectly on all other macOS devices — FileVault is enabled and recovery keys are escrowed as expected. 

Has anyone seen something like this before? Why would FileVault fail on just one device like this? 

Replies (6)

Participant
1 week ago May 11, 2026

Yeah, this usually means FileVault never actually kicked in on that device. 

Even if the policy shows as applied, macOS won’t enable FileVault unless everything lines up properly, especially on Apple Silicon Macs. A big one is the secure token thing. 

If the user account on that Mac didn’t get a secure token (can happen depending on how the device or user was set up), FileVault just won’t turn on. So, the policy kinda “sits there,” but nothing really happens. 

That would also explain why you’re not seeing any recovery key. 

Participant
1 week ago May 11, 2026

Also, could just be bad timing tbh. 

Like if the device was offline, or it didn’t check in properly after the policy was pushed, or even if the user skipped something, FileVault might’ve never started. 

And yeah, sometimes macOS still expects the user to click through something to finish encryption. If that didn’t happen, it just stays off. 

Participant
1 week ago May 12, 2026

That makes sense. But what’s still confusing is, if FileVault is disabled, why is the device completely inaccessible? Shouldn’t we still be able to reset the password somehow? 

Hexnode Expert
1 week ago May 12, 2026

Hi all! 

@sutton, this behavior can appear confusing at first, but it is primarily due to how macOS handles security at a system level. 

Even if FileVault is reported as disabled in the console, the device can still be inaccessible due to other security layers on modern Macs. On Apple Silicon devices like the MacBook Air M4: 

  • The storage is always hardware-encrypted using the Secure Enclave. 

  • FileVault mainly adds user-level unlock + recovery key escrow. 

So, if the user password is forgotten and no recovery key was generated, the system has no way to unlock the encrypted data — even if FileVault wasn’t fully enabled via policy. 

There are also a few other possibilities that can contribute: 

  • The device might be affected by a Secure Enclave lock state after repeated failed logins. 

  • A firmware or recovery restriction could be in place. 

In some edge cases, OS update issues can interrupt FileVault setup or recovery key rotation. 

Best Regards, 
Isabel Lora 
Hexnode UEM 

Participant
1 week ago May 12, 2026

So basically, even though Hexnode shows “FileVault disabled,” the device can still behave like it’s locked at a deeper level? 

Hexnode Expert
1 week ago May 12, 2026

Exactly. The console reflects what was successfully reported back, but the actual on-device state can differ if the process never completed. 

At this point, the best way to confirm the real encryption status is from the device itself. 

You can try this: 

1. Boot the Mac into macOS Recovery (press and hold the power button) 

2. Open Terminal from the Utilities menu 

3. Run:

This will tell you whether FileVault is actually enabled locally or not. 

You can also refer to Apple’s official guidance here: Apple FileVault Recovery Guide.  

Best Regards, 
Isabel Lora 
Hexnode UEM 
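
The secure token and unfinished-enablement causes raised in the replies above can be checked on a Mac that is still logged in, before anyone is locked out. The script below is an added example, not part of the thread or Hexnode's tooling; `classify_fv` is a hypothetical helper, and the output strings it matches from `fdesetup status` and `sysadminctl -secureTokenStatus` are assumptions about those tools' wording.

```shell
#!/bin/bash
# Output strings matched below are assumptions about the macOS tools' wording.

# classify_fv <fdesetup status output> <sysadminctl -secureTokenStatus output>
# Prints one of: ok | deferred | fv_off | no_token | unknown
classify_fv() {
    fv_out=$1
    token_out=$2
    case "$token_out" in
        *"Secure token is ENABLED"*)  token=yes ;;
        *"Secure token is DISABLED"*) token=no ;;
        *) echo unknown; return 0 ;;
    esac
    case "$fv_out" in
        *"Deferred enablement"*) fv=deferred ;;  # waiting on the user to finish
        *"FileVault is On"*)     fv=on ;;
        *"FileVault is Off"*)    fv=off ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$token" = no ]; then
        echo no_token   # this account cannot turn FileVault on
    elif [ "$fv" = on ]; then
        echo ok
    elif [ "$fv" = deferred ]; then
        echo deferred   # policy arrived, enablement never completed
    else
        echo fv_off     # token present, encryption never started
    fi
}

# Live check: only runs where both macOS tools exist.
if command -v fdesetup >/dev/null 2>&1 && command -v sysadminctl >/dev/null 2>&1; then
    user=${1:-$(id -un)}
    fv=$(fdesetup status 2>&1 || true)
    tok=$(sysadminctl -secureTokenStatus "$user" 2>&1 || true)
    echo "$user: $(classify_fv "$fv" "$tok")"
fi
```

Any result other than `ok` on a device whose console shows the policy as applied is worth following up while the user can still sign in.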
