Solved

Bitlocker TPM Lockout

Posted on 2014-01-02
22
17,111 Views
1 Endorsement
Last Modified: 2014-02-01
Iam having issues with initializing the TPM. when I try and manually create the password it give me an error message saying initializing the tpm security hardware access is denied the tpm defending against dictionary attacks and it is in a timeout period. HOw do I get out of the time out period? There is no other option except for initialize TPM.

Thanks,
1
Comment
Question by:llesane
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 5
  • 4
22 Comments
 

Expert Comment

by:FlyingEagle855
ID: 39752466
Reboot into the system BIOS and under security find TPM and there should be an option to clear TPM. Then boot back into windows and in the TPM control panel initialize the TPM chip, you will be required to reboot. After which you should be able to run bitlocker encryption with TPM.

If you don't want to use TPM then in the BIOS TPM settings turn off TPM
0
 

Author Comment

by:llesane
ID: 39752587
That didnt work. I cleared then activated becasue it defaults to deactivate. it does not allow me to initialize it still give me that error msg.
0
 

Expert Comment

by:FlyingEagle855
ID: 39752613
Check this article and see if it helps: http://technet.microsoft.com/en-us/library/dd851452.aspx
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 

Author Comment

by:llesane
ID: 39752653
Thanks, but that doesnt not help. I only have the initialize TPM option. The other options are greyed out.
0
 

Expert Comment

by:FlyingEagle855
ID: 39752655
Okay need more information then, What is the PC vendor Make/Model and what Operating System?
0
 

Author Comment

by:llesane
ID: 39752662
With this message, I get the error cannot take ownership.
0
 

Author Comment

by:llesane
ID: 39752666
Dell latitude E6420 Windows 7 64 bit which is on a domain
0
 

Author Comment

by:llesane
ID: 39752906
0
 
LVL 64

Expert Comment

by:btan
ID: 39758252
From the forum, pls see

MBAM has been able to take ownership consistently after these steps. These have have worked so far for 6400, 4300, 6410 and 6320 models in our environment.

1. If the TPM is on, turn it off in the BIOS. (uncheck the TPM security box) Power off.
2. Enable the TPM and power off.
3. Check the BIOS and confirm TPM Security is checked and disabled is ticked.

You may also want to check out Dell CCTK in their main site

Best Practices for Remote Enabling of Trusted Platform Modules (TPM) on Dell Business Client Systems
http://media.community.dell.com/en/dtc/attach/tpm_best_practices%20-%20web%20post.zip

TPM for Dell Business Clients Using Self Contained Executable
http://media.community.dell.com/en/dtc/attach/enabling_tpm_with_cctk_sce.pdf
0
 

Author Comment

by:llesane
ID: 39759437
Just to confirm once I do this; I will then activate the TPM and continue with initializing the TPM in the OS?
0
 

Author Comment

by:llesane
ID: 39760311
Just an FYI this still doesn't work for me. After activating the TPM again in the BIOS. Trying it without activating now.
0
 

Author Comment

by:llesane
ID: 39760351
error message

I am still getting this error message after using your resolution.
0
 
LVL 64

Expert Comment

by:btan
ID: 39760959
Likely, the TPM is locked out due to too many incorrect attempts at entering the owner authorization or other authorization values. The TPM will lock out for the entire time-out period and additional attempts at resetting the lock will fail. You need to have the TPM owner password so that you can reset the lockout. Pls see

http://trekker.net/archives/how-do-i-fix-the-tpm-is-defending-against-dictionary-attacks-and-is-in-a-time-out-period/

More details from MSDN (Reset the TPM Lockout)
http://technet.microsoft.com/en-us/library/dd851452.aspx

Btw, you may want to catch the CCTK in attached pdf (also in the prev post link)

PREREQUISITES
1. TPM must be present.
2. Trusted Platform Module (TPM) must not be currently owned
3. TPM must be in deactivated state
4. BIOS Administrator Password has to be set

Dell Client Configuration Toolkit (CCTK) is a command-line-driven utility that can be used to configure BIOS settings on OptiPlexTM, LatitudeTM, and Dell PrecisionTM systems. Using CCTK you can configure the BIOS administrator password and the TPM enumeration and TPM activation states in a Pre-OS and Post-OS environment. For step by step instructions, see the APPENDIX.

