Relative to the issue described in the KB article and Community Threads below (and many others), how do other organizations handle support of EEPC machines protected with pre-boot authentication? Our desktop support team members are constantly getting locked out of their accounts. They work on hundreds of machines in any year, constantly logging in and out of EEPC-protected machines, and by virtue of what they do are frequently connecting machines with outdated passwords to the network. Since EE has been like this since 2001 and the discussion around the issue has been vigorous, surely someone has taken this on at some point and succeeded.
KB66015: New token data can be overwritten by older token data after an incorrect login attempt in the preboot environment
They know how to perform the boot-once procedure if the local support account has a password problem.
Complex password enforcement and long password expiry periods are also being used. No SSO.
Ours know how to do resets, they just get sick of doing it all week long. For them it's a hassle, for the organization it's additional cost.
Part of the solution in the end was to take them off SSO (thanks for the recommendation) by changing their EE usernames so they don't match their AD usernames. I also wrote a little app which "catches" their EE password resets and runs as a service that resets their password to that same value every 20 minutes, 24/7, until the next time they change it. It requires that they use a web form on our intranet as the front end for all their password changes in EE. Inelegant, but it's working. No lockouts for two days, which has never happened before. Thanks for your help.