When SSO fails and you are left at the Windows 7 login screen:
1) do the Credential Tiles have the McAfee shield overlay on them?
2) do you have a Credential Tile for the last logged on user?
3) comparing the SSO that should happen at first logon (after a system boot) and subsequent logons / unlock - do they work / fail in the same ratio?
4) have you tried disconnecting the machine from the network to test if it is 'something' being synched to the machine that is affecting the SSO?
When I'm left at the Windows login screen, there are two icons (default Windows ones) -- one is "Other", and it just an empty blue box, which I need to click on in order to enter a username/password into the text boxes, and the other is something like "Smart Card", which we don't use, and has the default Win 7 smart card logo. There are no users with shields. I'm not sure what you're asking in number 2, but if you're asking if the last login user is listed on that screen, no.
My personal machine has always been in an undocked but on the network state. Other test machines, that are failing in the same ratio, are both docked and undocked, but have always been on the network.
I'm not sure what test scenario you're suggesting in #4 - should I sync, then disconnect from all networks and test SSO a few times?
Given the policy you have enabled (require EE logon and SSO), the combination of the absence of a Credential Tile labelled "Switch McAfee EE User" and absence of the McAfee shield overlay on the Credential Tiles you do see indicates that the EEPC Credential Provider isn't active at this logon. In question 3 above, I was really asking 'does the SSO fail only at the first logon after turning the machine on, or can it also fail when you logoff / re-logon or lock / unlock Windows?".
Do you know if you have any other 3rd party Credential Providers installed?
Thanks Ged, there are no 3rd party credential providers installed - the build is Vanilla Windows 7, with SP1 applied, and Office 2010 installed. There are some other insignificant changes such as backgrounds, etc. that shouldn't make a difference. SSO never works on the first login, but I'm told that's by design. After that, there's no consistency in when it works or doesn't (any obvious one anyway), I reboot and it works, then I reboot again and it doesn't the next few times, and then I reboot and it works again.
With the policy you've got, once you have logged onto Windows (it doesn't matter if the SSO worked or you had to do this yourself), if you then logoff or lock Windows, you should get prompted to do an Endpoint Encryption logon. With that complete, you should then be SSO'd into Windows. Does this work for you or do you get intermittent success / failure with this 're-logon' SSO behaviour?
BTW are you using 32 or 64 bit Windows 7?
Some more info about my last post. Here are the credential providers installed. Also on our image is PowerBroker from BeyondTrust, which isn't a credential provider, it's used to elevate applications rights by policy.
Smartcard Credential Provider
Smartcard Pin Provider
WinBio Credential Provider
When I lock my machine, I get the McAfee lock screen and the "Unlock SSO" works 100% of the time.
We're 100% 32-bit.