Solved

TPM locked out only early in the morning

Posted on 2013-06-13
9
9,300 Views
Last Modified: 2013-07-03
I have an HP Folio 9470m ultrabook that is causing some grief with BitLocker for one of our users who routinely comes into the office at 6:00 AM.  He attempts to log in using his BitLocker PIN and is notified that his password has been attempted too many times.  If I try to recreate this issue when I get into the office at 8:00 AM, I am unable to do so and everything works fine.  So this morning I decided to come in bright and early with him just to see this first hand.  What I've confirmed is that it does in fact seem as though the TPM is in a lockout mode.  BitLocker will not accept the PIN and states that a password has been attempted too many times.  I am able to bypass the PIN using a recovery key and boot to Windows, but when I attempt to launch the BitLocker management console, I receive an error that "the TPM is defending against dictionary attacks and is in a time-out period".

After doing a bit of reading up on this, I've found that this error message indicates that the TPM is in lockout, and that the only way to unlock is via the TPM Administration console, or by logging onto Windows using a recovery key and leaving the computer powered on for 20 hours.

So my question is this:  Why is this only happening at 6:00 AM everyday and then appears to be fine when we check things out at 8:00 AM?

Does anyone have any thoughts on this?
0
Comment
Question by:siskinds
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 39246396
Any security cam logs? Does the user have any domain logon time restrictions?
0
 
LVL 64

Expert Comment

by:btan
ID: 39247573
First in this current state, even if you tried to go in to the BIOS and clear the TPM, that will not resolve the issue. Waiting for the time-out period to expire is the only solutionas it is defined by manufacturer. The TPM will lock out for the entire time-out period and additional attempts at resetting the lock will fail. The 6am would potentially falls within that time-out period.  This MS article bring about the "anti-hammering" lockout period which I see relevance (see Method 1 and 3)

http://support.microsoft.com/kb/926187

===========
Method 1 - "...If you repeatedly retry a personal identification number (PIN) in a short period of time, you may increase the TPM lockout period. Also, as long as the TPM is locked out, you may be unable to gain access to the computer even if you enter the correct PIN. "

Method 3 - "...Some TPM devices may not reset the lockout period after a successful logon. Instead, these devices may store unsuccessful lockout attempts. In this situation, you may receive the lockout error message if you enter one incorrect PIN. Also, the lockout period may last for increasingly longer times..."
===========

As for resolution, to Reset TPM Lockout would get us back to original state. See link below or even in a/m Method 1-3 . But if you do not have the TPM owner password, there is back to original state. Note that The TPM owner password is configured when you first enable BitLocker on the computer. This password differs from the TPM PIN.

http://trekker.net/archives/how-do-i-fix-the-tpm-is-defending-against-dictionary-attacks-and-is-in-a-time-out-period/
0
 
LVL 64

Expert Comment

by:btan
ID: 39247578
Another to see if useful....
http://winintro.ru/tpmadmin.en/html/21a02891-8efe-462a-81ea-85482b3da000.htm

What should I do if I do not remember my TPM owner password?

It is possible that the TPM owner authorization hash value was saved to a file ending with a .tpm extension when the administrator originally took ownership of the TPM on your computer. Search your file system for a file ending with .tpm. If you printed your BitLocker recovery password, your TPM owner password may have been printed at the same time. If you cannot find your TPM owner password, you can clear the TPM and take ownership again. This should be done carefully because data encrypted with the TPM will be lost. If you are using BitLocker, make sure to suspend or turn off BitLocker before clearing the TPM....
0
Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

 

Author Comment

by:siskinds
ID: 39247630
Thanks for the comments and suggestions guys - let me give you a little more background information.  

1. I've confirmed that the TPM lockout is clearing at a later time in the day.  The strange thing is that it is continually going into lockout mode at some point overnight.

2. I do have a valid .TPM owner password file which I am able to validate when the TPM is not in a locked state, but strangely, I am not able to use this file to reset a lockout at times when the TPM is actually locked.  I receive an error message which suggests leaving the laptop for an unspecified amount of time until the lock clears on its own.

3. We do not have any account lockout policies defined on the domain (not that they would be related to a TPM lockout anyways) and this user did not experience any login issues prior to receiving this new hardware.
0
 
LVL 64

Expert Comment

by:btan
ID: 39247747
I hope this is not hardware issues as it is not norm.  But it is dependent on tpm manufacturer policy..we are none the wiser. So if MS article stands, it is independent whether account lockout is configured. Nonetheless, not being able to reset or seeing recurrence of this after reset do render higher probability hw esp if other domain machine does not have this issue. I hope it is not time sync which is unlikely contributing any false positive but we are not sure of the tpm internal time clock though
0
 

Author Comment

by:siskinds
ID: 39247771
I am inclined to think that this may be hardware-related as well.  Perhaps disabling BitLocker and clearing the TPM ownership back to default could resolve this... likely worth a shot if these problems persist.
0
 
LVL 64

Expert Comment

by:btan
ID: 39247933
Agree do share with us
0
 

Accepted Solution

by:
siskinds earned 0 total points
ID: 39285403
Ultimately, the solution to this issue was to log on using the recovery key and leave the machine up and running until the lock cleared and then left it on for an additional 24 hours.  It doesn't make much sense to me, but since doing this, we have not had any issues with TPM lockouts on this machine.  Thanks for all of your input on this everyone.
0
 

Author Closing Comment

by:siskinds
ID: 39296013
Problem eventually cleared itself.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question