Problem: 

A user changes their AD password when it is expiring. After the AD password has been changed, WPS (Windows Password Sync) is no longer working.
When the WPS issue occurs, the user is unable to login to Preboot with their old password and the recovery password must be used.

Example:

  1. A user is asked to change their Windows password because it has expired.
  2. The user enters a new password that is rejected by AD because of password complexity or history rules.
  3. The user then enters another new password that is accepted by AD and becomes their Windows password. At this time, neither the old password nor the new Windows password can be used to unlock the drive.
Solution: 

There is a bug in Microsoft winlogon.exe that sends the invalid Windows password to synchronize to the drive.

Apply the Microsoft hotfix so TDM will not get invalid Windows passwords anymore. Then, reset the user password in ERAS and allow the user to re-sync their AD password to the drive.
The hotfix and more information are available at: http://support.microsoft.com/kb/2468353.  
Applying the hotfix prevents future WPS problems but does not fix the users’ password that has already been synchronized to the invalid Windows password.