Laptop goes into recovery every time & asks for old password while logging in

Hi Team,
We have one client who is facing the issue on Sophos 8.
Actually, the user has changed the password from outside the domain network & we have the SafeGuard 8.1 console.
Once he comes into the office and syncs the Sophos 8.1 client, at the first login the Sophos old password prompt occurs; hence we have to cancel, and then we are able to log in to the SafeGuard client.
We have tried to delete the user certificate from the console & sync.
After that we can see the new certificate at the Sophos console. And still the issue is not resolved & the laptop goes into recovery every time. Can you please help with this issue?

Here we can see at the user site that the certificate is showing & a new certificate is created after the sync.
  • This sounds like two issues - TPM lockout AND the cert issue. The cert issue (for which you've done what I'd recommend) should be resolved now that you've deleted their old cert with their outdated cached creds. However, this is not associated with the constant request for the RK.

    This is probably caused by a key protector missing - or the TPM being locked out.

    A device must have TWO key protectors really - normally this is the TPM chip AND the numerical password (the recovery key).

    If a laptop keeps prompting for the recovery key then the other protector is not usable/visible.

    This can happen when the TPM locks out (normally from too many failed attempts with the PIN) or the key protector has been removed.

    Once logged on (hopefully you've fixed the cert issue, and you'll not see that!) please run an elevated cmd prompt (Admin command prompt).

    Type

    manage-bde -status c:

    This assumes your HDD IS C: (most are, but substitute if not).

    This will list a few things, including your Key Protectors.

    Please paste this back into this thread. It'll look a bit like this... (graphic from MS - note they've missed off the drive letter, so it'll list all encrypted drives, not just C: like I specified).

    If there's only Numerical Password listed (this is the recovery key) then this is the issue, but let's try and do one step at a time!
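The check the reply describes (run manage-bde -status, look at the Key Protectors, and see whether anything other than the Numerical Password is left) can be done in one go with the built-in BitLocker and TPM cmdlets. This is an added example, not code from the thread or from Sophos; it assumes the OS volume is C: and that it is run from an elevated PowerShell prompt. The function name Test-BitLockerRecoveryLoop is made up for this example. It reports the same protector list manage-bde prints (RecoveryPassword is what manage-bde calls "Numerical Password") and flags the two causes the reply names: no TPM-based protector on the volume, or a TPM that is currently locked out.

```powershell
# Added example, not from the original thread. Checks the two causes of a
# BitLocker recovery-key loop named in the reply above: a missing TPM key
# protector, or a locked-out TPM. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Test-BitLockerRecoveryLoop {
    param(
        # Assumption: the OS volume is C:. Substitute if it is not.
        [string]$MountPoint = 'C:'
    )

    # Same information manage-bde -status c: prints, but as objects.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey, RecoveryPassword (= "Numerical Password"), ExternalKey.
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasRecoveryPassword = $protectorTypes -contains 'RecoveryPassword'
    $hasTpmProtector     = @($protectorTypes | Where-Object { $_ -like 'Tpm*' }).Count -gt 0

    # TPM state, including lockout from too many failed PIN attempts.
    $tpm = Get-Tpm

    $result = [pscustomobject]@{
        MountPoint          = $MountPoint
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        KeyProtectors       = ($protectorTypes -join ', ')
        HasRecoveryPassword = $hasRecoveryPassword
        HasTpmProtector     = $hasTpmProtector
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmLockedOut        = $tpm.LockedOut
        TpmLockoutCount     = $tpm.LockoutCount
        LikelyCause         = 'none of the checked causes found'
    }

    if ($hasRecoveryPassword -and -not $hasTpmProtector) {
        # Only the numerical password remains, so at boot the only way to
        # unlock the volume is the recovery key: the loop described in the post.
        $result.LikelyCause = 'TPM key protector missing (only Numerical Password present)'
    }
    elseif ($hasTpmProtector -and $tpm.LockedOut) {
        # Protector is present but the TPM will not release the key until the
        # lockout clears, so the boot falls back to the recovery key.
        $result.LikelyCause = 'TPM is locked out (LockoutCount ' + $tpm.LockoutCount + ')'
    }
    elseif (-not $tpm.TpmReady) {
        $result.LikelyCause = 'TPM present but not ready; check it is enabled and owned'
    }

    return $result
}

# Usage: prints the protector list and the suspected cause for C:.
Test-BitLockerRecoveryLoop -MountPoint 'C:' | Format-List
```

The LikelyCause line is what to look at first: "TPM key protector missing" matches the reply's "only Numerical Password listed" case, and "TPM is locked out" matches the PIN-lockout case. The thread stops at diagnosis, and so does this script; it does not add or remove any protector.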

