Enabling the Windows Interactive logon setting "Do not display last user name" can prevent the user from authenticating with Windows if the Symantec Drive Encryption SSO password did not sync with disk authentication.
Windows Interactive logon gets stuck in a state where it does not allow Domain logins and locks the user out of the machine.
Symantec Corporation is committed to product quality and satisfied customers. This issue is currently being considered by Symantec Corporation to be addressed in a forthcoming version or Maintenance Pack of the product. Please be sure to refer back to this document periodically as any changes to the status of the issue will be reflected here.
The known workaround for this issue is to disable the Windows Interactive logon setting "Do not display last user name". This can be done through Group Policy or on the local machine via the Group Policy editor.
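To check whether a machine currently has the setting enabled before applying the workaround, the following PowerShell audit can be run from an elevated prompt. It is an added example, not Symantec's own tooling; it assumes the policy is backed by the standard `DontDisplayLastUserName` registry value, and the function names are hypothetical.

```powershell
# Added example (not vendor code): audit the logon policy named in this article.
# Assumption: the policy is stored in the standard registry value below.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DontDisplayLastUserName'

function Get-LastUserNamePolicy {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' for the local machine.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # value absent: last user name is shown
    if ([int]$item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-LastUserNamePolicyDisabled {
    # Local change only. If a domain GPO sets this policy, the GPO value is
    # reapplied at the next policy refresh, so change it in the GPO instead.
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0 -Type DWord
}

$state    = Get-LastUserNamePolicy
$inDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

Write-Output "Do not display last user name: $state"
Write-Output "Domain joined: $inDomain"

if ($state -eq 'Enabled') {
    if ($inDomain) {
        Write-Output 'Setting is enabled. On a domain-joined machine, disable it in the Group Policy that applies it.'
    } else {
        Write-Output 'Setting is enabled. Run Set-LastUserNamePolicyDisabled to apply the workaround locally.'
    }
}
```

The script only reports by default; `Set-LastUserNamePolicyDisabled` has to be called explicitly to change the value.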
If your machine is stuck and does not allow the user to log in, power down the machine and attempt to log in again using the old password at bootguard. You should then be able to log in by selecting a user other than the PGPsso user and authenticating (this only works if Fastboot is enabled in power settings).
Alternatively, you could use a Recovery CD or Recovery USB to decrypt the machine. This will remove the encryption and the Single Sign-On functionality and allow the user to log back into the machine with valid Windows credentials.