Bitlocker with TPM and PIN testing?

Good day all,

We are about to deploy 10 Surface Pro 3s running Windows 8.1 Enterprise x64. We have enabled the TPM, enabled "Allow Enhanced PINs for Startup" and "Pre-boot Keyboard", and turned on BitLocker through the GUI, which recommended setting a PIN, which I did.

Everything seems to work as it should, but how can I be convinced TPM and PIN are working together? I seem to be able to punch many bad passwords into BitLocker without a warning or being asked to reboot, which it does for all other laptops without a TPM.

1. How many bad password attempts do I get with TPM by default before lockout?

2. Where is my *.tpm recovery key?

3. Why, when the TPM locks out, can I still gain entry by typing in the BitLocker PIN (not the recovery password)?

4. I want TPM to lockout after 5 incorrect attempts.

To test that the TPM is working I disabled the TPM in the BIOS, and on the next reboot BitLocker asked for the Recovery Password, which to me proves the BitLocker encryption keys are safely held in the TPM. Is it safe to presume the TPM is working?

Here is the output from manage-bde -status and Get-Tpm:

    Size:                 59.11 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM And PIN
        Numerical Password

TpmPresent          : True
TpmReady            : True
ManufacturerId      : 1229346816
ManufacturerVersion : 5.0
ManagedAuthLevel    : Full
OwnerAuth           : u2uAKH0Sr+d98s+oGXLLU8DHUuc=
OwnerClearDisabled  : True
AutoProvisioning    : Enabled
LockedOut           : False
SelfTest            : {}

February 18th, 2015 6:34am
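An added check, not part of the original thread, that answers the "how can I be convinced TPM and PIN are working together" question from the output the post already relies on: it reads the key protector types on the OS volume (the protector must be TpmPin, not plain Tpm, and a RecoveryPassword protector should also exist), reports the TPM's own lockout flag and spec version, and prints whatever TPM lockout policy values are present in the policy registry hive. The registry value names are the ones I understand the "Standard User ... Lockout" Group Policy settings write; treat them as an assumption and confirm against your own ADMX. Assumes Windows 8.1 with the BitLocker and TrustedPlatformModule modules, run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): verify TPM+PIN protection on C: and show
# TPM lockout state. Assumed: Windows 8.1, elevated prompt, BitLocker and
# TrustedPlatformModule modules available.
#Requires -RunAsAdministrator
$mount = 'C:'

# Which key protectors are actually on the volume?
$vol   = Get-BitLockerVolume -MountPoint $mount
$types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

[pscustomobject]@{
    Volume             = $mount
    ProtectionStatus   = $vol.ProtectionStatus
    EncryptionMethod   = $vol.EncryptionMethod
    KeyProtectors      = ($types -join ', ')
    TpmAndPinPresent   = ($types -contains 'TpmPin')          # TPM *and* PIN required
    TpmOnlyPresent     = ($types -contains 'Tpm')             # PIN would not be required
    RecoveryPwdPresent = ($types -contains 'RecoveryPassword') # needed when TPM refuses to unseal
}

# TPM state as the chip reports it, plus the TPM spec version from WMI
# (Get-Tpm on 8.1 does not show it; lockout behaviour differs between
# TPM 1.2 and 2.0 implementations).
$tpm  = Get-Tpm
$wmi  = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
[pscustomobject]@{
    TpmReady    = $tpm.TpmReady
    LockedOut   = $tpm.LockedOut
    SpecVersion = $wmi.SpecVersion
}

# Lockout policy values in the policy hive (assumed value names; absent means
# the TPM vendor's default anti-hammering behaviour applies).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
if (Test-Path $pol) {
    Get-ItemProperty -Path $pol | Select-Object `
        StandardUserAuthorizationFailureIndividualThreshold,
        StandardUserAuthorizationFailureTotalThreshold,
        StandardUserAuthorizationFailureDuration
} else {
    "No TPM lockout policy values under $pol; vendor default applies."
}
```

Run it before and after changing the lockout policy: if TpmAndPinPresent is True and the policy values are present but LockedOut never becomes True after repeated bad PINs, the question is with the TPM's own lockout handling rather than with the BitLocker configuration.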

Hi Paddy,

"1. How many bad password attempts do I get with TPM by default before lockout?"
It depends on the TPM chip.
"Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM."

"4. I want TPM to lockout after 5 incorrect attempts."
We can set the group policy "Standard User Individual Lockout Threshold" in this path (check the detailed information of this policy):
Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\

Here is a link for reference (see the "About TPM lockout" and "Use Group Policy to manage TPM lockout settings" parts):
Manage TPM Lockout
https://technet.microsoft.com/en-us/library/dn466535.aspx

"2. Where is my *.tpm recovery key?"
When we set the owner of the TPM, we are given a chance to save the TPM password.
And when the BitLocker recovery key is saved to a file, BitLocker also saves a TPM owner password file (.tpm) with the TPM owner password hash value. We can also save them to AD (check the group policy in the same path as before). Have you tried to save the recovery keys to an external medium?
Here are links for reference:
Reset the TPM Lockout (check the first part)
https://technet.microsoft.com/en-us/library/dd851452.aspx?f=255&MSPPError=-2147217396

Windows Trusted Platform Module Management Step-by-Step Guide (check the "Step 2: Set ownership of the TPM" part)
https://technet.microsoft.com/pt-pt/library/cc749022%28WS.10%29.aspx?f=255&MSPPError=-2147217396

"3. Why when the TPM locks out can I still gain entry by typing in the Bitlocker PIN (not recovery password)"
When the TPM is locked out, it is also possible that the user will enter the correct PIN, but the TPM will respond as if the incorrect PIN was entered for a period of time.
Check the "When should I reset the TPM lockout" part.
Reset the TPM Lockout
https://technet.microsoft.com/en-us/library/dd851452.aspx?f=255&MSPPError=-2147217396

"Is this safe to presume TPM is working?"
From the output of the command line, we can see that the TPM is working. It is not recommended to disable the TPM when the data is encrypted with the TPM.

Best regards

February 19th, 2015 2:36am

Thanks for replying MeipoXu,

1. So Microsoft doesn't provide any information about the TPM lockout logic in its own Surface Pro 3?? I find this disturbing.

2. When I enable Bitlocker I am NOT presented with saving a TPM recovery key.

3. As mentioned, even though I have set the required TPM lockout policies, the Surface Pro 3 allows me to continually present incorrect PIN attempts, and then immediately allows me to enter the correct PIN and proceed. This should not be the case.

February 19th, 2015 5:23am

Hi Paddy,

"When I enable Bitlocker I am NOT presented with saving a TPM recovery key."
As the document mentioned: "When the BitLocker recovery key is saved to a file, BitLocker also saves a TPM owner password file (.tpm) with the TPM owner password hash value."

Have you checked whether there is a .tpm file in the location where you saved the BitLocker recovery key?

"set the required TPM lockout policies"
Would you please share the policy you have set, this one "Standard User Individual Lockout Threshold"?
As the document stated: "When the TPM is locked out, it is also possible that the user will enter the correct PIN, but the TPM will respond as if the incorrect PIN was entered for a period of time."

It is also recommended to ask for help on our Surface forum. They may have more resources to answer your questions.
Surface
http://answers.microsoft.com/en-us/surface/forum/surfpro3?tab=Threads

Best regards


  • Edited by MeipoXu Saturday, February 21, 2015 1:32 AM
February 21st, 2015 4:31am
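An added check, not part of the thread, for the question MeipoXu raises about the .tpm file: it looks in the folder where the recovery key was saved, confirms that the identifier in each "BitLocker Recovery Key <id>.txt" file name matches a RecoveryPassword protector currently on C: (a saved file for a protector that has since been removed is useless in a recovery), and reports whether a TPM owner password (.tpm) file was saved next to it. $keyFolder is an assumed path; the GUID-in-filename convention is how the BitLocker wizard names the file on my systems and should be confirmed on yours.

```powershell
# Added example (not from the thread): validate saved BitLocker recovery files.
# Assumed: $keyFolder is where the wizard's "Save to a file" output went, and
# the file name carries the recovery protector's GUID.
$keyFolder = 'D:\BitLockerKeys'   # assumed location
$mount     = 'C:'

# RecoveryPassword protector IDs currently on the volume, normalised to bare GUIDs.
$recoveryIds = @((Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' } |
    ForEach-Object { $_.KeyProtectorId.Trim('{}').ToUpperInvariant() })

$guidRegex = '[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}'

# Each saved .txt recovery file: does its GUID match a live protector?
Get-ChildItem -Path $keyFolder -File -Filter '*.txt' | ForEach-Object {
    $m  = [regex]::Match($_.Name.ToUpperInvariant(), $guidRegex)
    $id = $null
    if ($m.Success) { $id = $m.Value }
    [pscustomobject]@{
        File          = $_.Name
        ProtectorId   = $id
        MatchesVolume = ($id -ne $null) -and ($recoveryIds -contains $id)
    }
}

# The TPM owner password file the wizard is documented to save alongside.
$tpmFiles = @(Get-ChildItem -Path $keyFolder -File -Filter '*.tpm')
if ($tpmFiles.Count -gt 0) {
    "TPM owner password file(s) present: $($tpmFiles.Name -join ', ')"
} else {
    "No .tpm file in $keyFolder; the TPM owner password was not saved with the recovery key."
}
```

If MatchesVolume is False for every file, the recovery material on hand would not unlock this volume; re-run the save (or back up the recovery password to AD via the policy MeipoXu mentions) before relying on it.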

Hi MeipoXU,

1. The *.tpm recovery key is not automatically output or generated when I enable BitLocker or save the BitLocker Recovery Key.

I can manually create a *.tpm recovery key by running C:\Windows\System32\InitTpm.exe and saving the *.tpm recovery key.

2. The local TPM policies work up until I change them a second time, and then the values seem not to have any effect.

I set them once and never touch them again all works fine.

3. I was highlighting that even when locked out the TPM was still ALLOWING the correct password access when in fact it should block.

February 24th, 2015 11:15am
