Reduce the TPM LockoutMax from 32

  • Question

  • Hi,

    Is it possible to reduce the TPM LockoutMax from 32 attempts before lockout down to, say, 10 attempts?  I'm running TPM 2.0 and have a BitLocker PIN set on boot.  I find that I can attempt to guess the pre-boot PIN 32 times before the TPM enters the locked-out state.

    I'm running Windows 10 v1511. The policies under Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\ don't seem to make a difference to the TPM LockoutMax setting; if I run the PowerShell command Get-Tpm, the LockoutMax is always 32.

    Thanks

    Monday, December 12, 2016 10:04 PM

All replies

  • Hi,

    Have you tried this policy?

    Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\

    • Standard User Individual Lockout Threshold

      This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization.

    • Standard User Total Lockout Threshold

      This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 14, 2016 2:42 AM
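    An added example, not posted by anyone in this thread: a PowerShell function that reports what Get-Tpm returns for the lockout counters next to whatever the three "Trusted Platform Module Services" policies above have written to the registry. Get-Tpm and its TpmPresent, TpmReady, LockedOut, LockoutCount and LockoutMax properties are real; the registry path HKLM\SOFTWARE\Policies\Microsoft\TPM and the three value names are assumed here from TPM.admx and should be checked against your own build. The point is to tell "policy never applied" apart from "policy applied but LockoutMax still 32", which is the distinction the rest of this thread turns on.

```powershell
# Added example (not from the thread): audit TPM lockout state and the
# Trusted Platform Module Services policy values on a Windows 10 host.
# Run from an elevated prompt; Get-Tpm needs administrator rights.
function Get-TpmLockoutReport {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm

    # Assumed: the GPOs write these values under this policy key (TPM.admx).
    # A missing key or value means the policy is "Not configured".
    $policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $policyNames = @(
        'StandardUserAuthorizationFailureIndividualThreshold',
        'StandardUserAuthorizationFailureTotalThreshold',
        'StandardUserAuthorizationFailureDuration'
    )

    $policy = @{}
    foreach ($name in $policyNames) {
        $item = Get-ItemProperty -Path $policyPath -Name $name -ErrorAction SilentlyContinue
        $policy[$name] = if ($null -ne $item) { $item.$name } else { 'Not configured' }
    }

    # Remaining attempts before the TPM itself refuses authorized commands.
    $remaining = $tpm.LockoutMax - $tpm.LockoutCount

    [pscustomobject]@{
        TpmPresent                = $tpm.TpmPresent
        TpmReady                  = $tpm.TpmReady
        LockedOut                 = $tpm.LockedOut
        LockoutCount              = $tpm.LockoutCount
        LockoutMax                = $tpm.LockoutMax
        RemainingAttempts         = $remaining
        IndividualThresholdPolicy = $policy['StandardUserAuthorizationFailureIndividualThreshold']
        TotalThresholdPolicy      = $policy['StandardUserAuthorizationFailureTotalThreshold']
        DurationPolicy            = $policy['StandardUserAuthorizationFailureDuration']
    }
}

$report = Get-TpmLockoutReport
$report | Format-List

# A non-zero LockoutCount on a machine nobody is troubleshooting is worth a
# look: it means failed TPM authorizations (for example pre-boot PIN guesses)
# have already been counted against LockoutMax.
if ($report.LockoutCount -gt 0) {
    Write-Warning ("TPM has recorded {0} of {1} allowed authorization failures." -f
        $report.LockoutCount, $report.LockoutMax)
}
```

    If the three policy fields come back as "Not configured" after a gpupdate, the GPO never reached the machine; if they show your values while LockoutMax still reads 32, the policy is applied but is not what governs the pre-boot counter, which is what the later replies in this thread conclude.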
    Owner
  • Yes, as I said in the post.  These settings don't seem to make a difference on the pre-boot BitLocker authentication page.
    Wednesday, December 14, 2016 10:14 PM
  • The GPOs don't work, Declan,

    I also tried them on a Surface Pro 4 today and they don't do anything.

    Microsoft have a similar issue here: https://blogs.technet.microsoft.com/dubaisec/2016/07/10/tpm-lockout/

    I think it needs to be done per model via manufacturers tools.


    Blog: http://scriptimus.wordpress.com

    Thursday, December 15, 2016 1:04 PM
  • I don't think you can; it's manufacturer- and model-dependent.
    Thursday, December 15, 2016 1:18 PM
  • Yes, possibly a different process per model.

    Blog: http://scriptimus.wordpress.com

    Thursday, December 15, 2016 2:02 PM
  • So it can't be done? 32 is the only setting on the BitLocker PIN entry page?
    Monday, March 20, 2017 9:39 AM
  • Anyone able to figure this out? I would also like to reduce this, as 32 attempts seems ridiculously high.
    Thursday, May 4, 2017 8:59 AM