After you upgrade DE and enable Single Sign On (SSO), Windows users observe a new McAfee shield icon. This icon is overlaid on the user's logon picture on the Windows Welcome screen and appears as follows:

Previous versions of DE display this icon only the first time the user logs on after SSO is enabled. Turning off SSO removes the shield icon.
The DE credential provider now monitors all logons, not just the first logon. The shield icon denotes that DE tries to capture logons through that credential for SSO or password synchronization.
The following is an excerpt from the DE 7.1 Update 3 Release Notes:
Under the "New Features" section:
"Detect and notify of password changes in Windows Active Directory
Drive Encryption users and Windows users are two separate entities, so changing a password in preboot changes the DE password only. Password changes made on an endpoint can be captured via DE and synchronized to the DE user. But, Windows password changes made within Active Directory can't be synchronized to the related DE user.
DE 7.1.3 can be configured via ePO policy to detect when a user’s password changes in Active Directory. Then when the event happens, a pop-up notification requests that the logged in user Lock (Win+L) and Unlock their screen. The action allows DE to capture the (new) Windows password and synchronize it to the DE password. This synchronization allows the user to log on through preboot with their (new) Windows password.
The introduction of this feature also adds the benefit of capturing SSO data for all logons, including screen unlocks. Otherwise, SSO data is captured for only the first logon after the system is turned on.
The combination of these two features makes sure that DE user passwords remain synchronized with Windows passwords always."
Under the "Enhancements" section:
"Ignore DE password rules during password sync for Single Sign On (SSO)
Making sure that Windows and Drive Encryption passwords remain synchronized can be a challenge for some customer real-world deployments. Also, when password changes take place, to manage and message users can present additional overhead. Before DE 7.1.3, the password synchronization from Windows to DE silently fails if the Windows password doesn't meet the criteria as defined in the DE User-Based Policy. With this release, DE introduces the ability to ignore the User-Based Policy password settings when synchronizing passwords from Windows to DE. This ability helps to reduce password synchronization issues and help desk calls."
The above is expected behavior and there's no policy option to disable this feature.