MacOS Active Directory User and FileVault password out of sync

[Div]

Hello!

we are trying to manage MacOS via Workspace One and currently got a problem with the FileVault and Active Directory user. If we change our password on a windows pc, the user needs to fill in the old password for FileVault and the new one to be able to login. How can we fix this?

Thanks in advance!

[Patrick Gallagher]

The FileVault password is never going to update itself, it's always going to require user intervention. But you should move away from binding your Macs to AD and instead use the Apple Kerberos Single Sign-on extension. This will allow you to use local accounts, which are synced to AD.  The Kerberos extension would pick up that the passwords don't match and will prompt the user to sync. 

Binding to AD is no longer recommended by Apple. 

[Hao Xu]

My user used the single sign-on extension of Apple Kerberos to synchronize the AD password to the local password. However, once the user forgot the local password and AD password of his computer, which caused him to fail to log in to the system. When I logged in with the hidden administrator created by DEP, I could not change the password of the user's local account. The device is not logged in to the Apple ID, is there any other way to help the user reset the password?

[Zombie]

Stop binding your macs to AD. Apple hasn't recommended this in years. You should use something such as PSSO or even a method such as xcreds or Jamf Connect.