Yes, AD Sync happens hourly and SSO policy is enabled.

Is this happening on more then one client machine? I'll occasionally have this happen to one machine here and there and it requires a token reset.

You may try to lock and then unlock the computer after they change their password. That will push an event to the Agent to let it know it needs to update the credentials in ePO.

it happens on every newly encrypted machine. We are not comfortable in doing reset token for every machine that will be encrypted. And also we have machines that are from other region.

HAve any idea how to resolve this?

Sathish is correct. The very first time any user logs in they will have to enter in the default password or if you have this disabled in the policy they will have to create a new password that is temporary until they log into windows and the machine is synced.

Thanks for all your post.

I've tested to encrypt one test machine. Have my regular account login and activate EEPC. After successful activation, rebooted the machine. Log in with my username and my current password and it successfully booted. I'm expecting I'll be getting the same issue with other user.

My idea is, when encryption happens with netwok connectivity and activated, user's password will be synched to eepc. But when encryption started and stopped when user need to bring home the unit and encryption resumes, that's when the passwords don't sync in. And this is how offline activation works (based on eepc documentation). This is only my point of view. You can correct me if I understood the policy wrong.

Most of the user's that encountered login issues are those who bring their laptop and encryption is not yet completed. And when they arrived home or they already travel to other country, that's when I received calls for eepc login problem

If there will be any detailed or exact explanation on this, I will be very grateful.

Thanks again for all your help