Your configuration is correct.
SSO will not work if the user authenticates at the BG using WDRT/admin passphrase or LSR.
This is because PGP does not store the user passphrase in encrypted or cleartext form on the machine, which might be considered a security risk by many.
PGP will pass on the credentials to login to Windows using SSO only when the password is provided by the user.
Changing/Resetting the Windows password is solely the responsibility of the AD Admin or the User (in the case of an unmanaged environment). Once you reset the Windows password, PGP will sync it for you so that you can again authenticate at the BG using the same.