HP Community - Notebook Boot and Lockup
Bitlocker, too many PIN attempts, requires RECOVERY key afte...
07-17-2017 06:30 AM
To all,
I have an HP Spectre X360 notebook with BitLocker and Win 10 Pro.
A couple of times, I incorrectly typed the PIN.
NOW, if I enter the PIN wrong even ONCE, Windows tells me that "BITLOCKER HAS TOO MANY INCORRECT PIN attempts", and requires me to enter the 48-digit recovery key.
QUESTION - HOW do I get the computer to allow more than ONE incorrect entry of the PIN?
QUESTION - HOW do I edit the TPM SECURITY settings, to fix the number of attempts that trigger the TPM lockdown, and the time factor that allows TPM recovery?
QUESTION - I have TPM 1.2. Is there an upgrade firmware that changes this to 2.0, for this machine?
Any help with this is appreciated. Thanks.
07-17-2017 01:50 PM - edited 07-17-2017 01:51 PM
Hello @aoz987
In order to clear the state and to allow BitLocker to give you more than 1 incorrect PIN attempt, you can follow the procedure here >> https://johnpenford.wordpress.com/2015/05/05/bitlocker-too-many-pin-entry-attempts/
You can read more here >> https://technet.microsoft.com/en-us/library/dd851452.aspx
Make sure you do have a printed copy of the BitLocker encryption key (recovery key) because you may need to use it.
You cannot upgrade your TPM module from 1.2 to 2.0 just like this. Also, this will not improve or elevate your security level in practice.
BitLocker could be bypassed by law enforcement three-letter agencies and by trained hackers, as well as by knowledgeable and resourceful companies who have the tools, but how likely is it that you fall into their hands? BitLocker, pre-boot authentication (PIN/pass) and the Windows password can likely protect you in 90% of all common scenarios. If you have very sensitive information stored on this computer, you can apply an extra encryption layer - like an encrypted file container (file encryption) or, better, do not store the information on the device at all if you suspect it might be accessible by someone else.
*** HP employee *** I express personal opinion only *** Joined the Community in 2013
07-17-2017 03:38 PM
IT_WinSec - thanks very much for the replies; I have downloaded both links and also as PDFs.
re: clearing TPM - I may attempt that; I have IMAGE backups for protection, so I don't mind trying it.
BUT, that doesn't totally solve it; future errant entries will recreate the same problem.
SOMEWHERE, from stuff read online, you can CHANGE the recovery time for the TPM, and reset the TPM lockout to allow more errant attempts (or so I understood).
With the second reference you gave, I DID run TPM.MSC, but in the options, could NOT find any option for "RESET TPM LOCKOUT".
IF I run GPEDIT.MSC, under Administrative Templates, there IS a TPM management section, but I am not familiar (or currently comfortable) with ENABLING some of those options, some of which do seem to relate to changing the lockout recovery times, etc.
ANY idea where documentation for the GPEDIT.MSC (Group Policy) TPM Management items may exist?
AGAIN, your replies are great.
ADDENDUM - I did read that with TPM 1.2, if you let the machine run for 480 CONSECUTIVE minutes, it will decrease the TPM ERROR count by 1 (and so on, for every 480 minutes). This is essentially USELESS for my notebook; I normally run it for 1 to 2 hours maximum.
I set up a new power plan, that is a "NEVER-OFF" plan, and let it run overnight, for 960 minutes so far. BUT, I'm hesitant to test it (enter a wrong PIN) in the event that I might be wrong, and thus increase the TPM ERROR count even further....
AGAIN, documentation is sorely lacking....
thanks
nick
07-18-2017 11:44 AM - edited 07-18-2017 12:06 PM
Hi @aoz987,
In my opinion the default settings are OK.
Users are usually not expected to make mistakes in their encryption passwords. Default is 4 error attempts.
This article below will provide details for you and will tell you where to touch the settings to adjust it as per your wish:
>> https://docs.microsoft.com/en-us/windows/device-security/tpm/manage-tpm-lockout
This one may also be helpful > https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v1/how-to-reset-a-tpm-lock...
@aoz987 wrote:
(...)
*** HP employee *** I express personal opinion only *** Joined the Community in 2013
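As an added example (not code from the thread's posters or from HP), here is how the advice in the two replies above translates into an elevated PowerShell session on Windows 10: the first reply's point that you must have the recovery key in hand before clearing the TPM state, and this reply's pointer to the TPM lockout settings in the manage-tpm-lockout article. The cmdlets (`Get-Tpm`, `Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Unblock-Tpm`) are the standard Windows ones; the registry value names under `HKLM:\SOFTWARE\Policies\Microsoft\TPM` and the output file path are assumptions for illustration. One caveat worth stating plainly: the "Standard User Lockout" Group Policy settings throttle TPM commands issued from Windows by standard users; the counter that puts a TPM 1.2 chip into dictionary-attack lockout and makes BitLocker fall back to the recovery prompt lives in the chip itself and is not raised by those policies.

```powershell
# Added example, not from the HP thread. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# 1. TPM lockout state as Windows reports it. On a locked-out chip LockedOut is
#    $true; LockoutCount/LockoutMax/LockoutHealTime are what the chip reports.
$tpm = Get-Tpm
$tpm | Select-Object TpmPresent, TpmReady, ManufacturerVersion,
                     LockedOut, LockoutCount, LockoutMax, LockoutHealTime

# 2. Before clearing or unblocking the TPM, make sure the OS volume has a
#    recovery password protector and store it off the machine.
$osDrive  = $env:SystemDrive
$osVol    = Get-BitLockerVolume -MountPoint $osDrive
$recovery = $osVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # No recovery password yet (assumption for this branch): add one so a TPM
    # reset can never lock you out of your own data.
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $osVol    = Get-BitLockerVolume -MountPoint $osDrive
    $recovery = $osVol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
# RecoveryPassword is the 48-digit key the pre-boot screen asks for.
# Output path is an assumption; print the file or move it to a USB stick /
# password manager before continuing.
$outFile = "$env:USERPROFILE\Desktop\bitlocker-recovery-$(Get-Date -Format 'yyyyMMdd').txt"
$recovery | Select-Object KeyProtectorId, RecoveryPassword | Out-File -FilePath $outFile

# 3. Windows-side standard-user lockout policy, i.e. what GPEDIT.MSC writes under
#    Computer Configuration > Administrative Templates > System >
#    Trusted Platform Module Services. Value names are assumptions here.
#    These throttle Windows TPM commands from standard users; they do not change
#    the chip's own anti-hammering counter that triggers the recovery prompt.
$tpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
Get-ItemProperty -Path $tpmPolicy -ErrorAction SilentlyContinue |
    Select-Object StandardUserAuthorizationFailureDuration,
                  StandardUserAuthorizationFailureIndividualThreshold,
                  StandardUserAuthorizationFailureTotalThreshold

# 4. Only once the recovery password is safely stored: reset the chip's lockout
#    counter. Unblock-Tpm needs TPM owner authorization; on Windows 10 the OS
#    normally holds it, so no -OwnerAuthorization argument is needed.
if ($tpm.LockedOut) {
    Unblock-Tpm
    Get-Tpm | Select-Object LockedOut, LockoutCount
}
```

Step 4 is the scripted equivalent of the "clear/reset the lockout" procedure the first reply links to, but it only resets the counter; it does not raise the number of wrong PINs the chip tolerates, which is why step 2 comes first.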
07-18-2017 12:07 PM
Thanks for the reply, I will review these links.
QUESTION -
One of the links refers to MBAM - but I can't find how to ACCESS that section (BitLocker administration section?)
Any hints?
Also, re: wrong entry - I make the PIN long, but then it is easy to mistype something.
That's why I use KeePass for other password storage, so I do NOT have to type passwords for sites, etc.
I am working toward using a USB stick for the tablets, but one of the tablets has only ONE USB port, a USB-C, so that is my only access to the outside world, so I'm careful about currently using devices that need to be inserted/removed.
BUT, a possible solution to that is MagNeo, a magnetic USB-C connector that will do DATA, POWER, and HDMI. It is in production, on Kickstarter.
Another one is MagC ...
Anxiously awaiting one of these....
07-18-2017 12:27 PM
@aoz987 wrote:
QUESTION -
One of the links refers to MBAM - but I can't find how to ACCESS that section (BitLocker administration section?)
Any hints?
(...)
MBAM - Microsoft's BitLocker Administration Management tool for big companies and enterprise customers. Not designed for single users or small companies:
>> https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/
>> https://technet.microsoft.com/en-us/windows/hh826072.aspx
Also:
>> https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-countermeasures
*** HP employee *** I express personal opinion only *** Joined the Community in 2013
07-18-2017 12:48 PM
Again, much thanks. I'll look at these, but it looks more complicated than I wanted to tackle, just to set a couple of parameters.
But I will review anyway, in hopes of finding a simple way to
1. reset the TPM lockout
2. set longer error intervals before the TPM locks out or requires the recovery key
Onward to more education!
07-18-2017 12:53 PM - edited 07-18-2017 12:57 PM
You are welcome!
A few more interesting readings:
BitLocker without PIN or without USB key (TPM only)
or
Computer stolen while in working mode or while hibernated or while in standby
Cold boot attack successful in less than 25 minutes >> https://jhalderm.com/pub/papers/coldboot-cacm09.pdf
Forensic tools available from government agencies or specialized companies >> http://www.darkreading.com/risk-management/forensic-tool-cracks-bitlocker-pgp-truecrypt-containers/d...?
Old bug (or design flaw?) - now patched >> http://www.computerworld.com/article/3005184/encryption/bitlocker-encryption-can-be-defeated-with-tr...
or my favourite
>>
*** HP employee *** I express personal opinion only *** Joined the Community in 2013