Is there a driving reason why you need the single sign-on functionality enabled? You can disable it by changing a registry key on the client. In doing so, the system will stop at the CTRL+ALT+DEL page. This should allow the machine to authenticate if the system is configured to do so (I do not use PGP, so I cannot confirm this).
- HKEY_LOCAL_MACHINE>SOFTWARE>PGP Corporation>PGP
- Add a new String Value named DISABLEWDESSO and add a value of 1 in the value field. Reboot.
Making the change, alters the behavior of the PGP passphrase should the user change the password. For example, if the user changes it using the CTRL+ALT+DEL option, it will sync with the PGP passphrase, if they change it in another manner, they'll need to boot once to PGP and enter the old passphrase, then upon successful login to Windows, it will by synchronized. Check this link for details.
http://www.symantec.com/business/support/index?page=content&id=HOWTO42010