
Transferring laptop to another user

New user to Safeguard. We have a laptop that was assigned to a user who has now left. We have re-imaged the laptop and given it to a new user. When they log in, the pop-up for a new BitLocker code appears and they type a new code in and click Restart and Encrypt. However, this keeps appearing every time they log in to Windows.

What is the correct process for deassigning it from someone, removing any keys etc and then assigning it to a new user?



  • Yes, sounds as if TPM is in "lockout" and requires clearing. This will affect the setting of a new PIN as you've seen - it's not applying properly as the TPM isn't in a fit state. This often happens when the wrong PIN is used repeatedly. 

    I would also check BIOS mode. If it's in legacy/CSM and not in UEFI you may find that the laptop can't integrate with TPM properly. I'd also check that the TPM firmware is up to date - many can be upgraded to TPM2.0. 

    Personally we encourage all to reformat/wipe the laptop before it's passed to another user. You may wish to remove the hostname entry from AD too if you're going to rebuild it with the same hostname. The recovery key generated will not be the same as the old one. You'll not need to remove any keys/certs (and I wouldn't, just in case you need to try and recover their data further down the road) as the new user will have their own keys/certs etc.

    Dependent on how many and how frequently you build/rebuild laptops, I personally like to confirm that we DO have a recovery key within the console and that the client is actively reporting back to the console. If you include a policy within the configuration file, it is possible to start encryption before communication (and therefore sending the key) has taken place. Not normally an issue if this happens soon after, but I don't have an encryption policy within my configuration for this very reason. Once the client communicates with the server the encryption starts. This way I know the comms are working and I WILL have the RK on the server(s).

     

    Hope this helps?

     

    Michael
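The checks Michael lists (TPM lockout state, UEFI vs. legacy firmware mode, TPM spec version, and whether a recovery password protector actually exists on the volume) can be gathered in one pass. The script below is an added example, not code from the thread or from Sophos SafeGuard; it assumes the OS volume is C: and uses only the built-in TrustedPlatformModule and BitLocker PowerShell modules, run from an elevated prompt on the re-imaged laptop.

```powershell
# Added diagnostic; not part of the original thread or of SafeGuard itself.
# Assumes: elevated PowerShell on Windows 8/2012 or later, OS volume is C:.

function Get-TpmBitLockerReadiness {
    param([string]$MountPoint = 'C:')

    # Get-Tpm reports lockout state directly; a locked-out TPM will not accept
    # a new PIN protector, which matches the "pop-up every logon" symptom.
    $tpm = Get-Tpm

    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy' (CSM).
    $firmware = $env:firmware_type

    # SpecVersion is a comma-separated list, e.g. "2.0, 0, 1.59" or "1.2, ...".
    $specVersion = (Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmLockedOut        = $tpm.LockedOut
        LockoutHealTime     = $tpm.LockoutHealTime
        TpmSpecVersion      = $specVersion
        FirmwareType        = $firmware
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        KeyProtectors       = ($protectorTypes -join ', ')
        HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
    }
}

$r = Get-TpmBitLockerReadiness
$r | Format-List

# Flag the conditions the reply above calls out.
if ($r.TpmLockedOut) {
    Write-Warning "TPM is in lockout (heals in $($r.LockoutHealTime)); clear it (Clear-Tpm + reboot) before setting a new PIN."
}
if ($r.FirmwareType -ne 'UEFI') {
    Write-Warning "Firmware mode is '$($r.FirmwareType)'; TPM/BitLocker integration expects UEFI."
}
if (-not $r.HasRecoveryPassword) {
    Write-Warning "No RecoveryPassword protector on $($r.VolumeStatus) volume; confirm the key is escrowed in the console before encrypting."
}
```

Clearing the TPM discards any existing TPM-bound protectors, so confirm the recovery key is held in the SafeGuard console (or AD) before running Clear-Tpm.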
