After enable SSO, at client PC, user cannot use Ctrl-Alt-Del to change password.
The error message:
"Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."
However, the new password does meet the domain password policy.
If disable SSO, users can change password through Ctrl-Alt-Del.
Does anyone know any policy setting would affect it?
Yes, it's probably password history.... They are trying to change their password to something they have already used recently and you have password history set in your GPO.
I tried many different new password that fulfill domain password policy in the GPO, but still can't.
If change password through Domain Controller, password can be changed.
Once I disabled SSO, then I can.
You need to conform to the EEPC password rules as well - if you've set them to be different from your domain, your users are going to have challenges.
History is usually the one which gets people in trouble - turn it off in EEPC if you're using password sync and let windows sort things out.
I already disable all password setting in UBP
Also, enable or disable "Synchronize Endpoint Encryption Password with Windows" in product setting policy, still can't change password.
Of course, if wanna "Synchronize Endpoint Encryption Password with Windows", have to change the password in Windows first, then the password would synchronize Endpoint Encryption password.
However, I CAN'T change password in Windows, so "Synchronize Endpoint Encryption Password with Windows" this option has no effect on my case.
The error message that your getting apears to be from windows, not mcafee eepc related. Have you checked your password restrictions in GPO? Have you tried using a different password, one that has for sure not been used before?
Of course, I tried. I tried many many many many different combination. I tried a long password with combination of uppercase, lowercase alpha, numeric, and symbolic characters. Not work.
If I disable SSO, any password combination that fulfill domain password GPO policy does work.
Also, the domain user is newly created. Never change password before.
Just crossing out the easy stuff, you may be surprised how often someone just forgets or doesn't want to try the easy steps.
Next thing is this only happening to the one user or all users?