Solved

Bitlocker TPM Lockout

Posted on 2014-01-02
Last Modified: 2014-02-01
I am having issues with initializing the TPM. When I try to manually create the password it gives me an error message saying "initializing the TPM security hardware: access is denied; the TPM is defending against dictionary attacks and it is in a timeout period". How do I get out of the timeout period? There is no other option except for Initialize TPM.

Thanks,
Question by:llesane
22 Comments
 

Expert Comment

by:FlyingEagle855
ID: 39752466
Reboot into the system BIOS; under Security, find TPM, and there should be an option to clear the TPM. Then boot back into Windows and, in the TPM control panel, initialize the TPM chip; you will be required to reboot. After that you should be able to run BitLocker encryption with the TPM.

If you don't want to use the TPM, then turn the TPM off in the BIOS TPM settings.
0
 

Author Comment

by:llesane
ID: 39752587
That didn't work. I cleared and then activated, because it defaults to deactivated. It does not allow me to initialize; it still gives me that error message.
0
 

Expert Comment

by:FlyingEagle855
ID: 39752613
Check this article and see if it helps: http://technet.microsoft.com/en-us/library/dd851452.aspx
0
 

Author Comment

by:llesane
ID: 39752653
Thanks, but that does not help. I only have the Initialize TPM option. The other options are greyed out.
0
 

Expert Comment

by:FlyingEagle855
ID: 39752655
Okay, I need more information then. What is the PC vendor make/model and what operating system?
0
 

Author Comment

by:llesane
ID: 39752662
With this message, I get the error "cannot take ownership".
0
 

Author Comment

by:llesane
ID: 39752666
Dell Latitude E6420, Windows 7 64-bit, which is on a domain.
0
 

Expert Comment

by:FlyingEagle855
ID: 39752682
0
 

Author Comment

by:llesane
ID: 39752906
0
 
LVL 61

Expert Comment

by:btan
ID: 39758252
From the forum, please see:

MBAM has been able to take ownership consistently after these steps. These have worked so far for 6400, 4300, 6410 and 6320 models in our environment.

1. If the TPM is on, turn it off in the BIOS. (uncheck the TPM security box) Power off.
2. Enable the TPM and power off.
3. Check the BIOS and confirm TPM Security is checked and disabled is ticked.

You may also want to check out Dell CCTK on their main site:

Best Practices for Remote Enabling of Trusted Platform Modules (TPM) on Dell Business Client Systems
http://media.community.dell.com/en/dtc/attach/tpm_best_practices%20-%20web%20post.zip

TPM for Dell Business Clients Using Self Contained Executable
http://media.community.dell.com/en/dtc/attach/enabling_tpm_with_cctk_sce.pdf
0

 

Author Comment

by:llesane
ID: 39759437
Just to confirm once I do this; I will then activate the TPM and continue with initializing the TPM in the OS?
0
 

Author Comment

by:llesane
ID: 39760311
Just an FYI, this still doesn't work for me after activating the TPM again in the BIOS. Trying it without activating now.
0
 

Author Comment

by:llesane
ID: 39760351
error message

I am still getting this error message after using your resolution.
0
 
LVL 61

Expert Comment

by:btan
ID: 39760959
Likely, the TPM is locked out due to too many incorrect attempts at entering the owner authorization or other authorization values. The TPM will lock out for the entire time-out period and additional attempts at resetting the lock will fail. You need to have the TPM owner password so that you can reset the lockout. Please see:

http://trekker.net/archives/how-do-i-fix-the-tpm-is-defending-against-dictionary-attacks-and-is-in-a-time-out-period/

More details from MSDN (Reset the TPM Lockout)
http://technet.microsoft.com/en-us/library/dd851452.aspx

By the way, you may want to look at the CCTK in the attached PDF (also in the previous post's link):

PREREQUISITES
1. TPM must be present.
2. Trusted Platform Module (TPM) must not be currently owned
3. TPM must be in deactivated state
4. BIOS Administrator Password has to be set

Dell Client Configuration Toolkit (CCTK) is a command-line-driven utility that can be used to configure BIOS settings on OptiPlex™, Latitude™, and Dell Precision™ systems. Using CCTK you can configure the BIOS administrator password and the TPM enumeration and TPM activation states in a Pre-OS and Post-OS environment. For step by step instructions, see the APPENDIX.

APPENDIX
CCTK command line step by step:
Setup BIOS password: cctk --setuppwd=<New-password>
TPM enable: cctk --tpm=on --valsetuppwd=<BIOS password>
TPM activate: cctk --tpmactivation=activate --valsetuppwd=<BIOS password>
TPM check: cctk --tpm --tpmactivation
TPM-Best-Practices.pdf
0
 

Author Comment

by:llesane
ID: 39761134
Thank you for that information, but as I explained previously, there is no option to clear the TPM in the action panel in Windows. It only allows me to initialize the TPM, but when I try it gives me the above error. How can I unlock the TPM from the lockout period? How long does the lockout period last? Could I decrypt and then encrypt the drive again? Would it be best to reimage the drive? Maybe I'll try the CCTK option you provided. Suggestions?
0
 
LVL 61

Expert Comment

by:btan
ID: 39761281
It is more a matter of resetting ("Reset TPM Lockout") than clearing ("Clear TPM") the TPM from the TPM Management (tpm.msc) snap-in. So if it is really not showing either one, I suggest the "Initialize TPM" steps be reviewed.
http://technet.microsoft.com/en-us/library/cc753140.aspx

In all, the TPM can be in one of the following states, and we need it to be in the last state to proceed with using BitLocker, or specifically for the TPM actions. The owner password is to be set.
-Unowned and turned off
-Unowned and turned on
-Owned but turned off
-Owned and turned on

For the TPM ownership status, this info is stored in the registry value below. You may want to check it just to confirm the state.
DWORD: OSManagedAuthLevel in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\TPM
e.g. 0-None, 2-Delegated, 4-Full

As for the lockout info, that varies from the manufacturer but the industry standards specify that the user is allowed at least one attempt to reset the TPM lockout by using the owner authorization value, even when the TPM is locked out. If the wrong value is used when attempting to reset the TPM lockout, on subsequent attempts to enter the owner authorization value, the TPM may respond as if the correct value is incorrect or respond that the TPM is locked out.

But there are actually Windows GPO default values to control the lockout parameters:
-summary @ http://technet.microsoft.com/en-us/library/dn466535.aspx
-details of gpo @ http://technet.microsoft.com/en-us/library/jj679889.aspx

e.g. Standard User Lockout Duration  = default value of 480 minutes (8 hours) is used
( If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM.)

e.g. Standard User Individual Lockout Threshold = default value of 4 is used
( If the number of authorization failures for the user within the duration that is set for the Standard User Lockout Duration policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM).)

e.g. Standard User Total Lockout Threshold = default value of 9 is used
(If the total number of authorization failures for all standard users within the duration that is set for the Standard User Lockout Duration policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM).)

The CCTK is good, but it goes back to the ownership and initialised state, and the PDF also links back to Microsoft websites, e.g.
http://technet.microsoft.com/en-us/library/cc749022(WS.10).aspx
0
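As an added diagnostic example (not from this thread, Dell or Microsoft), the following PowerShell reads the four TPM states listed above from the Win32_Tpm WMI class and the lockout policy values from the TPM policy key; it assumes it is run as Administrator, and the three StandardUserAuthorizationFailure* value names are my assumption of how the "Standard User ..." GPO settings are stored, so verify them against your ADMX before relying on them.

```powershell
# Added example: report TPM state and the lockout policy values discussed above.
# Assumption: the three StandardUserAuthorizationFailure* value names match the
# "Standard User ..." group policy settings; check your TPM ADMX if they differ.
function Get-TpmLockoutReport {
    $tpm = Get-WmiObject -Namespace 'root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) {
        Write-Warning 'No TPM exposed to Windows (check "TPM Security" in the BIOS).'
        return
    }

    # Win32_Tpm exposes these as methods that return an object with a same-named property.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned

    # Map to the four states in the post; BitLocker needs "Owned and turned on".
    $ownership = if ($owned) { 'Owned' } else { 'Unowned' }
    $power     = if ($enabled -and $activated) { 'turned on' } else { 'turned off' }
    "TPM state: $ownership and $power (enabled=$enabled activated=$activated owned=$owned)"

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # OSManagedAuthLevel: 0 = None, 2 = Delegated, 4 = Full (as listed in the post).
    $authNames = @{ 0 = 'None'; 2 = 'Delegated'; 4 = 'Full' }
    $level = $policy.OSManagedAuthLevel
    if ($null -eq $level) { 'OSManagedAuthLevel: not set by policy' }
    else { "OSManagedAuthLevel: $level ($($authNames[[int]$level]))" }

    # Lockout settings; when no policy is set, the defaults quoted above apply.
    $lockout = @(
        @{ Name = 'StandardUserAuthorizationFailureDuration';            Default = '480 minutes' }
        @{ Name = 'StandardUserAuthorizationFailureIndividualThreshold'; Default = '4' }
        @{ Name = 'StandardUserAuthorizationFailureTotalThreshold';      Default = '9' }
    )
    foreach ($item in $lockout) {
        $value = $policy.($item.Name)
        if ($null -eq $value) { "$($item.Name): not set (default $($item.Default))" }
        else { "$($item.Name): $value" }
    }

    # Volume protection status; confirms whether a decrypt/re-encrypt cycle is needed.
    & manage-bde -status
}

Get-TpmLockoutReport
```

If the report shows the TPM owned but a lockout message persists, the "Reset TPM Lockout" action in tpm.msc still needs the TPM owner password, as btan notes; the script only reads state and changes nothing.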
 
LVL 61

Expert Comment

by:btan
ID: 39761284
Microsoft TechNet also shared this, so it is advised to check back with the manufacturer of your TPM and request support from the manufacturer.

e.g. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.

There is also BitLocker's manage-bde.exe, which serves more like a CLI:
http://technet.microsoft.com/en-us/library/dd875513(v=ws.10).aspx

e.g. -autounlock - Syntax
manage-bde -autounlock {-enable | -disable | -ClearAllKeys} Volume [-ComputerName Name]

http://technet.microsoft.com/en-us/library/dd894351(WS.10).aspx
0
 

Accepted Solution

by:
llesane earned 0 total points
ID: 39763290
Thank you, I was able to decrypt the drive and then continue with the manage-bde commands.
0
 
LVL 61

Expert Comment

by:btan
ID: 39763839
Thanks for sharing.
0
 

Author Closing Comment

by:llesane
ID: 39826053
None of the solutions got me to the point I needed.
0
