I have a new EEM 5.2.5 & EEPC 5.2.5 environment with Windows XP & Windows 7 test systems.
When I attempt to log on to a Windows 7 system with SSO enabled, everything works fine when the EEPC and Windows domain passwords match. However, if the user password gets reset somewhere other than on the Windows 7 machine (by helpdesk, through Active Directory Users & Computers, or through a self-service website we use) then the next PBA SSO login hangs at a Windows screen that looks like the Credential Provider, but has no place to enter any data. At the EEPC Pre-boot screen I enter my username and old password. This gets past the PBA and begins the Windows boot-up process. At the point where I would expect the automatic user login to happen, I don't see any username/password/domain boxes and the process just hangs. The only options on this screen are a blue icon on the lower left (the Ease of Access button) and a red icon on the lower right (shutdown and selector for sleep, restart, shutdown). I have Windows logon options 1, 2, 4, 6, & 7 selected for the Windows 7 system (a display of this is attached in a PDF file).
Now for the stranger part. While messing around with this, I managed to get around this by entering the username and old password at the PBA screen and selecting the "change password" box. I was prompted to change my password and I set it to the "new" Windows-side password. The system started up but displayed a Windows login error and then displayed the Windows login screen. I was able to log in to Windows at this screen and the PBA updated my credentials. This is more than I could expect normal end-users to follow.
I have another system running Windows XP that does not have the problem. On that system, when the PBA-entered credentials don't match Windows, it just prompts me to enter my Windows login information and updates the PBA credentials.
Thanks in advance for any assistance.
I called the tech support guys and found out that the 5th item in the Windows Logon options is also required for SSO. After enabling item 5 "Endpoint Encryption logon component always active" and re-running my test, everything is working as expected on Windows 7. A new message stating the login password was invalid is displayed on what had been the blank (credential provider) screen, along with an OK button. Clicking on OK takes me to the Windows login screen. Enter the new Windows credentials and I'm into Windows and the Pre Boot information gets updated.
So, it looks like the necessary options for Windows 7 SSO are 1, 2, 4, 5, 6, 7. Windows XP seems to work fine with option 5 enabled or disabled, but tech support said that it should be enabled.