
Locked out of Computer by TPM

Hello!
A laptop I have been using has the system drive encrypted with BitLocker and requires me to enter a TPM PIN before boot-up. Now this has worked fine for over a year; I occasionally would type in the wrong PIN and it would ask me to retry or, lately, prevent me from entering another PIN, telling me "Too many incorrect PINs have been entered" and that I will be temporarily locked out to prevent me from guessing the PIN. After an hour or so I would then try again and it worked fine.
About 10 days ago I accidentally mistyped the PIN again, but now the lockout doesn't seem to reset its timer. I gave it the usual hour or two and, as these periods turned out not to be enough, I left the notebook untouched for a week, but the lockout is still active.

The error message at startup ("Too many incorrect PINs have been entered") gives me two options: ENTER=Retry (pointless) or ESC=Recovery, which brings up Windows Boot Manager telling me "Windows failed to start" and that I should insert the Windows installation disc and click "Repair your computer". I did this and chose the "Startup Repair" option; it wasn't successful.

The computer is not part of a domain and I have the TPM owner file on a USB disk.
At this point, I am just wondering: is there a way to access my notebook again? Maybe some of you can share some insight.
Asked: Peter_Fr
2 Solutions
 
schima_cz commented:
Have you tried putting the USB with the file into the laptop and booting?
 
Peter_Fr (Author) commented:
Yes, I tried booting with the USB disk inserted; the TPM error and options structure doesn't change. There is no option to use the TPM owner file to reset the lockout.
Booting from the USB disk doesn't work, of course.
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Pull the drive and put it in another desktop computer running Windows 7. When you attempt to access the drive, you SHOULD be prompted to enter the key. Then you can get your data off it. Then (to be safe), install another hard drive and re-install Windows. (If you don't want to be safe, then just use DBAN and WIPE the old drive.) And in the future, if you have these types of problems, correct them, don't just accept them: entering a key at boot-up is NOT normal activity.
 
schima_cz commented:
leew: Entering a PIN before boot-up is one of the security options. There are several combinations you can use (TPM only, TPM + PIN, TPM + PIN + USB key, TPM + USB key, USB key).
Peter_FR: Attention, from Microsoft TechNet:
When using BitLocker with a TPM, it is recommended that BitLocker be turned on immediately after the computer has been restarted. If the computer has resumed from sleep prior to turning on BitLocker, the TPM may incorrectly measure the pre-boot components on the computer. In this situation, when the user subsequently attempts to unlock the computer, the TPM verification check will fail and the computer will enter BitLocker recovery mode and prompt the user to provide recovery information before unlocking the drive.
 
Peter_Fr (Author) commented:
Leew, as schima_cz mentioned, having pre-boot PIN authentication is a feature of TPM and not a problem, as is the temporary lockout after entering a wrong PIN to prevent dictionary attacks.
My problem is that I have been locked out for over a week and I am trying to find a way to reset the lockout with the TPM owner file. Of course I can always put the drive in another machine, get the data off it with the BitLocker recovery key and clear the TPM, but that can't possibly be the correct way to deal with a TPM temporary lockout if you have the owner file?

Schima_cz, thanks for the heads-up from Microsoft, but that is not the case with the laptop here. BitLocker and TPM have been working fine on that machine for over a year.
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Sorry, I thought you were talking about the prompt to enter the codes when something goes wrong. The PIN is something TYPICALLY configured in AD and as such not a feature I'm usually implementing at the clients where we use BitLocker. (The problem I thought you were referring to is common when, for example, you update the BIOS without first suspending BitLocker.)
 
schima_cz commented:
Hi Peter_Fr,
again from Microsoft TechNet:
Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
So, you need to find out the manufacturer of your TPM and request support from the manufacturer.
 
McKnife commented:
Hi.

Please read http://support.microsoft.com/kb/926187; this offers insight.
First: if you hit ESC, you should have been taken to a screen where you could use the BitLocker recovery key (not the TPM owner password) to access and boot the computer.
Second: if ESC does not get you there (very odd), you still have option 3, but alas, this will only be possible if we have the system running! So no use here, but good to know that this script exists.

Then, please try to mount the drive in another computer using the BitLocker recovery password. Then you could decrypt it there and it should boot. You might even succeed by mounting it and suspending BitLocker (without decrypting); never tried this scenario. Good luck.

Another thing, by the way: Leew wrote
The PIN is something TYPICALLY configured in AD and as such, not a feature I'm usually implementing at the client where we use bitlocker.
I would always recommend using a PIN. Always, because it is A) recommended by MS and B) the only way to protect against cold boot attacks on TPM-protected BitLocker drives.
So, I would conclude, it is not typically used in connection with AD but typically used if protection is taken seriously.
 
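The recovery path McKnife describes (attach the drive to a working machine, unlock with the recovery password, then suspend or decrypt), written out with the built-in manage-bde.exe tool, as an added example that is not part of the thread. It assumes the locked volume shows up as E: on the helper machine and that the 48-digit recovery password is passed in; the default value below is a placeholder, not a real key.

```powershell
# Added example: unlock a BitLocker volume from another Windows machine with its
# numerical recovery password (a protector independent of the TPM, so a TPM PIN
# lockout on the original laptop does not affect it), then suspend protection.
# Assumptions: drive letter E: and the recovery password are supplied by the caller.
param(
    [string]$Drive = "E:",
    # PLACEHOLDER, replace with the 48-digit password from the saved recovery file
    [string]$RecoveryPassword = "000000-000000-000000-000000-000000-000000-000000-000000"
)

# 1. Confirm BitLocker recognises the volume and list its key protectors.
#    The "Numerical Password" protector has an ID; the saved recovery .txt file
#    states the same ID, so compare them before trying the password: a mismatch
#    means the file belongs to a different volume and the unlock will fail.
manage-bde -status $Drive
manage-bde -protectors -get $Drive

# 2. Unlock with the recovery password (alias: -rp). Exit code 0 means success.
manage-bde -unlock $Drive -RecoveryPassword $RecoveryPassword
if ($LASTEXITCODE -ne 0) {
    throw "Unlock of $Drive failed: check the protector ID against the recovery file"
}

# 3a. Suspend protection without decrypting: the clear key lets the original
#     machine boot past the TPM check and re-seal to the current measurements.
manage-bde -protectors -disable $Drive

# 3b. Or, to give up on BitLocker for this volume entirely, decrypt it instead.
# manage-bde -off $Drive

# 4. Verify the result: status should show "Unlocked" and, after 3a, "Protection Off".
manage-bde -status $Drive
```

Copy the data off first if the volume is only needed for recovery; suspending (3a) keeps the data encrypted on disk, while -off (3b) removes the encryption permanently.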
Peter_Fr (Author) commented:
Hey McKnife

Thanks for the link, I have seen that site and tried the solutions as far as I could. The non-working recovery mode really is odd, you are right. Yesterday I took the drive out, put it in another machine and tried to unlock it with manage-bde.exe, and it wouldn't. I'm pretty sure I have the correct recovery password as I stored the BitLocker-generated file in several different locations and compared it to the other versions. So again, very odd.

@schima_cz, I will be phoning Lenovo about this problem in the coming days. Thank you for the suggestion.

Going to report back as soon as I have some results (or have run out of options :).
 
Peter_Fr (Author) commented:
So, still no success unlocking the drive. Something went seriously wrong here, but I don't have time to figure it out, so I gave up on it. I accepted the solutions that should have worked; hope that's alright. Many thanks to you guys.
