When deploying a new Mac using ADE, the user first login with their Azure AD account then they get a prompt to change their temp password so they choose a new password and verify it, after that they get this window :
They enter the new password they have chosen and hit "Create account" !! isn't weird that they are getting this!!?
Also if they reboot their Mac, you know they need to enter first their FV password to unlock the disk but it doesn't work !!! I had to use PRK to unlock the disk then I got JC login window, entered the password they've chosen and booom they logged in !
so it seems we have an sync issue between FV password and local account password!
to solve it I had to go to Users and Groups preference pane and changed the password to something else and rebooted the Mac, it worked!
So this is happening i think because when the account signed in first using JC login window with Azure, the user got prompted to change their temp password. when their change it they can login but they can't unlock the disk "even if they have a secure token"
What is the solution for that? how can I avoid this from happening?
I have not tested this specifically, but in the past macOS has not liked temp passwords. There is a chance that the temp password change is breaking something in the workflow between creating the account and making a FV token.
My suggestion is to defer FV enablement, and allow the user to enable FV after 3 logins or whatever number works for you guys. This will allow the temp password be changed and to sync to the macOS keychain before FV is even enabled.