Error EE0F0001 is a result of an invalid authentication attempt. After 3 invalid attempts the system will go into password entry disabled mode with a timeout, each additional incorrect login attempt the timeouts double. This is by design.
Your users should be able to use self recovery when they get locked out. Either by security questions or smartphone. Are they not able to self recovery?
Also please note the way passwords work in MDE. This may be causing some confusion. MDE
Overview
MDE passwords are separate from AD passwords. The system is Encrypted systems are configured to "sync" your a user's AD password to MDE once authenticated to the domain.
| Info |
|---|
For example, if a |
...
user's AD password is pass1 and sets their MDE password to pass2. pass2 will allow them to |
...
log in to MDE pre-boot authentication (PBA). At the windows login prompt user then enters pass1 (their AD password) and successfully |
...
authenticates to AD. Once this occurs pass1 overwrites their MDE password pass2. pass2 will no longer work for MDE PBA. If |
...
user attempts to use pass2 for MDE PBA |
...
the account will lock with timeouts. |
...
To resolve password and account lockout issues. Use self-recovery and set the MDE password to the current AD password to avoid confusion.
If self-recovery is not possible use administrative user recovery.