Removed group and single user in ePO, as I had an account on the machine. Then removed my account/profile on the machine and user in ePO again. Later added the user in ePO, logged on as my user in Windows with bypass pre-boot. Then enabled pre-boot and same error EE0F0001. No pre-boot-auth for me.
Finally the problem is solved after that long time. Tier3 Support did a remote session and removed my user and multiple token data from the ePO-database. Thanks Dennis from Holland. So I encrypted a new machine, rebooted, accessed PBA with the initial password and then changed it to my domain password and booted. SSO works too, after Windows created my profile. Rebooted a couple of times now and can't believe it.
Will try it with 2 other users now.
The problem appeared when I switched from patch1 to patch2. My guess is, it was the wrong AD-Sync before. Same user, as only one exists in domain, and two different syncs. I changed the LDAP-sync settings too, as SSO did not work, because at PBA we had to use first name (space) name and at Winlogon the AD-username.
See the attached image. The first two users (id1 and 2) are the users with the problem. But I'd like to mention that id31 has had the same problem one day after setting up, and it was not present with patch1. No idea what went wrong with this user, but problem was solved the same way.
UserID 1 and 2 are now no longer in the database, they have now ID89 and 90.
The only thing I see from the screenshot is the same TokenUUID beginning with 104. From this understanding the users with ID6 and 13 should have the same problem too. Those 2 users do not use EEPC till now, but belong to an assigned AD-group and are therefore synced already.
Maybe you can see something from the screenshot and find out what caused the problem.