
Transferring laptop to another user

New user to Safeguard. We have a laptop that was assigned to a user who has now left. We have re-imaged the laptop and given it to a new user. When they log in, the pop-up for a new Bitlocker code appears and they type a new code in and click Restart and Encrypt. However, this keeps appearing every time they log in to Windows.

What is the correct process for deassigning it from someone, removing any keys etc and then assigning it to a new user?

  • Yes, sounds as if TPM is in "lockout" and requires clearing. This will affect the setting of a new PIN as you've seen - it's not applying properly as the TPM isn't in a fit state. This often happens when the wrong PIN is used repeatedly. 

    I would also check BIOS mode. If it's in legacy/CSM and not in UEFI you may find that the laptop can't integrate with TPM properly. I'd also check that the TPM firmware is up to date - many can be upgraded to TPM2.0. 

    Personally we encourage all to reformat/wipe the laptop before it's passed to another user. You may wish to remove the hostname entry from AD too if you're going to rebuild it with the same hostname. The recovery key generated will not be the same as the old one. You'll not need to remove any keys/certs (and I wouldn't, just in case you need to try and recover their data further down the road) as the new user will have their own keys/certs etc.

    Dependent on how many and how frequently you build/re-build laptops - I personally like to confirm that we DO have a recovery key within the console and that the client is actively reporting back to the console. If you include a policy within the configuration file, it is possible to start encryption before communication (and therefore sending the key) has taken place. Not normally an issue if this happens soon after, but I don't have an encryption policy within my configuration for this very reason. Once the client communicates with the server the encryption starts - this way I know the comms are working and I WILL have the RK on the server(s).

    Hope this helps?

    Michael
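The local checks Michael suggests (TPM lockout state, TPM 2.0, UEFI vs legacy firmware, and whether the OS volume actually carries a TPM+PIN protector and a recovery password) can be read in one pass from an elevated PowerShell prompt on the laptop. This is an added example, not code from the thread or from Safeguard; it uses only the built-in `Get-Tpm`, `Win32_Tpm` and `Get-BitLockerVolume` interfaces, and the function name `Get-PinReadinessReport` is my own. Whether the recovery key has reached the Safeguard console can only be confirmed in the console itself.

```powershell
# Added example: read-only diagnostics for a BitLocker PIN that will not apply.
# Run as administrator; needs the TrustedPlatformModule and BitLocker modules (Windows 8+).

function Get-PinReadinessReport {
    $report = [ordered]@{}

    # 1. TPM state: a locked-out TPM rejects new PIN protectors without a clear error.
    $tpm = Get-Tpm
    $report.TpmPresent      = $tpm.TpmPresent
    $report.TpmReady        = $tpm.TpmReady
    $report.TpmLockedOut    = $tpm.LockedOut
    $report.TpmLockoutCount = $tpm.LockoutCount

    # 2. TPM spec version (1.2 vs 2.0) comes from WMI; Get-Tpm does not expose it.
    $wmi = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
    $report.TpmSpecVersion = $wmi.SpecVersion        # e.g. "2.0, 0, 1.38"

    # 3. Firmware mode: TPM-backed BitLocker expects UEFI, not legacy/CSM.
    $report.FirmwareType = $env:firmware_type         # "UEFI" or "Legacy"

    # 4. OS drive protectors: is a TPM+PIN protector and a recovery password present?
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $report.VolumeStatus     = $os.VolumeStatus
    $report.ProtectionStatus = $os.ProtectionStatus
    $report.ProtectorTypes   = ($os.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
    $report.RecoveryProtectorIds = ($os.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId -join ', '

    [pscustomobject]$report
}

$r = Get-PinReadinessReport
$r | Format-List

# Flag the conditions discussed in the thread.
if ($r.TpmLockedOut)                       { Write-Warning 'TPM is locked out: clear/heal it before setting a PIN.' }
if ($r.FirmwareType -ne 'UEFI')            { Write-Warning 'Firmware is not UEFI: check BIOS mode (legacy/CSM).' }
if ($r.TpmSpecVersion -notlike '2.0*')     { Write-Warning 'TPM is not reporting 2.0: check for a TPM firmware upgrade.' }
if ($r.ProtectorTypes -notmatch 'TpmPin')  { Write-Warning 'No TPM+PIN protector on the OS volume: the PIN was never applied.' }
if (-not $r.RecoveryProtectorIds)          { Write-Warning 'No recovery password protector: confirm the console holds a key.' }
```

The protector IDs reported last are the ones to match against the recovery key shown in the console for this machine.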

  • Hi Michael

    Thanks for this, I tried clearing the TPM from within the BIOS. I also made sure it is running TPM2.0. So, within the BIOS it has been cleared and within Windows using tpm.msc it has been cleared. But when I log back into Windows and set a PIN (using numeric keys only) it restarts but does not come up with the Bitlocker login. It also still says "The PIN you entered in the Bitlocker Authentication screen did not match the PIN set earlier. Please set a new PIN and remember that Bitlocker only supports EN-US keyboard layout".

    I thought all PINs would have been cleared so I don't know where it is now looking?

    Thanks

    Ric
