A device that is a member of a Token Authentication group and where the "TokenPassThru" policy is set to Yes does not perform Single Sign On (SSO) in Windows.
FDE version 18.104.22.168 does not capture the PIN at the preboot to pass the PIN to Windows. This allows Single Sign On (SSO). This is a known issue and will be addressed in the future release of FDE.
Currently, when a device is a member of a Token Authentication group and you authenticate to the FDE preboot with your PIN and SmartCard, you cannot pass the Windows GINA (Graphical Identification and Authentication) until you insert the PIN for your SmartCard.