Blog: TPM

For some versions of the TPM chip found in the Lenovo ThinkPad T420, you will receive an Access Denied error message when attempting to encrypt the hard disk if a group policy is enabled that restricts CD/DVD access. Apparently, some models of TPM chip are seen by the system as a CD/DVD device and will not function correctly if that device class has been disabled via Group Policy.

The fix is to disable the group policy until the disk has been encrypted and the PIN has been set up. Once the disk is encrypted you can reapply the Group Policy and the TPM will continue to function normally.



As most know, when using PGP to encrypt a hard drive, you enter your password at the boot screen and it logs you into Windows. After redeploying a laptop to a new user, PGP would not pass the new username through to Windows; it stopped at the Windows credential prompt showing a previously used username. After a fair amount of troubleshooting and research, the problem was traced to the TPM chip.

PGP can be configured to authenticate users with a password only, or with the TPM plus a password. PGP on this laptop had been configured to use TPM and password. The TPM chip had been locked out by the previous user, which prevented new users from accessing it. You could add a new user to PGP, but the user was never added to the TPM configuration, and no error reported this. Since the old user's password was not available, the TPM chip had to be deactivated. Before deactivating the TPM, the administrator account in use was changed to password-only in PGP; if this change had not been made to the administrator account first, it would have been locked out of PGP. The TPM was deactivated and the laptop rebooted. The TPM was reactivated and the laptop rebooted. The new user account was added back to PGP and the laptop rebooted again. This time PGP passed the username through to Windows without any problems.
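Both posts above come down to checking two things before touching PGP: the state the TPM is in, and whether a CD/DVD restriction policy is in force. The following read-only PowerShell check is an added example, not code from the original posts or from PGP. It queries the Win32_Tpm WMI class (available on Windows 7, where the newer Get-Tpm cmdlet is not) and, on the assumption that the "group policy that restricts CD/DVD access" is the Removable Storage Access policy, inspects the registry values that policy writes; the policy key path and the CD-ROM device interface GUID are assumptions, not values from the posts.

```powershell
# Added example (not from the original posts): read-only pre-flight check
# for the two conditions described above. Run from an elevated prompt.

# --- 1. TPM state via the Win32_Tpm WMI class ------------------------------
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    Write-Warning 'No TPM reported by WMI (chip absent, hidden in BIOS, or driver not loaded).'
} else {
    # Each call is a WMI method returning an object that carries a boolean of the same name.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    "TPM enabled:   $enabled"
    "TPM activated: $activated"
    "TPM owned:     $owned"
    if (-not ($enabled -and $activated)) {
        Write-Warning 'TPM must be enabled AND activated in BIOS before PGP can bind users to it.'
    }
}

# --- 2. CD/DVD removable-storage policy ------------------------------------
# Assumption: the restriction is the Removable Storage Access policy, which
# writes Deny_* DWORDs under the key below. The GUID is the CD-ROM device
# interface class; Deny_All under the parent key covers "all removable storage".
$parentKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$cdKey     = Join-Path $parentKey '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'

$restricted = $false
if (Test-Path $parentKey) {
    $all = Get-ItemProperty -Path $parentKey -ErrorAction SilentlyContinue
    if ($all.Deny_All -eq 1) {
        Write-Warning 'Policy denies ALL removable storage; expect Access Denied from PGP WDE until it is lifted.'
        $restricted = $true
    }
}
if (Test-Path $cdKey) {
    $cd = Get-ItemProperty -Path $cdKey -ErrorAction SilentlyContinue
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        if ($cd.$name -eq 1) {
            Write-Warning "CD/DVD policy '$name' is set; lift it until encryption and PIN setup are complete."
            $restricted = $true
        }
    }
}
if (-not $restricted) { 'No CD/DVD removable-storage deny policy present.' }
```

Run this before starting the disk encryption or re-adding a user; if it reports the TPM as not activated, the deactivate/reactivate cycle from the second post (with the administrator account switched to password-only first) is the step to take, and if it reports a deny policy, that is the setting to suspend until the PIN has been set up.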