This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Transferring laptop to another user

New user to Safeguard. We have a laptop that was assigned to a user who has now left. We have re-imaged the latop and given it to a new user. When they log in, the Pop-up for a new Bitlocker code appears and they type a new code in and click Restart and Encrypt. However, this keeps appearing every time they login to Windows.

What is the correct process for deassigning it from someone, removing any keys etc and then assigning it to a new user?



This thread was automatically locked due to age.
  • Hi  

    It is not an issue with the user assignment because of the older user. When you reimage the laptop, all the configuration regarding any of the software will be vanished and no longer in effect.

    It is an issue with the communication part that the new user is not able to register himself in the Safeguard management server to get the keys and policies.

    Please check whether there is an issue with client-server communication. You can check the safeguard client for more details from it.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hi Ric,

    I suspect that there may still be information leftover in the TPM post re-image.

    To fix this issue, open up tpm.msc on the machine and clear the TPM under actions on the right panel.

    If the issue still persists, make sure that the drives on the machine are decrypted. Run "manage-bde -status" in an admin command prompt to see if there are any leftover key protectors.  They might need to be deleted with the command "manage-bde -protectors -delete C:".  Be careful with this command though as if the drive is encrypted this would mean all data on the drive is lost.

  • Yes, sounds as if TPM is in "lockout" and requires clearing. This will affect the setting of a new PIN as you've seen - it's not applying properly as the TPM isn't in a fit state. This often happens when the wrong PIN is used repeatedly. 

    I would also check BIOS mode. If it's in legacy/CSM and not in UEFI you may find that the laptop can't integrate with TPM properly. I'd also check that the TPM firmware is up to date - many can be upgraded to TPM2.0. 

    Personally we encourage all to reformat/wipe the laptop before it's passed to another user. You may wish to remove the hostname entry from AD too if you're going to rebuild it with the same hostname. The recovery key generated will not be the same as the old one. You'll not need to remove any keys/certs (and I wouldn't just in case you need to try and recover their data further down the road) as the new user will have their own keys/certs etc..

    Dependant on how many and how frequently you build /re-build laptops - I personally like to confirm that we DO have a recovery key within the console and that the client is actively reporting back to the console. If you include a policy within the configuration file, it is possible to start encryption before communication (and therefore sending the key) has taken place. Not normally an issue if this happens soon after, but i don;t have an encryption policy within my configuration for this very reason. Once the client communicates with the server the encryption starts - This way I know the comms are working and I WILL have the RK on the server (s)

     

    Hope this helps?

     

    Michael

  • Hi Michael

    Thanks for this, I tried clearing the TPM from within the BIOS. I also made sure it is running TPM2.0. So, within the BIOS it has been cleared and within Windows using tpm.msc it has been cleared. But when I log back into Windows and set a PIN (using numeric keys only) it restarts but does not come up with the Bitlocker login. It also still says "The PIN you entered in the Bitlocker Authentication screen did not match the PIN set earlier. Please set a new PIN and remember that Bitlocker only supports EN-US keyboard layout". 

    I thought all PINs would have been cleared so I don't know where it is now looking?

    Thanks

    Ric

  • Hi  

    I got your issue here. The issue is related to Intel PTT (Intel (R) Platform Trusted Technology with TPM 2.0 mode) Security Chip. It will happen even you'll try to enable the encryption manually.

    Please refer to this article which has steps provided to change the security chip selection.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hi Ric. Thanks for the update. It does sound as I mentioned that BIOS is not in UEFI configuration and this marries up with what Jasmin posted too.

    So either her suggested workaround or put the BIOS IN UEFI mode.

    All the best

  • Hi Jasmin. I followed the instructions on the HP website to disable the Intel SGX feature and clear TPM on next boot. Saved and exited and it asked me to confirm and type in a code for verification. Did that, booted up, logged in and set a PIN, rebooted but the Pre boot Authentication still did not come up and it booted back to Windows upon where I got the same Bitlocker error message. Stuck at what else I can try now?

    Thanks

    Ric

  • Best to switch to UEFI if possible Ric? Jasmin's solution is a workaround really rather than a fix?

  • Hi  

    Michael is correct. The best solution is to switch to UEFI. That is the only solution available now for your issue.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • But if I do that then I will need to re-image the laptop? And if I try and re-image with it set to UEFI then it doesn't let me boot to MDT?