Typically, no.
If you run into a situation whereby you've had to change a user's password via a different channel (like through AD), then SEE should pick up the change after the user has logged into Windows at least once, using the new password. Kinda like below:
- Admin changes user's password (for whatever reason)
- SEE's PBA does not know about the change as it is not network aware
- User logs into SEE's PBA using old password
- (Assuming the machine is on the Domain Network, then) Machine fails SSO as the creds provided do not match those requested by Windows
- User must log into Windows using the new password
- Tell user to log off and on again (which should casue SEE to resync the password)
- Reboot the machine to verify sync of passwords from Windows local cache to SEE
Alternatively, you could get a SEE Client Admin to unregister all SEE users from the target machine. This should cause SEE to bypass PBA until a user is registered, which means it should boot straight into Windows and let Windows perform the authentication. This can be performed by script (https://support.symantec.com/en_US/article.DOC9136.html), but requires the machine already be booted into Windows, so its usefulness can be limited.