The personal recovery key, generated when FileVault is enabled, must be escrowed in MDM to allow password resets on an encrypted Mac. The macOS Security Overview states, "For MDM-managed devices, the personal recovery key can be escrowed to enable password resets or disk unlocking by an administrator." Option B is an older method, C is an authentication credential not escrowed for this purpose, and D is for updates, not password resets.
References: macOS Security Overview, "FileVault Management" section; Apple Platform Deployment Guide, "FileVault and MDM" section.