This article explains how to identify the cause of a login issue related to a password, resolve the situation (remotely or locally), and prevent future incidents.

Identify common causes

Login issues can be caused by:
  • A forgotten password after a period of inactivity or a recent change.
  • A typing error related to the keyboard layout (e.g., switching from AZERTY to QWERTY).
  • A change in security policies (complexity, length, or rotation requirements).
  • A SecureToken issue on macOS — some password prompts at the login screen are actually requesting a SecureToken-enabled account, not the user’s regular login password.

Diagnose and secure

Avoid repeated login attempts

Important: Ask the user not to attempt multiple incorrect logins. On macOS, several failed attempts may trigger Recovery OS, making password recovery more complex.

Verify password entry with the user

  1. Ask the user to type the password in a visible field (for example “Username”) to check the characters entered.
  2. Check the keyboard layout and input language:
    • macOS: System Settings → Language & Region → Input method
    • Windows: Settings → Time & Language → Language & Region

Check the applied password policy

Administrators can define security policies (complexity, renewal frequency, rotation, etc.). In Primo, go to Settings → Security → Password policies and confirm the rule applied to the user’s device. A recent policy may have required a password change.

Check SecureToken status (macOS only)

On macOS, some login prompts — particularly when unlocking FileVault, using admin-level features, or after a policy change — are actually requesting a SecureToken-enabled account, not the regular login password. A user may have the correct password but still be blocked if their account does not have a SecureToken, or if they are being prompted for a different (admin) account that holds the token. To check SecureToken status on the device:
  1. Open Terminal on the Mac.
  2. Run:
    sysadminctl -secureTokenStatus <username>
  3. The output will show SecureToken is ENABLED or SecureToken is DISABLED for that user.
If SecureToken is disabled:
  • An admin user with SecureToken can grant it to another user:
    sysadminctl -secureTokenOn <target_username> -password <target_password> -adminUser <admin_username> -adminPassword <admin_password>
  • Alternatively, you can use MDM → Profiles → Admin User Management to ensure a bootstrap admin account with SecureToken exists on all devices.
SecureToken is required for FileVault unlock and for granting other users permission to unlock encrypted volumes. If a user cannot unlock FileVault even with the correct password, SecureToken is the most likely cause.
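The following POSIX shell script is an added example and is not part of this article or of Primo's tooling. It wraps the sysadminctl check above so that several accounts can be audited at once and the ones that cannot unlock FileVault (SecureToken disabled) are listed. It assumes that sysadminctl writes its status line to stderr (hence the 2>&1), that the status line contains the keyword ENABLED or DISABLED, and that sysadminctl accepts "-" in place of a password to prompt for it interactively. The sample outputs embedded in the script are constructed, not captured from a device, so the script also runs on a host without sysadminctl.

```shell
#!/bin/sh
# Added example: audit SecureToken status for local macOS accounts.
# Assumptions (not from the article): sysadminctl prints to stderr; the status
# line contains ENABLED or DISABLED; "-" as a password value triggers a prompt.

# Reduce one sysadminctl -secureTokenStatus output to ENABLED, DISABLED or UNKNOWN.
# DISABLED is tested first so the substring match cannot be fooled by wording.
parse_secure_token_status() {
    case "$1" in
        *DISABLED*) echo DISABLED ;;
        *ENABLED*)  echo ENABLED ;;
        *)          echo UNKNOWN ;;
    esac
}

# Emit one "user|raw sysadminctl output" line per account name given as an
# argument. Off macOS the command is absent, so a placeholder line is emitted
# and the account will be reported as UNKNOWN rather than breaking the script.
collect_statuses() {
    for user in "$@"; do
        if command -v sysadminctl >/dev/null 2>&1; then
            printf '%s|%s\n' "$user" \
                "$(sysadminctl -secureTokenStatus "$user" 2>&1 | tr '\n' ' ')"
        else
            printf '%s|sysadminctl not available on this host\n' "$user"
        fi
    done
}

# Read "user|output" lines on stdin and print the accounts whose SecureToken is
# DISABLED: these are the users who cannot unlock FileVault even with the
# correct password. UNKNOWN results are skipped, not reported as disabled.
accounts_without_token() {
    while IFS='|' read -r user output; do
        [ -n "$user" ] || continue
        if [ "$(parse_secure_token_status "$output")" = DISABLED ]; then
            echo "$user"
        fi
    done
}

# Grant a SecureToken from an admin account that already holds one. Both
# passwords are given as "-" so sysadminctl prompts for them instead of taking
# them from the command line, where they would land in shell history and be
# visible in the process list while the command runs.
grant_secure_token() {
    sysadminctl -secureTokenOn "$1" -password - -adminUser "$2" -adminPassword -
}

# Constructed sample outputs (not real device output) used when sysadminctl is absent.
SAMPLE_OUTPUTS='alice|Secure token is ENABLED for user alice
bob|Secure token is DISABLED for user bob
carol|no such user'

# Demo: on a Mac, audit the current account; elsewhere run the constructed sample.
if command -v sysadminctl >/dev/null 2>&1; then
    collect_statuses "$(id -un)" | accounts_without_token
else
    printf '%s\n' "$SAMPLE_OUTPUTS" | accounts_without_token   # prints: bob
fi
```

On a managed Mac, run `collect_statuses alice bob | accounts_without_token` (with `sudo` if the account being queried is not your own) to get the list of users to fix, then `grant_secure_token bob adminuser` for each of them; the prompting form keeps both passwords out of the shell history that the inline command shown in the article would leave behind.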

Reset the password

Choose the appropriate option based on the device status.

Option 1 — Renew the password remotely from Primo

Requirements:
  • You are an administrator of your company space.
  • The device is enrolled in the MDM.
  • The device is powered on and connected to the internet (Online).
  • An administrator session exists on the device.

Option 2 — Use the linked Apple or Microsoft account

If an account is linked to the device, follow the vendor’s procedure:
  • macOS: Sign in with the iCloud account (see the Apple guide)
  • Windows: Sign in with the Microsoft account (see the Microsoft guide)

Option 3 — Unlock with the recovery key (FileVault / BitLocker)

Requirements:
  • The device is enrolled in the MDM.
  • The device is not connected to the internet or is not communicating with the MDM.
  • Encryption is enabled (FileVault on macOS / BitLocker on Windows).
  • The recovery key is synchronized.
Actions:
  1. Retrieve the recovery key from the device record in Primo → Information → Recovery key.
  2. Unlock the session locally using this key.
  3. Set a new password.

Option 4 — Fully reset the device

If none of the previous options work, the only solution is to fully reset the device. Warning: this process will erase all local data.

Prevent future incidents

To avoid future password-related login issues, implement the following actions:
  • Enable device encryption and ensure that each recovery key is properly stored.
  • Automatically create an administrator session on devices via MDM → Profiles → Admin User Management.
  • Plan and communicate security policy changes to your teams (effective date, complexity requirements).
  • Inform users ahead of any global password renewal.

Summary

If a user experiences a password-related login issue:
  1. Verify the password input and keyboard layout.
  2. Check the applied password policy.
  3. Choose the correct option: remote renewal, recovery key, or linked account.
  4. Implement preventive measures (encryption, admin session, policy communication).
The password-related login issue is now resolved.