Some Macs in our environment are somehow in a state where no regular user account possesses a SecureToken. As such, there is no way to enable FileVault for any user, etc. etc.
Has anyone found a way to generate a new SecureToken for a system without having to erase and redeploy macOS?
I've had mixed results with this: in Terminal, run
sudo rm /var/db/.AppleSetupDone
Then reboot. This will take you through the regular setup screens as if it's a new machine. The account created should have a secure token. You can then enable SecureTokens for other users and then delete the temp account you just made.
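
Added example, not part of the original posts: a shell check to run before the last step, confirming that some account other than the temporary one holds a SecureToken, since deleting the only token holder puts the Mac back in the original state. The sample lines and the user names alice, bob and tempadmin are constructed, and the status line format and the UID >= 501 filter are assumptions about `sysadminctl` output and local account numbering.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumption: `sysadminctl -secureTokenStatus <user>` writes a line ending in
# "Secure token is ENABLED for user <name>" (or DISABLED) to stderr.

# Constructed sample of that output for three hypothetical accounts.
SAMPLE='2024-01-01 10:00:00.000 sysadminctl[501:1001] Secure token is DISABLED for user alice
2024-01-01 10:00:00.100 sysadminctl[502:1002] Secure token is ENABLED for user tempadmin
2024-01-01 10:00:00.200 sysadminctl[503:1003] Secure token is DISABLED for user bob'

# users_with_status STATE
# Reads status lines on stdin and prints the users whose token is in STATE
# (ENABLED or DISABLED), one per line.
users_with_status() {
    sed -n "s/.*Secure token is $1 for user \(.*\)\$/\1/p"
}

# safe_to_delete_temp TEMPUSER
# Reads status lines on stdin. Succeeds only if at least one account other
# than TEMPUSER holds a token, i.e. deleting TEMPUSER leaves a token holder.
safe_to_delete_temp() {
    users_with_status ENABLED | grep -v -x -q -- "$1"
}

# Collects live status lines for local accounts (assumed UID >= 501).
audit_local_users() {
    for u in $(dscl . -list /Users UniqueID | awk '$2 >= 501 {print $1}'); do
        sysadminctl -secureTokenStatus "$u" 2>&1
    done
}

# Granting a token from the temporary account is done interactively with:
#   sysadminctl -secureTokenOn <user> -password - -adminUser <tempadmin> -adminPassword -

# List accounts still missing a token: live on a Mac, sample data elsewhere.
if command -v sysadminctl >/dev/null 2>&1; then
    audit_local_users | users_with_status DISABLED
else
    printf '%s\n' "$SAMPLE" | users_with_status DISABLED
fi
```

On a Mac, `audit_local_users | safe_to_delete_temp <temp account>` returns success only once another account shows ENABLED.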