APPENDIX
CCTK command line step by step:
Setup BIOS password: cctk --setuppwd=<New-password>
TPM enable: cctk --tpm=on --valsetuppwd=<BIOS password>
TPM activate: cctk --tpmactivation=activate --valsetuppwd=<BIOS password>
TPM check: cctk --tpm --tpmactivation
TPM-Best-Practices.pdf
0
 

Author Comment

by:llesane
ID: 39761134
Thank you for that information but like I explained previously there is not an option to clear TPM in the action panel in windows.  It only allows me to initialize the TPM. But when I try it gives me the above error. How can I unlock the TPM from the lock out period? How long does the lock out period last? Could I decrypt and the encrypt the drive again? Would it be best to reimage the drive? Maybe I'll try the CCTK option you provided. Suggestions?
0
 
LVL 64

Expert Comment

by:btan
ID: 39761281
It is more of reset ("Reset TPM Lockout") than to clear ("Clear TPM") tpm from the TPM Management (tpm.msc) snap-in. So if it is really not seeing either one, I do suggest "Initialize TPM" steps to be reviewed.
http://technet.microsoft.com/en-us/library/cc753140.aspx 

In all, the TPM should be in can be in one of the following states and we need it to be the last state to proceed to use bitlocker or in specific for the tpm actions. The owner password is to be set
-Unowned and turned off
-Unowned and turned on
-Owned but turned off
-Owned and turned on

For the TPM ownership status, this info is stored in below registry values. You may want to check out just to confirm state.
DWORD: OSManagedAuthLevel in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM
e.g. 0-None, 2-Delegated, 4-Full

As for the lockout info, that varies from the manufacturer but the industry standards specify that the user is allowed at least one attempt to reset the TPM lockout by using the owner authorization value, even when the TPM is locked out. If the wrong value is used when attempting to reset the TPM lockout, on subsequent attempts to enter the owner authorization value, the TPM may respond as if the correct value is incorrect or respond that the TPM is locked out.

But there is actually Windows GPO defaults value to control the lockout parameters
-summary @ http://technet.microsoft.com/en-us/library/dn466535.aspx
-details of gpo @ http://technet.microsoft.com/en-us/library/jj679889.aspx

e.g. Standard User Lockout Duration  = default value of 480 minutes (8 hours) is used
( If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM.)

e.g. Standard User Individual Lockout Threshold = default value of 4 is used
( If the number of authorization failures for the user within the duration that is set for the Standard User Lockout Duration policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM).)

e.g. Standard User Total Lockout Threshold = default value of 9 is used
(If the total number of authorization failures for all standard users within the duration that is set for the Standard User Lockout Duration policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM).)

The CCTK is good but it go back to ownership and initialised state which the PDF also link back to Microsoft websites e.g.
http://technet.microsoft.com/en-us/library/cc749022(WS.10).aspx
0
 
LVL 64

Expert Comment

by:btan
ID: 39761284
Also Microsoft Technet also shared so it is advised to check back with the manufacturer of Your TPM and request support from manufacturer.

e.g. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.

There is Bitlocker's Manage-bde.exe which serve more like CLI
http://technet.microsoft.com/en-us/library/dd875513(v=ws.10).aspx

e.g. -autounlock - Syntax
manage-bde -autounlock {-enable | -disable | -ClearAllKeys} Volume [-ComputerName Name]

http://technet.microsoft.com/en-us/library/dd894351(WS.10).aspx
0
 

Accepted Solution

by:
llesane earned 0 total points
ID: 39763290
Thank you, I was able to de-crypt the drive then continue with manage-bde commands.
0
 
LVL 64

Expert Comment

by:btan
ID: 39763839
thanks for sharing
0
 

Author Closing Comment

by:llesane
ID: 39826053
None of the solutions got me to the point I needed.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question