I got a call from my Tier 1 colleague: one of our users' laptops had a hardware fault and would not boot, so he helped her call Lenovo support to book a motherboard replacement. The next day the Lenovo engineer replaced the motherboard and tested it, all good, but when the user signed in with her password and opened the Outlook and Teams clients, both showed the same error message, like the one below:

He searched for this issue, tried clearing the TPM and made some changes to the Registry, but it just did not work, so he escalated the case to me. Here is my thought process and the actions I took. First, run tpm.msc to check whether the TPM on the new motherboard is functional and what its spec version is.

As the screenshot above shows, the TPM status is normal and the spec version is 2.0. Next, clear the TPM again from the Trusted Platform Module Management console.

Okay, restarted, logged in and tested the Outlook client and the Teams desktop client: same result. Then I logged in to her laptop with my own account and configured the Outlook and Teams clients, all good, but after switching back to her Windows account the same error message appeared. So her Microsoft 365 account and the device itself are fine; the only remaining issue is her Windows account.
Could we rebuild her profile? Yes, but it could cause more trouble if that did not work. Then I checked her device in Intune and realised that we deploy BitLocker by default (which involves the TPM), so maybe I could revert the device to its original state and then bring it back as a corporate-owned device to resolve this?
I proceeded with the following:
- Log in to her laptop with a local admin account.
- Decrypt the drive with BitLocker Drive Encryption.
- Go to Settings > Accounts > Access work or school > Disconnect the account, then restart.
- Repeat step 3 to join the laptop to Azure AD.
- Perform the BitLocker encryption.
Then I logged in with the user's Windows account and configured the Outlook and Teams clients, all good, with no error message.
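To make the same recovery repeatable, here is an added PowerShell example (my own, not code from the original post) that wraps the checks around those steps: the tpm.msc check, decrypting the OS drive, verifying the Azure AD join, and re-encrypting with a TPM protector plus a recovery password escrowed to Azure AD. It assumes C: is the OS drive, an elevated PowerShell session on Windows 10, and that the Disconnect / rejoin in Settings is still done by hand as above; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes the OS drive is C: and that the
# Settings > Access work or school disconnect/rejoin is done manually between the two Invoke-* calls.

function Test-TpmHealth {
    # Same facts tpm.msc shows: present, ready, enabled, and the spec version.
    $tpm = Get-Tpm
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady
        Enabled     = $tpm.TpmEnabled
        SpecVersion = $wmi.SpecVersion   # e.g. "2.0, 0, 1.38"
    }
}

function Test-AzureAdJoined {
    # Parses 'dsregcmd /status'; the join state line looks like "AzureAdJoined : YES".
    $status = dsregcmd /status
    $line   = $status | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*(\w+)'
    if (-not $line) { return $false }
    return $line.Matches[0].Groups[1].Value -eq 'YES'
}

function Wait-BitLockerState {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][string]$Expected,   # 'FullyDecrypted' or 'FullyEncrypted'
        [int]$PollSeconds = 30
    )
    # Poll until the volume reaches the expected state; both conversions take a while.
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0} {1} ({2}%)" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
        if ($vol.VolumeStatus -eq $Expected) { return $vol }
        Start-Sleep -Seconds $PollSeconds
    } while ($true)
}

function Invoke-PreRejoinDecrypt {
    param([string]$MountPoint = 'C:')
    $tpm = Test-TpmHealth
    if (-not ($tpm.Present -and $tpm.Ready)) {
        throw "TPM is not present/ready; sort out the TPM (tpm.msc) before touching BitLocker."
    }
    Write-Host "TPM OK, spec version $($tpm.SpecVersion)"

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        # Step 2 of the procedure: decrypt the OS drive (key protectors are removed with it).
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
        Wait-BitLockerState -MountPoint $MountPoint -Expected 'FullyDecrypted' | Out-Null
    }
    Write-Host "Drive decrypted. Now: Settings > Accounts > Access work or school > Disconnect, restart, then join Azure AD again."
}

function Invoke-PostRejoinEncrypt {
    param([string]$MountPoint = 'C:')
    if (-not (Test-AzureAdJoined)) {
        throw "Device is not Azure AD joined yet; finish the rejoin before re-encrypting."
    }
    # Step 5 of the procedure: re-encrypt. The TPM protector binds the key to the new motherboard's TPM.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    # The recovery password protector lives in a different parameter set, so add it separately.
    $rp   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rpId = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1).KeyProtectorId
    # Escrow the recovery password in Azure AD so it appears against the device in Intune.
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId | Out-Null
    Wait-BitLockerState -MountPoint $MountPoint -Expected 'FullyEncrypted'
}
```

Run `Invoke-PreRejoinDecrypt` first, do the disconnect, restart and rejoin in Settings, then run `Invoke-PostRejoinEncrypt`. The TPM check up front matters because after a motherboard swap it is the new TPM that will seal the BitLocker key, and the Azure AD check before re-encrypting guarantees the recovery password is escrowed to the device record the rejoin created rather than the stale one.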
After resolving this case, I also checked the Microsoft docs on the TPM in relation to this issue. They confirm that the TPM plays a big role in current modern devices running Windows 10: “With Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365.” – Refer to How Windows uses the TPM – Windows security | Microsoft Docs
Many thanks, this worked a treat! PC can access company resources again 🙂