Bitlocker pin problems

We have several Windows 8.1 Pro laptops that we have set up with full drive encryption using the BitLocker that is included in the O/S. All of the PCs have two users, an administrator and a standard user. Policy editor was used to prevent standard users from changing the PIN. One of these machines is having problems with the PIN. This shouldn't be a changed PIN as she doesn't have access to the admin account. A few days ago I tried to log in myself with the correct PIN and it would not allow the PIN and then it did. Both times the PIN was correct (Insert allows the typed PIN to be viewed). Yesterday I used the recovery key to access the system. I reset the PIN and saved it to a file on my USB drive. I rebooted a few times to verify that it worked. This morning we are back to the same problem. Incorrect PIN. Help!
jbcbussoft Asked:

btan Exec Consultant Commented:
Some very similar cases, though they may not exactly match your use case, suggest this is due to the anti-hammering logic in the TPM, which varies by supplier; they went on to reset the TPM lockout via policy and even to the extent of resetting the TPM again. See:
This issue occurs because of the "anti-hammering" functionality that is included in the computer's TPM device. The anti-hammering functionality prevents access to the computer's TPM device for some time.

If you repeatedly retry a personal identification number (PIN) in a short period of time, you may increase the TPM lockout period. Also, as long as the TPM is locked out, you may be unable to gain access to the computer even if you enter the correct PIN. Therefore, it is best to wait until the lockout period expires. Then, enter the correct PIN to gain access to the computer.
https://social.technet.microsoft.com/Forums/en-US/d0527321-5a73-4506-b71d-832a52658a79/windows-8-and-81-bitlocker-too-many-pin-attempts-after-one-false-pin-entry?forum=w81previtpro

Another one, which has not identified the root cause, though it is a manual wait that "resolved" it:
The solution to this issue was to log on using the recovery key and leave the machine up and running until the lock cleared and then left it on for an additional 24 hours. It doesn't make much sense to me, but since doing this, we have not had any issues with TPM lockouts on this machine.
http://www.experts-exchange.com/Hardware/Embedded_Hardware/Q_28156193.html#a39285403
0
McKnife Commented:
If the PIN was indeed changed, you'd see an eventlog entry:
"The PIN was updated for the operating system volume."
EventID 777
Log: Applications and Services - Microsoft - Bitlocker-API - Management.
0
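The two checks suggested in the comments above (the event 777 PIN-update entry and the TPM anti-hammering lockout), as an added PowerShell example that is not part of the original thread. The channel name "Microsoft-Windows-BitLocker/BitLocker Management" is assumed to be the channel behind the Event Viewer path given above, the function name is hypothetical, and the seven-day window is an arbitrary choice.

```powershell
# Added example: rule a PIN change and a TPM lockout in or out.
# Run from an elevated PowerShell prompt on the affected laptop,
# after unlocking it (for example with the recovery key).

function Get-BitLockerPinChange {
    param(
        # Start of the window to inspect, e.g. when the PIN was last reset
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{
        # Assumed channel name for "BitLocker-API - Management"
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 777          # "The PIN was updated for the operating system volume."
        StartTime = $Since
    }
    # Get-WinEvent reports an error when nothing matches; suppress it so
    # "no events" comes back as an empty result. A missing channel is
    # suppressed as well, so confirm the log exists in Event Viewer.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, UserId, Message
}

$changes = @(Get-BitLockerPinChange)
if ($changes.Count -eq 0) {
    'No PIN update (event 777) recorded in the window.'
} else {
    # UserId is the SID of the account that made the change
    $changes | Format-List
}

# TPM anti-hammering state as Windows reports it
$tpm = Get-Tpm
'TPM present: {0}  ready: {1}  locked out: {2}' -f `
    $tpm.TpmPresent, $tpm.TpmReady, $tpm.LockedOut

# Key protectors on the OS volume; a TPM And PIN protector is expected here
manage-bde -protectors -get $env:SystemDrive
```

An event 777 entry dated after the administrator's own reset points to a changed PIN; an empty result together with a reported lockout points toward the anti-hammering behaviour instead.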
jbcbussoft Author Commented:
btan I will look into this.

McKnife I will check the logs.
0
btan Exec Consultant Commented:
Btw, only Win2012 and Win8/8.1 support the policy settings for Standard User Lockout Duration, Standard User Individual Lockout Threshold and Standard User Total Lockout Threshold: https://technet.microsoft.com/en-us/library/58a88c36-df44-45d9-953f-a0bef9e7ae40#BKMK_version_table
0
jbcbussoft Author Commented:
It is a Windows 8.1 Pro machine but I did not set lockouts.
0
btan Exec Consultant Commented:
Check out their default no. too, and reset the lockout.
0
McKnife Commented:
Re-reading your question. When you pressed insert and the correct PIN was there and only on the second try it worked, then it's just a (horrible) bug, what else! Our whole network is bitlocked and I have seen incredible things, amongst them systems that were not encrypted that insisted they were and other systems with c: and d: encrypted that reported "c: is, d: isn't" when doing a manage-bde -status.
Then I went "ok, let's do manage-bde -on d:" and got answered "not possible, d: is already encrypted"!

So as with any software, there are bugs. Luckily, I have never seen a recovery key not work :)

You cannot do anything about it. At that preboot stage, no diagnostics are possible. When it opens up a few seconds after a correct-PIN-attempt that was dismissed, that is no lockout problem, without a doubt.

Maybe the best would be to take an image of the system, wipe the hard drive, replay that image and re-encrypt (and cross fingers).
0
btan Exec Consultant Commented:
I also see re-doing the BitLocker as the way to go instead, since it is likely the troubleshooting can remain uncertain, like those postings I shared earlier. Such device encryption should be done uniquely on each machine and not cloned over from machine to machine, since it is bound to each machine's TPM. We do it the hard way for all domain machines, centrally managed. But do note this:
By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose Require password complexity because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
It states a connectivity requirement when set to Require complexity. I am not alluding that the connectivity is the culprit, but the state of connectivity for the machine is uncertain, so you may also check if this is enabled... https://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_ospw
0
jbcbussoft Author Commented:
Sorry for the delay in getting back to the question. I think a reload may be just what this machine needs. Thanks for the suggestions.
0
Question has a verified solution.