8 Replies Latest reply on Nov 4, 2016 7:44 AM by Intel Corporation

    tpm reset not working

    GeorgeR

      I have a NUC5i5MYHE running Windows 10 and BitLocker encryption on a Samsung 850 EVO SSD boot drive in Samsung encryption (eDrive) mode.

      Due to what I think is a problem with display drivers, my old TV, and Real VNC plus using vPro features, I sometimes trip the BitLocker "too many invalid PIN attempts" warning. I enter the recovery key and can boot Windows. The problem is that sometimes the TPM is locked and the reset doesn't work. I get an error saying "Cannot reset the TPM lockout".

      I have a valid TPM owner file and in fact successfully used it a few weeks ago to reset the TPM. I have powered off, as the TPM reset error message indicates to try, but it doesn't seem to work.

      Does anyone know how long the TPM will ignore the owner password after a lockout?

      Are there any other reasons I'd be unable to reset the TPM?

      Is there a group policy that controls the TPM owner password ignore interval?

      I am aware of the invalid user attempts group policies. I can't seem to find a policy for the TPM lockout. This seems to be controlled by the manufacturer.

       

      Thanks.

        • 1. Re: tpm reset not working
          Intel Corporation
          This message was posted by Intel Corporation on behalf of

          Hello, GeorgeR:


          I deeply apologize for the delayed answer on this matter; the thread may have sneaked through our queue. Still no excuse :/


          In this case, I have some things to be checked:


          1. Have you checked this link? https://technet.microsoft.com/en-us/library/dd851452(v=ws.11).aspx
          2. Is there a way you can disable one of the encryptions (hardware or software) to see the behavior of the system?


          About the time for the TPM to ignore the password after lockout, the research didn't provide me with that information. Have you checked with Microsoft directly?


          It would also be good to check with them if using both hardware and software encryption can affect the behavior of BitLocker.


          Please let me know how it goes.


          Thanks,
          Esteban C

          • 2. Re: tpm reset not working
            Intel Corporation
            This message was posted by Intel Corporation on behalf of

            Hello, GeorgeR :

             

            I wanted to check: did my recommendations work for this matter?

             

            I look forward to hearing from you.

             

            Regards,
            Esteban C

            • 3. Re: tpm reset not working
              GeorgeR

              Esteban,

              Looks like we are both busy, sorry for the delay.

              I tried to reset the TPM 4 days later, and it still would not work due to being in a dictionary attack lockout.

              #1. I had looked at that link and many more. The problem is that Microsoft says the TPM is controlled by the hardware vendor. Intel or the TPM manufacturer say the lockout is controlled by Microsoft.

              There is no setting in Windows to set how long the TPM dictionary attack lockout in TPM 2.0 will last. It's up to the hardware vendor, but information on what this timeout period is eludes me. All I want to know is how long the lockout is so I can wait that long, and reset my TPM with the lockout key. Microsoft will not have this information; it's a hardware function.

              #2. I cleared the TPM and reset the TPM that way. Of course that's dangerous if I forget I have encrypted data that I forgot to decrypt. I'm working now; I just want to know, in cases of TPM lockouts where the TPM ownership key is ignored, how long I have to wait to try the key again.

              Thanks.

              George.

              • 4. Re: tpm reset not working
                Intel Corporation
                This message was posted by Intel Corporation on behalf of

                Thank you for the answer, GeorgeR.

                I will be doing some research about this matter, will keep you posted!

                Regards,
                Esteban C

                • 5. Re: tpm reset not working
                  Intel Corporation
                  This message was posted by Intel Corporation on behalf of

                  GeorgeR :

                   

                  I just sent a PM to you regarding this, please check your inbox and proceed accordingly.

                   

                  Thanks,
                  Esteban C.

                  • 6. Re: tpm reset not working
                    Intel Corporation
                    This message was posted by Intel Corporation on behalf of

                    Hi, GeorgeR:

                     

                    Would like to double check if you were able to receive my PM?

                     

                    Hope I can hear positively from you soon

                     

                    Regards,
                    Esteban C

                    • 7. Re: tpm reset not working
                      Monkeybunt

                      I have actually seen this issue on other TPM chips as well. I haven't seen a reason for this so far, but a TPM Reset Lockout will not work even with the OwnerAuth hash. The only way I have resolved this is by performing a Clear of the TPM after disabling the BitLocker protectors on a device, restarting, initializing the TPM and then re-applying the BitLocker protectors. Someone with knowledge of TPMs and why a dictionary attack blocks maintenance on the chip, without showing any lockout attempts, would be appreciated.
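
The following PowerShell is an added example, not code from any poster in this thread. It reports the TPM lockout counters, retries the lockout reset with a saved owner file, and puts the clear-and-re-protect sequence described in reply 7 behind a check that a recovery password exists. The `-Phase` values, function names and parameter names are this example's own, and mapping "disabling the BitLocker protectors" to `Suspend-BitLocker` is an assumption.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
# -OwnerAuthFile is the saved TPM owner file; all parameter names are this script's own.
param(
    [ValidateSet('Inspect', 'Unblock', 'Clear', 'Reseal')]
    [string]$Phase = 'Inspect',
    [string]$MountPoint = $env:SystemDrive,
    [string]$OwnerAuthFile
)

function Get-TpmLockoutState {
    # Lockout counters as the OS reports them; a property that a given
    # Windows build does not expose simply comes back empty.
    Get-Tpm | Select-Object TpmReady, LockedOut, LockoutCount, LockoutMax, LockoutHealTime
}

function Test-RecoveryPasswordPresent([string]$Volume) {
    # True only if the volume has a recovery password protector to fall back on.
    $protectors = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector
    [bool]($protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

switch ($Phase) {
    'Inspect' { Get-TpmLockoutState }
    'Unblock' {
        if (-not $OwnerAuthFile) { throw 'Pass -OwnerAuthFile with the saved TPM owner file.' }
        Unblock-Tpm -File $OwnerAuthFile | Out-Null
        Get-TpmLockoutState          # LockedOut should now read False if the reset was accepted
    }
    'Clear' {
        # Clearing destroys every key sealed to the TPM, so stop unless a recovery path exists.
        if (-not (Test-RecoveryPasswordPresent $MountPoint)) {
            throw "No recovery password protector on $MountPoint; not clearing the TPM."
        }
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null  # stays suspended until resumed
        Clear-Tpm | Out-Null
        'TPM clear requested. Restart, then run this script again with -Phase Reseal.'
    }
    'Reseal' {
        Initialize-Tpm | Out-Null
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        Get-BitLockerVolume -MountPoint $MountPoint |
            Select-Object MountPoint, ProtectionStatus, KeyProtector
        Get-TpmLockoutState
    }
}
```

Run the `Inspect` phase before and after a failed reset and keep the output; the counters it prints are the evidence a vendor or Microsoft support case will ask for.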

                      • 8. Re: tpm reset not working
                        Intel Corporation
                        This message was posted by Intel Corporation on behalf of

                        Hi,

                         

                        I just sent a PM to you, Monkeybunt; please check your inbox in order to proceed accordingly.

                         

                        Regards,
                        Esteban C