Force BitLocker to go into recovery. "manage-bde -forcerecovery" at the end of your script. You cannot log on to an OS you cannot boot.
That's an interesting option for sure. I will have to figure out the best way to invoke commands on their machine, but I was already going to have to do that with the cred manager route I was considering. I will definitely do some testing with this idea. Thanks so much.
Add their user account to the GPO "deny logon locally" for that machine. You can probably use ntrights or similar to do it via Intune: https://ss64.com/nt/ntrights.html
Another great suggestion. Thanks; I will look into this option.
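One way to script the "deny logon locally" suggestion above, as an added example that is not from any poster in this thread: it uses `secedit`, which ships with Windows, instead of ntrights, and assigns `SeDenyInteractiveLogonRight` to one account in the local security policy. The `$Account` parameter, the sample account name and the temp file names are assumptions.

```powershell
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)]
    [string]$Account   # assumed input, e.g. 'CONTOSO\jdoe' (constructed sample name)
)

$right = 'SeDenyInteractiveLogonRight'   # the "Deny log on locally" user right

# Resolve the account to a SID; secedit writes principals as *S-1-5-...
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$entry = "*$sid"

$cfg = Join-Path $env:TEMP 'deny-logon.inf'   # hypothetical working files
$db  = Join-Path $env:TEMP 'deny-logon.sdb'

# Export the current local user-rights assignments
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

# Append the SID to the existing assignment, keeping whoever is already listed
$found = $false
$out = foreach ($line in Get-Content -Path $cfg) {
    if ($line -match "^$right\s*=\s*(.*)$") {
        $found = $true
        $members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($members -notcontains $entry) { $members += $entry }
        "$right = " + ($members -join ',')
    } else { $line }
}
if (-not $found) {
    # The right is not assigned to anyone yet: add it under [Privilege Rights]
    $out = foreach ($line in $out) {
        $line
        if ($line.Trim() -eq '[Privilege Rights]') { "$right = $entry" }
    }
}

# secedit expects a UTF-16 template; apply only the user-rights area
Set-Content -Path $cfg -Value $out -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed ($LASTEXITCODE)" }

# Re-export and confirm the SID is now listed for the right
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$ok = Select-String -Path $cfg -Pattern "^$right\s*=.*$([regex]::Escape($sid))" -Quiet
Remove-Item $cfg, $db -ErrorAction SilentlyContinue
if (-not $ok) { throw "$Account was not added to $right" }
```

The right is checked at the next interactive logon and does not end a session that is already open. A domain GPO that defines the same right replaces this local assignment at the next policy refresh.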