none
Bitlocker TPM time-out - Unable to enter new pin RRS feed

  • Question

  • Hi,

    Owner has forgotten the TPM startup pin so I generated a  recovery key in MBAM and they can now access Windows 10. Went into Bitlocker admin and tried to set a new pin, but got a failure of "unknown error".

    I went to an elevated command line and tried: Manage-bde -changepin C: and again entered a new pin but this time received a more explanatory error of: 0x80280803 The TPM is defending against dictionary attacks and is in a time out period.

    Seems Win 10 handles pin owner password differently now, and there wasn't one when I tried to get it through MBAM.

    So.. is there any way to set a new pin / clear the pin /  reset timeout period?

    What would happen if I just clear the TPM from Windows?  

    I came across this from Ronald Schilf in response to another posters question about updating the TPM firmware.:

    1 Save your bitlocker recovery key

    2 delete the TPM protector on the command line:

    manage-bde c: -protectors -delete -type tpm

    3 clear/reset the TPM in tpm.msc

    now suspend bitlocker

    4 do the firmware upgrade

    5 re-add the tpm protector to the bitlocked drive

    manage-bde -protectors -add -tpm c:

    I was tempted to try this but the laptop isnt local and I didnt want to leave the user with a trashed machine.

    Any ideas?

    Many Thanks...

    Adi...

     

    Wednesday, February 5, 2020 6:19 PM

All replies

  • That procedure will work.
    Wednesday, February 5, 2020 9:31 PM
  • Hi,

    TPM Default maximum tries count is set to 10.

    OS (Windows) changes the setting to 32 after the TPM is provisioning (taken ownership) by the Operating System (OS).

    TPM lockout is set for 24 hours while the failure tries exceeds the maximum value.

    https://www.dell.com/support/article/sg/en/sgbsd1/sln304487/tpm-failure-tries-recovery-time-and-lockout-recovery?lang=en

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Similar case:

    TPM is defending against dictionary attacks and is in a time-out period

    a workaround but it is "after" the osd ending in error...

    1- Initialize-Tpm –AllowClear –AllowPhysicalPresence. If fail goto 2

    2- Restart;

    3- Goto BIOS > Security > Clear Security Chip ;

    4- Opening a Windows session;

    5- Goto TPM.msc;

    6- Initialize TPM;

    7- Rerun Initialize-Tpm –AllowClear –AllowPhysicalPresence);

    8- Launch OSD

    https://social.technet.microsoft.com/Forums/ie/en-US/7de9049e-4f42-41f0-b23a-a2904f47646c/tpm-is-defending-against-dictionary-attacks-and-is-in-a-timeout-period?forum=mdopmbam

    Good luck

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 6, 2020 2:24 AM
    Moderator
  • Thanks for the responses guys... Can I get some clarity on a few points...

    Whats the difference between initialise TPM and clear TPM. ?

    When you run: manage-bde c: -protectors -delete -type tpm, what exactly is that doing?

    What happens if you disable the TPM in BIOS, will recovery key still get you in?

    What happens if you delete the TPM from device manager.

    To suspend Bitlocker from cmd: Manage-bde –Protectors –Disable C: ... What exactly is that doing?

    Many Thanks...

    Adi...




    Thursday, February 6, 2020 7:47 AM
  • The recovery key works at all times, no matter if you "tear out the TPM" or not.

    initialising a TPM means, making it ready after it came with factory defaults. Clearing is targeting a TPM that is already in use and, well..., clear its contents.

    You don't need to delete the tpm from dev.manager. If you do, windows will re-add it on next reboot.

    "Manage-bde –Protectors –Disable C:" suspends bitlocker by telling the key mechanisms to "stand down". Why would you need the "exact" meaning? Your procedure is standard, as described by Ronald. No worries as long as you have the recovery key.

