After you upgrade DE and enable Single Sign On (SSO), Windows users observe a new McAfee shield icon. This icon is overlaid on the user's logon picture on the Windows Welcome screen and appears as follows:

Previous versions of DE display this icon only at the first time the user logs on after enabling SSO. Turning off SSO removes the shield icon.
 

The DE credential provider now monitors all logons, not just the first logon. The shield icon denotes that DE tries to capture logons through that credential for SSO or password synchronization.

The following is an excerpt from the DE 7.1 Update 3 Release Notes:

Under the "New Features" section

"Detect and notify of password changes in Windows Active Directory
Drive Encryption users and Windows users are two separate entities, so changing a password in preboot changes the DE password only. Password changes made on an endpoint can be captured via DE and synchronized to the DE user. But, Windows password changes made within Active Directory can't be synchronized to the related DE user.

DE 7.1.3 can be configured via ePO policy to detect when a user’s password changes in Active Directory. Then when the event happens, a pop-up notification requests that the logged in user Lock (Win+L) and Unlock their screen. The action allows DE to capture the (new) Windows password and synchronize it to the DE password. This synchronization allows the user to log on through preboot with their (new) Windows password.

The introduction of this feature also adds the benefit of capturing SSO data for all logons, including screen unlocks. Otherwise, SSO data is captured for only the first logon after the system is turned on.

The combination of these two features makes sure that DE user passwords remain synchronized with Windows passwords always."

Under the "Enhancements" section