Good day all,
We are about to deploy 10 Surface Pro 3s running Windows 8.1 Enterprise x64. We have enabled the TPM, enabled "Allow Enhanced PINs for Startup" and "Pre-boot Keyboard", and turned on BitLocker through the GUI, which recommended setting a PIN, which I did.
Everything seems to work as it should, but how can I be convinced TPM and PIN are working together? I seem to be able to punch many bad passwords into BitLocker without a warning or being asked to reboot, which it does for all other laptops without a TPM.
1. How many bad password attempts do I get with TPM by default before lockout?
2. Where is my *.tpm recovery key?
3. Why, when the TPM locks out, can I still gain entry by typing in the BitLocker PIN (not the recovery password)?
4. I want TPM to lockout after 5 incorrect attempts.
To test that the TPM is working, I disabled the TPM in the BIOS; on the next reboot BitLocker asked for the recovery password, which to me proves the BitLocker encryption keys are safely held in the TPM. Is it safe to presume the TPM is working?
Here is the output from manage-bde and get-tpm status:
Size: 59.11 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM And PIN
Numerical Password
TpmPresent : True
TpmReady : True
ManufacturerId : 1229346816
ManufacturerVersion : 5.0
ManagedAuthLevel : Full
OwnerAuth : u2uAKH0Sr+d98s+oGXLLU8DHUuc=
OwnerClearDisabled : True
AutoProvisioning : Enabled
LockedOut : False
SelfTest : {}
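One way to check from PowerShell that the PIN is genuinely required (the question raised above), as an added example that is not part of the original post: it reads the same information manage-bde and Get-Tpm print, confirms a TpmPin protector exists with no TPM-only protector beside it, and lists the recovery password protector IDs. It assumes the OS volume is C:, Windows 8.1 with the BitLocker and TrustedPlatformModule modules, and an elevated prompt.

```powershell
# Added verification script, not from the original post. Assumes the OS volume is C:,
# Windows 8.1 (PowerShell 4) with the BitLocker and TrustedPlatformModule modules,
# and an elevated prompt.
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Test-BitLockerTpmPin {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm

    # manage-bde prints "TPM And PIN" for a KeyProtectorType of TpmPin and
    # "Numerical Password" for RecoveryPassword (the 48-digit recovery password).
    $tpmPin  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
    $tpmOnly = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
    $recPass = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # "Allow enhanced PINs for startup" is stored as UseEnhancedPin under the FVE policy key.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    $r = [ordered]@{
        MountPoint        = $MountPoint
        FullyEncrypted    = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn      = ($vol.ProtectionStatus -eq 'On')
        TpmPinProtector   = ($tpmPin.Count -gt 0)
        TpmOnlyProtector  = ($tpmOnly.Count -gt 0)   # would let the volume unlock with no PIN
        RecoveryProtector = ($recPass.Count -gt 0)
        RecoveryKeyIds    = @($recPass | ForEach-Object KeyProtectorId)
        EnhancedPinPolicy = ($fve.UseEnhancedPin -eq 1)
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        TpmLockedOut      = $tpm.LockedOut
    }
    # The PIN is really required only if a TpmPin protector exists, no TPM-only
    # protector exists and protection is on; a recovery password must exist as fallback.
    $r.Verdict = if ($r.FullyEncrypted -and $r.ProtectionOn -and $r.TpmPinProtector -and
                     -not $r.TpmOnlyProtector -and $r.RecoveryProtector -and $r.TpmReady) {
        'OK: TPM+PIN required at boot, recovery password protector present'
    } else {
        'CHECK: one of the fields above is not as expected'
    }
    [pscustomobject]$r
}

Test-BitLockerTpmPin -MountPoint 'C:' | Format-List
```

The 48-digit recovery password itself is the RecoveryPassword property of the matching KeyProtector entry, and Backup-BitLockerKeyProtector escrows it to Active Directory by KeyProtectorId.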