Cancelling an unwanted FileVault deferred enablement
There are sometimes occasions when FileVault deferred encryption has been enabled for a particular Mac and then needs to be turned off. Since FileVault is not yet turned on at this point, there is no obvious way to turn off this deferred enablement.
However, it is possible to turn off a deferred enablement if needed. For more details, please see below the jump.
Detecting if a deferred enablement is active
A. Using the fdesetup command line tool
To check for a deferred enablement using the fdesetup command line tool, run the following command:
fdesetup status
If a deferred enablement is active, it should report this along with identifying the enabled user (if one has been selected.)
B. Checking for /Library/Preferences/com.apple.fdesetup.plist
When a deferred enablement is active, a com.apple.fdesetup.plist file should be present in /Library/Preferences. This file will identify the path of the plist file which will store the the recovery key information, along with identifying the enabled user (if one has been selected.)
The contents of the file should appear similar to what is shown below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>FileVault</key> | |
| <dict> | |
| <key>Defer</key> | |
| <true/> | |
| <key>OutputPath</key> | |
| <string>/path/to/recovery.plist</string> | |
| <key>Usernames</key> | |
| <array> | |
| <string>username</string> | |
| </array> | |
| </dict> | |
| </dict> | |
| </plist> |
Turning off a deferred enablement
To turn off an active deferred enablement, please use the following procedure:
1. Run the following command with root privileges.
fdesetup disable
Note: The fdesetup output will report that FileVault is already off and not mention anything about the deferred enablement.
2. Reboot the Mac.
3. After the reboot, run the following command:
fdesetup status
It should report the FileVault is off and not include information about a deferred enablement.
This procedure should also remove the /Library/Preferences/com.apple.fdesetup.plist file. If the com.apple.fdesetup.plist file is still present following the reboot, remove the /Library/Preferences/com.apple.fdesetup.plist file and reboot again.
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
You’re the best. Instructions to ditch the deferred enablement worked like a charm.
It disabling this deferred enablement but after few logins it appears again ;(((((
@Aleksandr – make sure the user account is not a “mobile account”. I was running into this issue and ran the script here: https://derflounder.wordpress.com/2016/12/21/migrating-ad-mobile-accounts-to-local-user-accounts/ . The FV2 encryption finally was able to finish without error.