Windows – Reason for TPM lockout

Tags: bitlocker, encryption, Security, tpm, windows

We have several Surface Pro 3 devices deployed with BitLocker enabled in TPM + PIN mode. The devices have a TPM 2.0 chip and are running Windows 8.1 Pro.

We have an issue where users are occasionally presented with the "Too many incorrect PIN attempts" error when they enter the correct PIN. They must then enter the recovery key to be able to continue the boot process. They then need to enter the recovery key every time they boot the device until we manually reset the TPM lockout using tpm.msc, which is obviously inconvenient.

For some reason the TPM is entering the lockout state, but it doesn't seem to be because of repeated incorrect PIN attempts. The fact that the lockout doesn't eventually time out if you leave the device running also suggests it's for some reason other than reaching the maximum number of incorrect authentication attempts. I understand the TPM 2.0 spec states that this should be the case, unlike the TPM 1.2 spec, which left the exact behaviour to the vendor.

Running Get-Tpm indicates that the TPM is definitely in a locked state, but doesn't provide any information about the cause.

Does anyone know if there is anything I could do to try and determine the root cause of the lockouts?

Best Answer

The explanation I've read is that the TPM has no access to write any kind of log or cause for the lockout to the drive to which it's denying access. Sensible. Giving a reason could also present a security flaw.

The only information I've been able to find along these lines is the number of bad passwords entered. Open an elevated PowerShell prompt and enter:

get-tpm

Unlike the normal command shell, you'll have entries for LockoutCount and LockoutMax. This will give you a count of how many bad passwords were entered. I'm sure the users are convinced they're always entering the correct PIN, but I've found there's usually a miscommunication.

That being said, there are MANY other lockout reasons. https://technet.microsoft.com/en-us/library/dn383583(v=ws.11).aspx Specifically "What causes Bitlocker recovery?" Anything from inserting a CD to letting the device's battery completely discharge can cause a lockout. This is something I'm attempting to resolve through a mixture of user education, helpdesk education, and evaluating which group/local policy settings to change. https://technet.microsoft.com/en-us/library/jj679890(v=ws.11).aspx
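The check the answer describes, written out as a script (an added example, not code from the original post or from Microsoft). It reads the LockoutCount and LockoutMax values from Get-Tpm, uses them to separate "PIN attempts exhausted" from "locked out for some other reason", and then pulls recent entries from the BitLocker management event log so the recovery trigger can be correlated with the lockout. Assumptions: the TrustedPlatformModule cmdlets are available (Windows 8 / Server 2012 or later, elevated session), the Get-Tpm properties LockedOut and LockoutHealTime exist alongside the two named in the answer, and the event log name 'Microsoft-Windows-BitLocker/BitLocker Management' is present on the device; the function name Get-TpmLockoutReport is the example's own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# session on the affected device. Assumed: TrustedPlatformModule cmdlets and the
# BitLocker management event log are present (Windows 8 / Server 2012 and later).

function Get-TpmLockoutReport {
    [CmdletBinding()]
    param(
        # How many days of BitLocker management events to pull for correlation.
        [int]$EventDays = 7
    )

    # Get-Tpm exposes the lockout counters the answer refers to.
    $tpm = Get-Tpm

    $state = [PSCustomObject]@{
        LockedOut       = $tpm.LockedOut        # assumed property name
        LockoutCount    = $tpm.LockoutCount     # failed authorizations so far
        LockoutMax      = $tpm.LockoutMax       # threshold that triggers lockout
        LockoutHealTime = $tpm.LockoutHealTime  # assumed property name
        LikelyCause     = 'Not locked out'
    }

    if ($tpm.LockedOut) {
        if ($tpm.LockoutCount -ge $tpm.LockoutMax) {
            # Counter reached the threshold: consistent with repeated bad PINs.
            $state.LikelyCause = 'Authorization failures reached LockoutMax (bad PIN attempts)'
        } else {
            # Locked out while the counter is below the threshold: the PIN is not
            # the explanation, so look at the recovery triggers the answer lists
            # (removable media, battery fully discharged, boot/firmware changes).
            $state.LikelyCause = 'Locked out with LockoutCount below LockoutMax; check for a non-PIN recovery trigger'
        }
    }

    # Recent BitLocker management events, which record entries into recovery mode
    # and can be lined up against the time the user was prompted for the key.
    $since = (Get-Date).AddDays(-$EventDays)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'  # assumed log name
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [PSCustomObject]@{
        Tpm    = $state
        Events = $events
    }
}

# Usage: print the TPM lockout state, then the recent BitLocker events.
$report = Get-TpmLockoutReport -EventDays 7
$report.Tpm | Format-List
$report.Events | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
```

Run it once while the device is still locked out, before resetting the TPM lockout, because the counters are what distinguish the two cases; a LockoutCount that never reached LockoutMax is the evidence that something other than the PIN forced recovery, which is the question's situation.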
