are the calls simply forgotten passwords? If so, I can't see how that can be attributed to any patching.
You do realize that even if you reset their pre-boot password, if you're using SSO, EEPC still knows the "correct" Windows password, so will keep relaying that until it expires?
I would grab a client log and see if there's anything reported.
Thanks for the response. Patching isn't the cause but it is the only time we 'force' users to reboot so our investigations have shown many of the users only end up rebooting at that time and hence run into the login prompt (and putting a high strain on the help desk the next morning).
I am aware the credentials are still cached since we are using SSO but the user still needs to know their password to access a number of other resources we have. I can put some more thought into how to verify the user has actually forgotten the password vs something going wrong with the system. I'd like the think it was just users forgetting theiir password but its hard to prove this one way or the other. I've pulled many client logs and have found a few issues but the majority are clean.
It would be helpful for us to hear if this is a common situation or if we have a technical issue that needs to be addressed. Since EEPC is so visible to the end user it gets blamed a lot.
take a look at the audit for one of the recovered users - look for change password events and logon events - if you see a bunch of incorrect password attempts, after a successful login attempt, with no change in the middle, you know it's a Keyboard-Chair interface issue.