
FileVault - Some Users Weren't Added

Upon the release of High Sierra, I performed a clean install. During the install, I chose to use APFS (Case-sensitive, Encrypted). When prompted to allow users to unlock the disk, I selected my user. Later on, upon rebooting, I was able to use my user id/password to unlock the disk. However, the next reboot and since then, my user id/password does not work to unlock the disk. I must select the disk and use the disk password to unlock it.


When navigating to 'Security & Privacy,' then 'FileVault,' I noticed a small yellow triangle with an exclamation point inside. Next to it reads: "Some users are not able to unlock the disk." with an "Enable Users..." selection box. After using the enable users box, I see my user with a green circle with a checkmark inside of it. Upon clicking "Done" I'm greeted with a box stating "Some Users Weren't Added" followed by "The following users weren’t allowed to unlock this disk because an unknown error occurred: $username"


Anyone else experiencing this or know why it is happening?

Posted on Sep 27, 2017 10:23 AM

Question marked as Top-ranking reply

Posted on Oct 13, 2017 10:38 AM

Weird, so it looks like some forum mod removed my post with the solution... That's unfortunate and annoying...


There is a bug where new admin users don't have a secure token enabled which is required to gain permission to unlock a FileVault protected disk.


You can check whether a user has this permission by running this command in Terminal:

sudo sysadminctl -secureTokenStatus [username]


In my case, I had one admin user with the secure token enabled and another that didn't. The enabled user would show up in the login window after a restart; the disabled user wouldn't. This is because the disk needs to be unlocked after a restart.


When logged on as the secure token disabled admin, I would see the "Unable to add one or more users to FileVault" error when trying to add that user via System Preferences.


The steps that worked for me, and which I shared earlier are:


1. Find the user that has the secure token using:

sudo sysadminctl -secureTokenStatus [username]

(for some reason, even the new admin was not getting the token created)


2. Make the user that has the token an admin user


3. Login as that user that has the secure token enabled


4. Change the password of the admin account that does not have the token. On changing the password, the admin should now also have the secure token. Now the user will be able to log in at boot.


These steps are taken from a comment in this discussion:

https://www.reddit.com/r/MacOS/comments/74ctc0/high_sierra_adding_new_admin_user_unable_to_boot/


I think I had to restart and try to add the previously disabled admin user to FileVault before it worked for me. So consider that as "step 5".


Hope that helps you.


(Apple forum mods, if you need to modify my post to meet some post guidelines please do so. But this solution is working for people and you're not helping by removing it. Thanks.)

8 replies

Sep 27, 2017 10:59 AM in response to NothingLasts1987

If you are familiar with Terminal, then you may glean some info from the man page.


To enable or disable FileVault, or to list, add, or remove enabled FileVault users, copy and paste:


man fdesetup

On HFS+ this behaves as normal; one caveat: APFS may have broken the command line, and hopefully it gets sorted soon.

Apple Feedback http://www.apple.com/feedback/


With your same Apple ID you can sign up for a free Developer Account and start a conversation with Apple engineers.

Bug Reporter https://bugreport.apple.com/

Oct 21, 2017 4:45 PM in response to NothingLasts1987

I was able to create a new user with a valid token by running the setup wizard again.

To do that, run this command in Terminal: sudo rm /var/db/.AppleSetupDone, and then reboot.


During setup, don't sign in with your iCloud account, and make sure to check the box that allows the new user to unlock your disk.


While you're logged in as the new user, change the password of your original user. Then log into your original user and run this command in Terminal: sudo fdesetup add -usertoadd [original_username]
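As an added example (not code from any reply in this thread), the script below puts the manual steps from the top-ranking reply and the Oct 21 reply into one auditable procedure: query `sysadminctl -secureTokenStatus` for every local account, pick an account that already holds a Secure Token, use it to grant the token to the accounts that lack one, then enable those accounts for FileVault with `fdesetup add -usertoadd` and confirm with `fdesetup list`. Granting the token with `sysadminctl -secureTokenOn` (with `-adminUser`/`-adminPassword`) is assumed to be available on the installed macOS and is not mentioned on this page; the replies above got the same result by changing the password while logged in as a token holder. The status line and `fdesetup list` output shown in the comments are constructed samples. The parsing helpers are kept separate from the privileged calls so they can be exercised without sudo.

```bash
#!/bin/bash
# Added example, not from the original thread. Audits Secure Token holders,
# grants the token to accounts that lack it, and enables them for FileVault.
# Assumed, not stated on the page: sysadminctl -secureTokenOn with
# -adminUser/-adminPassword, and `fdesetup list`. Sample text is constructed.
#
# sysadminctl writes its status on stderr, e.g. (constructed sample):
#   2017-10-13 10:38:00.123 sysadminctl[812:9876] Secure token is ENABLED for user alice

# Map one sysadminctl status line to ENABLED, DISABLED or UNKNOWN.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Live query for one user (macOS only, needs sudo). stderr is merged because
# that is where the status line goes.
secure_token_status() {
    token_state "$(sudo sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Local accounts with UID >= 500: interactive users, not service accounts.
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# One "<user> <state>" line per local account.
audit_secure_tokens() {
    local u
    for u in $(local_users); do
        printf '%s %s\n' "$u" "$(secure_token_status "$u")"
    done
}

# From audit output, print the first token holder; exit 1 if there is none
# (then no existing account can grant the token, and the Setup Assistant
# route from the Oct 21 reply is the remaining option).
first_token_holder() {
    printf '%s\n' "$1" | awk '$2 == "ENABLED" { print $1; found = 1; exit } END { exit (found ? 0 : 1) }'
}

# From audit output, list the accounts that lack the token.
users_missing_token() {
    printf '%s\n' "$1" | awk '$2 == "DISABLED" { print $1 }'
}

# Usernames from `fdesetup list`; its lines look like "alice,<UUID>".
fv_enabled_users() {
    printf '%s\n' "$1" | cut -d, -f1
}

# Grant the token to $2 using token-holding admin $1. "-" makes sysadminctl
# prompt for both passwords instead of taking them on the command line,
# where they would end up in shell history and `ps` output. (Assumed syntax.)
grant_token() {
    sudo sysadminctl -adminUser "$1" -adminPassword - -secureTokenOn "$2" -password -
}

# Enable $1 for FileVault; fdesetup prompts for an already-enabled user's
# password and then for the password of the user being added.
add_to_filevault() {
    sudo fdesetup add -usertoadd "$1"
}

main() {
    local audit holder u
    audit=$(audit_secure_tokens)
    printf '%s\n' "$audit"
    holder=$(first_token_holder "$audit") || {
        echo "no local account holds a Secure Token; re-run Setup Assistant instead" >&2
        return 1
    }
    for u in $(users_missing_token "$audit"); do
        echo "granting Secure Token to $u via $holder"
        grant_token "$holder" "$u"
        add_to_filevault "$u"
    done
    echo "FileVault-enabled users now:"
    fv_enabled_users "$(sudo fdesetup list)"
}

# Run the privileged part only on macOS and only when asked: ./fv_tokens.sh run
if [ "$(uname)" = Darwin ] && [ "${1:-}" = run ]; then
    main
fi
```

Run it as `bash fv_tokens.sh run` from a session of any admin user; the password prompts come from sysadminctl and fdesetup themselves. If the audit shows no ENABLED account at all, the script stops rather than guessing, because only an existing token holder can hand out a token.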
