UPDATE: 01/22/20 – This problem was reported as FIXED in the latest Mojave 10.14.6 Security Update 2019-002 (18G2022) & Catalina 10.15.2 Update. The fixed T2 BridgeOS version is 17.16.12551. Apple did not list the fix in the 10.15.2 or 2019-002 Security Update notes but DID put them in the AppleSeed 10.15.2 Beta 2 Update Notes. I can’t post them here, but you can check the AppleSeed Patch Notes portal or you can contact Apple Support to confirm if you need further information.
Final Verdict – After further investigation, the problem was NOT the user’s fault. After more users reported what happened during the update I found that the update stalled out during the BridgeOS update phase. The black screen is only supposed to last 2-5 minutes. In reality, the update stopped and the Mac would be on the same black screen for up to 1 hour. The user had NO CHOICE but to shut down the Mac. By that time it was already too late.
Users are Unable to Unlock FileVault 2 if the Mojave 2019-001 Security Update is Interrupted.
This issue was first reported about one month ago on the MacAdmins Slack. It was reported that after some users installed the Mojave 10.14.6 Supplemental Update #3, they were unable unlock their Mac with the FV2 Password or PRK. The issue was not widely reported though so it was thought to be a fluke.
Mojave 2019-001 Security Update
All this changed when the Mojave 2019-001 Security Update was released. MacAdmins started to report the problem again.
I have a Mac that just finished installing the 2019-001 Security Update. I can’t get past the FileVault 2 screen with the password or Personal Recovery Key.
MacAdmin User Report
More and more MacAdmins are starting to report this devastating 2019-001 FileVault can’t login issue.
Who, What, When, Where & Why Index
- 1. Affected Mac Hardware = T2 Machines
- 2. Affected macOS Build Versions UPDATE!
- 3. FileVault 2 Encrypted Machines Only. UPDATE!
- 4. Evidence? Reports of a Black Screen Followed by User Power Off
- 5. Can’t Login with FV2 Password or PRK
- 6. Investigation – Encrypted: ERROR -69808 – Confirmation?
- 7. Workarounds?
- 8. Should I block this update?
- 9. Will Apple fix this issue?
- 10. Issue Links
- 11. Credits
1. Affected Mac Hardware = T2 Machines
I have looked over many reports on the Apple Discussion Forums and MacAdmins Slack Chat and Jamf Nation Posts. It looks like only T2 Equipped Machines.
- 2019 MacBook Air
- 2018 MacBook Air
- 2019 15″& 13″ MacBook Pro
- 2018 15″ & 13″MacBook Pro
- 2018 Mac Mini
- 2017 iMac Pro
2. Affected macOS Build Versions
This issue affects the following macOS Updates.
- (18G103) Mojave Supplemental Update #3 – 9/26/19
- (18G1012) Mojave Security Update Released on 10/29/19
- (17G9016) High Sierra Security Update 2019-006 – 10/29/19
- (17G9016) High Sierra Security Update 2019-005 – 9/26/19
3. FileVault 2 Encrypted Machines Only. UPDATE!*
UPDATE! – We now have two separate reports of this happening when the Mac is NOT FV2 Encrypted.
If your Mac is unencrypted you should be fine.
* I have not seen any reports as of 11/09/19, that include a T2 Mac that was not encrypted.
4. Evidence? Reports of a Black Screen Followed by User Power Off
After the reports started to roll in, we started to investigate. One of the common threads is that users reported a problem with the update during the install.
- Black Screen – Users reported that the Mac looked like it powered down. They would try to power it back on, interrupting the install process.
- Black Screen with Apple Logo & Progress Bar Stuck – While the Update was installing, some users have reported that the update hung or stalled out. This was followed by a power down.
5. Can’t login with FV2 Password or PRK?
After the user powered down the Mac, they reported the following.
- Can’t login past FileVault 2 with my Password.
- Can’t boot the Mac up with the PRK.
In this situation the Mac is unable to boot up at all. The only thing that the user can do is boot to the Recovery Partition or Internet Recovery.
6. Investigation – Encrypted: ERROR -69808 Confirmation?
After booting to the Recovery Partition we tried to first mount the disk.
This did NOT work!
You can confirm the issue by typing in diskutil ap list
Volume disk4s1
| ---------------------------------------------------
| APFS Volume Disk (Role): disk4s1 (No specific role)
| Name: Macintosh HD (Case-insensitive)
| Mount Point: Not Mounted
| Capacity Consumed: 171872342016 B (171.9 GB)
| Encrypted: ERROR -69808
We would expect that the Encrypted status line should be:
FileVault: Yes (Unlocked) or FileVault: Yes (locked)
Note the Encrypted line. It should say LOCKED or UNLOCKED. Instead you get ERROR -69808
xartutil CLI Binary
You can also use the xartutil binary to check for the Encryption Keys.
xartutil --list
You should see 2 entries listed = This is a normal output
Total Session Count: 2
If you see
xartutil: ERROR: No supported link to the SEP Present = Not a T2 Mac
If you see
Total session count: 0 = The Encryption Keys are Lost.
7. Workarounds?
Currently no known workaround is available.
We have tried multiple things.
- Mounting the disk in the Recovery Terminal
- Mounting the disk in Disk utility
- Target Disk Mode
8. Should I block this update?
After Reviewing Multiple Reports, the issue only looks to have affected a small number of users. One MacAdmin said out of 150 machines, the issue only affected 2 of them.
I tested this issue out on a 2018 MacBook Pro.
- Powered Off during the first Black Screen.
- Powered Off during the second Black Screen
- Powered Off during the first Security Update Progress Bar
- Powered Off during the second Security Update Progress Bar
The BridgeOS Update and the 2019-001 Security Update installed successfully!
If you move forward with the update you can ask users not to interrupt the install process.
9. Will Apple fix this issue?
The black screen BridgeOS update process has been around since 2018. Something must have changed in the 2019-001 Security Update.
If you have this issue please report it to Apple ASAP.
10. Issue Links
TidBits – Adam Engst
https://tidbits.com/2019/11/06/dont-interrupt-security-update-2019-001-mojaves-installation/
Apple Discussion Form
- https://discussions.apple.com/thread/250807273
- https://discussions.apple.com/thread/250805525a
- https://discussions.apple.com/thread/250823769
Jamf Nation
11. Credits
- Jamf Nation User jhalvorson for the
diskutil ap listoutput - Jamf Nation User franton for the xartutil command.
- All MacAdmins Slack users who answered multiple questions that I had since I do not have a problem Mac to test with.
12. Contact Me
Please Contact Me if you have more information on this issue.
2019-001 FileVault can’t login
