you have to just waiting...
How are resetting the users password to a known state? if the pwd is not changed on the eepc protected machine, the change will go unnoticed.
With regards to the Domain password, users reset this themselves from their thin clients but this should still update the protected machine if they then log onto Windows on the laptop whilst connected to the domain, right? We now have to go through the encryption recovery process in ePolicy Orchestrator to reset the users password token so they can then manually set the Encryption password to the same as their domain password.
The agent is still talking to ePolicy Orchestrator because if a machine hasn't been on the network for a set amount of time it'll stop us resetting their password token and only let us do a machine recovery until they've connected to the network and the agent has 'checked in'.....at which point we can then sdo a password token reset to allow them to set the encryption password.
Also - if we build a new machine and install the EPO agent it doesn't encrypt the drive anymore.
If they change their password in Citrix, no this won't be seen by eepc (since eepc isn't running in Citrix).
the only time eepc gets to know your windows password us if you change it on an eepc protected system.