We have a number of systems where we currently have Drive Encryption Preboot Authentication Disabled but the drives are encrypted. We now want to enable PBA on these systems but the user accounts on them are expired because the users never set passwords on their accounts. We have the "Expire users who do not login" option enabled in the DE password policy.
Is there a way where we can unexpire these accounts, without using an Administrative recovery, so that users would be able to use the temporary password to set up their account? If that is not the case, is there a way that we could effectively delete the account from the workstation or ePO, while leaving the drive encrypted, so that the account would resync and allow the user to perform their account setup?
Effectively we are trying to avoid having to do Administrative recoveries on 30+ machines just so that the end user can set up their DE account before we enable PBA.