We want to push an encryption policy that does both "management Account"
and "current or next user" functionality. We want the user to be the
only one to decrypt the device, but if they forget their password or
something else happens, we want to be a...