    Thursday, February 6, 2020 5:26 PM
  • Hi,

    The reason I want a better understanding is because I will be doing this remotely on a non technical users machine in a far away country on a fairly tightly locked down machine, and I haven't been in this position where a timeout doesn't appear to ever "time out" and I don't want to be stuck should something not go as planned...

    All I'm trying to do is set a new startup pin as he forgot the old one but the TPM timeout is preventing this. 

    The user has been using recovery keys to log in for weeks apparently, and the recovery key only lasts a few days then it needs a new one generating for him again, so there is a risk of losing the guys data... He thinks the recovery keys have been remaining valid for shorter periods of time but can't be sure... 

    BTW... I can't work out if the 24 hour TPM timeout means while the machine is switched on, or off, in sleep mode or while on the network...??? I thought initialising the TPM was reading and storing the volume keys, but I'm not overly clear on the whole encryption thing...

    If recovery key will work even without any TPM, I guess it will be OK... I remember pre Win10 replacing failed system boards in laptops with bitlockered hard drives, and it was a case of just putting in the recovery key then initialising the TPM in Windows console and that was it... If TPM init wasn't done it would ask for recovery key on every startup... 

    It will obviously be a major headache if something goes wrong...  I'm trying to plan for the worst... 

    Thanks for your input... Its appreciated. 






    • Edited by AdiBeeAdi Thursday, February 6, 2020 7:40 PM
    Thursday, February 6, 2020 7:29 PM
  • Adi, recovery keys are not generated in MBAM. They are generated on the machine and the local MBAM agent (at the machine) provides that key to the MBAM server afterwards.

    If you use MBAM to get such a key, MBAM has procedures to tell the client to generate a new key afterwards, so that the old key will not work for long, since normally, you would not want that a user EVER possessed such a key, since he may use it to decrypt the device at will. But there's no chance of losing access.

    Use remote control software, suspend bitlocker, clear the TPM, restart the machine and set a new TPM protector. A suspended bitlocked c: will boot without asking for anything.



    Friday, February 7, 2020 10:35 AM
  • Hi Ronald,

    I'm going to try it next week... 

    Thanks...


    Friday, February 7, 2020 4:03 PM
  • Hi Ronald,

    The TPM is in this time-out period that doesn't seem to end which is why I can't create a new start up pin.

    I'm wondering now if the TPM in this state will prevent any of the procedure you wrote from working.

    What I don't want to happen if say I suspend Bitlocker then am unable to resume it again, or get stuck at some other stage. 

    Can you definitely clear/reset the TMP while it is in time out? 

    Can you delete the TPM protector while it is in time-out? 

    Is there a way to overcome this timeout period, and do you have any idea why it stays timed out and doesn't resume normal operation? 

    I can understand that the TPM would try defend against brute force attack, but will it definitely be able to be cleared while in this state. 

    I'm not exactly clear on the different states such as take ownership, initialise, clear, reset  etc.. 

    Any other advice that would come in handy would be good... 

    Thanks... 

    Saturday, February 8, 2020 10:18 AM
  • With administrative rights or bios access, you may always clear the TPM, no matter what state it's in.

    It's mandatory to have a backup of all important data at all times, so that you don't have to fear anything, but nevertheless, this clearing and re-enabling will succeed.

    Monday, February 10, 2020 7:32 AM
  • Had a go today... Got the below results...

    .

     -From Command Prompt:

    manage-bde c: -protectors -delete -type tpm  

    "Volume C: Key Protectors of Type TPM

    ERROR No key protectors found"

    .

    manage-bde -protectors -add -tpm c: 

    "ERROR: an error occured.(code 0x80280803): The TPM is defending against dictionary attacks and is in a time out period."

    .

    manage-bde -protectors -disable c:   =  Key protectors are disabled for volume c:

    .

    manage-bde -protectors -enable c:    =  TPM is defending against dictionary attacks

    .

    .

