There are sometimes occasions when FileVault deferred encryption has been enabled for a particular Mac and then needs to be turned off. Since FileVault is not yet turned on at this point, there is no obvious way to turn off this deferred enablement.
However, it is possible to turn off a deferred enablement if needed. For more details, please see below the jump.
Detecting if a deferred enablement is active
A. Using the fdesetup command line tool
To check for a deferred enablement using the fdesetup command line tool, run the following command:
fdesetup status
If a deferred enablement is active, it should report this along with identifying the enabled user (if one has been selected.)
B. Checking for /Library/Preferences/com.apple.fdesetup.plist
When a deferred enablement is active, a com.apple.fdesetup.plist file should be present in /Library/Preferences. This file will identify the path of the plist file which will store the the recovery key information, along with identifying the enabled user (if one has been selected.)
The contents of the file should appear similar to what is shown below:
Turning off a deferred enablement
To turn off an active deferred enablement, please use the following procedure:
1. Run the following command with root privileges.
fdesetup disable
Note: The fdesetup output will report that FileVault is already off and not mention anything about the deferred enablement.
2. Reboot the Mac.
3. After the reboot, run the following command:
fdesetup status
It should report the FileVault is off and not include information about a deferred enablement.
This procedure should also remove the /Library/Preferences/com.apple.fdesetup.plist file. If the com.apple.fdesetup.plist file is still present following the reboot, remove the /Library/Preferences/com.apple.fdesetup.plist file and reboot again.
