There are two methods that you can take to keep this from occurring:
1. Use the Product Policy option "Expire users who do not login" to expire users with the default password token. If the user has not rebooted and logged into Preboot for X number of hours, the preboot user account will expire requiring the user to perform an Administrative recovery with the assistance of the Help Desk. The expiry is unique to each machine meaning the user is not globally expired but rather expired only on that specific system.
2. Use the ePO Web API to inject passwords from a third party enterprise credential management utility. The commands are outlined in the MDE Scripting Guide (PD24869). This will allow you to inject users' passwords directly into the ePO database.