     -Powershell

    Initialize TPM -Allow Clear -AllowPhysicalPresence = Error: The TPM Is  Currently Locked Out

    Clear-TPM  =  ERROR: An owner authorization value is required to be supplied

    .

    Clear TPM error I'm guessing is the way Win10 now handles (deletes) owner passwords.

    .

    Going to do a TPM clear from the BIOS tomorrow and see if that solves anything.




    • Edited by AdiBeeAdi Monday, February 10, 2020 4:16 PM spacing
    Monday, February 10, 2020 4:13 PM
  • Note: Bear in mind that this will delete the cryptographic information in the machine and you will lose the encrypted data, including any user data or documents stored on a Bitlocker protected drive.

    https://kb.stonegroup.co.uk/index.php?View=entry&EntryID=671

    😐

    Monday, February 10, 2020 8:13 PM
  • It's not useful to repeatedly doubt the info given here.

    As long as you have the recovery key, clearing the TPM is no problem. Again and again. So clear it at the bios.

    Tuesday, February 11, 2020 7:36 AM
  •  No disrespect Ronald, but I doubt anything until I have seen it work.

    I cannot understand why people on this forum would question why I question something or ask for exact details or tell me not to doubt the info given. 

    There are many sources, including the one I posted above and from Microsoft also that state data will be lost. 

    The TPM is in an unpredictable state and it will be bad not only if data is somehow lost, but also if the device is left unencrypted. 

    I appreciate the responses, but please don't tell me to blindly accept any information as gospel unquestionably. If you have knowledge to share and are happy to share that's great, but don't tell me to accept it without question, especially if there are credible sources whose advice differs from yours. 

    Tuesday, February 11, 2020 2:16 PM
  • "I doubt anything until I have seen it work" - that's a good state of mind, I agree.

    So please stage this: take a test machine, use bitlocker with tpm and PIN, lock out the tpm by entering the PIN incorrectly 32 times (several reboots needed to do that) and see if you can get back after using the procedure that I outlined.

    Tuesday, February 11, 2020 2:42 PM
  • I was planning to do a test beforehand but I'm away from the office and don't have access to a test machine.

    I think that on a laptop with a functional albeit locked TPM the procedure you outlined will work; but this users machine has a TPM stuck in lockout mode, and as he is non-technical and remote I'm being cautious about him losing access or the laptop being left in a non compliant state.

    I'll search for a list of Powershell and command line commands that may come in handy.

    I might schedule a call with the user and try again this week, and I'll let you know how it goes.

    Thanks again for your help.


    Wednesday, February 12, 2020 4:46 PM
  • Hi Ronald... What do you think of the thread below (as posted by Teemo earlier in this thread). 

    From there it appears that the TPM can't be cleared and made available while in lock out mode. 

    By the way, do you know what OSD is... On screen display? 

    https://social.technet.microsoft.com/Forums/ie/en-US/7de9049e-4f42-41f0-b23a-a2904f47646c/tpm-is-defending-against-dictionary-attacks-and-is-in-a-timeout-period?forum=mdopmbam

    Wednesday, February 12, 2020 10:02 PM
  • Adi... as far as I know, you may at any time clear a TPM. No matter what state it's in.

    Try it out.

    Thursday, February 13, 2020 7:31 AM
  • Hi Roland... See, I told you not to worry, it worked out fine... :o)

    Did the TPM  protector delete / suspend Bitlocker etc, then TPM clear through TPM.msc, did the forced reboot and was expecting a confirmation key press (allowphysicalpresence) but it just booted cleanly into Windows, then I re-enabled everything.

    Only extra thing I had to do not on the procedure was manage-bde -protectors -add c: -TPMandPIN to enable startup pin, then the manage pin option appeared in the TPM msc.

    Thanks again for your patience Ronald, I am doubtful no more... ish...

    Thanks Bagitman and Teemo too...

    :o)




    Thursday, February 13, 2020 4:11 PM
  • :-))
    Friday, February 14, 2020 7:15 AM