There were many fixes included in SEE 11.3.1 to address Autologon issues.  Although autologon works in most scenarios, for best results, Symantec strongly recommends upgrading to SEE 11.3.1 or above. 

Scenario 1 - TPM and Autologon - TPM PCR Events

Autologon can use TPM, if you have the TPM feature enabled within the SEE Client for Autologon, you will need to ensure TPM is up and running on the system itself.
If TPM is enabled in the Autologon client, but TPM is not configured for the system, the Autologon will not enable.

Before you go through the various troubleshooting scenarios, first check to make sure TPM is enabled and working on the system.

It was discovered that systems that use TPM 2.0 but use the lesser SHA1 algorithm will run into this issue with the "TPM" option configured for Autologon.  SHA1 is not considered secure and SEE will therefore stop autologon.  In order for Autologon with TPM to be considered valid, the system must use TPM 2.0 and use SHA256.

Solution: If you have systems that exhibit this behavior and uses TPM 2.0 with SHA1, disable the "Use TPM if available" option and create a new SEE Autologon client and the issue should go away.  Systems that use SHA256 are fine and should be compatible with this TPM integrity check.  This can happen even if using the "Autologon Infinite"

Scenario 3: Upgrading from a TPM-YES SEE Client to a TPM-NO SEE Client

Symantec Endpoint Encryption 11.2 introduced a TPM integrity check feature that disables the Autologon functionality at preboot if TPM has been tampered with as a security measure. 

Terminology:
When creating a client with the TPM option checked we will refer to this as a "TPM-YES" Autologon client. 

When creating a client with the TPM option unchecked we will refer to this as "TPM-NO" Autologon client.

For example, in the screenshot below, this would be considered a TPM-YES client Autologon client.

After upgrading to a version that included this feature, the machine would stop at the Preboot Authentication screen.  In scenarios where users have not logged in to register with Symantec Endpoint Encryption, authentication will not be possible.

Solution 1:  In order to avoid this issue, upgrade a TPM-YES system with a TPM-YES client and this will avoid the issue.

Solution 2:  If systems have already been affected by this issue and were upgraded from TPM-YES to TPM-NO, follow these steps:

Step 1: Run the following command to see the "TPM Usage" status and make note of this on the machine:
eedadmincli.exe --check-autologon --disk 0 --au "admin-username-here" --ap "admin-passphrase-here"

This will display "TPM Usage" and if TPM is enabled, the status will show "Yes".

Step 2: Before the system has been rebooted, move the machine into a policy on the Symantec Endpoint Encryption Management Server (SEEMS) that disables autologon.

Step 3: Click the "check-in" button in the SEE Management client, and then move the machine back into a policy where autologon is enabled, and click check-in again. 

This will show the correct status and should avoid the issue.

TIPS
If you're not sure if a machine is using TPM 2.0, the following command can help you understand this (Run as admin):

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:textvaluelist.xsl

The "SpecVersion" shows the version of TPM being used.  In this example, "2.0, 0, 1.16" is being used, and is thus TPM 2.0.

In order to find out if a system is using SHA1 or SHA256, open the registry and look at the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices

On the right pane, look for "TPMDigestAlgID" and note the result.

SHA256:
Hex = b
Decimal = 11

SHA1:
Hex = 4
Decimal =4

If going through this article did not help, please contact Symantec Enterprise Support for more information.

Note: If your autologon client was disabled and you forgot to include the TPM option or forgot to disable the TPM option, it was required to uninstall and reinstall the client.  If you are on SEE 11.3.1 or above, you can now perform a reinstall of 11.3.1 and the TPM option will be enabled or disabled as expected.   Symantec recommends upgrading to 11.3.1 or above for best performance with upgrades.

Scenario 4: GPO Policy downloaded from machine is older than the SEE Client

The following is noted in the Release Notes for version 11.3.1 GA:

*After upgrading, the Autologon GPO policy updates are not synchronized on the client systems: After upgrading the Symantec Endpoint Encryption clients to version 11.3.1, the Autologon GPO policy settings are not applied on the client systems instead they fall back to Autologon install-time policy settings. [EPG-19981]

If you are not using the "Autologon Infinite" installer, this can disable Autologon due to incorrect policy, which may cause a mismatch, which will use local policy.  

Solution: To resolve this issue, after upgrading the server ensure that the GPO policy is applied on the client systems and only then upgrade the Symantec Endpoint Encryption clients. Generally the GPO policy is automatically applied on the client systems as per the configured GPO synchronization interval. Therefore, it is recommended that you upgrade the clients after the GPO policy is applied on the client systems.

For example, if you have SEE 11.3.1 MP1 installed on the SEE Management Server, then before the SEE 11.3.1 MP1 client is deployed to systems, make sure the 11.3.1 MP1 policy is downloaded via Group Policy Updates before the client is deployed.  If a SEE 11.3.1 MP1 client is installed and gets Group Policy updates for the 11.3.0 Autologon policy, the Autologon could get disabled.   

Group Policy updates typically happen every 90 minutes by default, so the likelihood of this happening is fairly low. Note: This issue will no longer be applicable if the GPO is already on 11.3.1 and beyond.  This happens only when coming from 11.3.0 and older.

Scenario 5: Upgrading from 11.3.0 GA to 11.3.1 MP1 while having no network connectivity to the SEE Management Server

Autologon could become disabled if you are upgrading from 11.3.0 GA to 11.3.1 MP1 using the Autologon "Admin Only" (aka "noautologon").  The Admin-Only client means that Autologon is disabled by default upon install, until it is enabled either via SEE Client Admin commands, or via Policy.  After installation, and before reboot, the SEE Client can check in with the SEE Management server to get this feature enabled right away in most cases. 

Scenario 6: Using the incorrect policy for the wrong version

If you manage Group Policy separately, such as using a third-party tool to manage GPOs, then you will potentially create the GPO Templates on a separate Windows server using a different SEE Management Server, export the template, and then upload to your third-party management tool to manage GPO.  If you use this method, there is potential to run into issues if the incorrect version of SEE policy was created.  For example, your GPO was created using SEE 11.3.0, but you have deployed the SEE 11.3.1 MP1 client.  Because 11.3.1 uses a new Autologon policy, this will revert the policy to "local".  If you are not using the "Autologon Infinite" installer, this can disable Autologon.  

Solution: If you do use a separate Windows server and different management server to create a GPO Template and then export these settings, make sure you do so with the newer version deployed.  For example, if SEE 11.3.1 MP1 client is the version you want to deploy to your endpoints, first make sure you create and apply the GPO to your policy tool so the 11.3.1 MP1 clients do not get the 11.3.0 policy.  Upload the new 11.3.1 MP1 Autologon GPO to your policy tool, and once this new GPO has been applied to endpoints, then deploy the SEE 11.3.1 MP1 clients.  

Note: This issue will no longer be applicable if the GPO is already on 11.3.1 and beyond.  This happens only when coming from 11.3.0 and older.