Article ID: 671
Last updated: 12 Apr, 2017
Scenario

TPM modules can become locked when too many incorrect PIN attempts are made to access the information stored on the module. The number of failed attempts before lockout varies with the TPM version (1.2 or 2.0) and, in the case of TPM 2.0, with the policies configured in the operating system.
If you have replaced the motherboard in your BitLocker-protected system and the new motherboard arrives with the TPM already provisioned, you may be locked out of the TPM because you will likely not know the PIN, or you may be unable to re-provision the TPM for re-use.

When Locked Out

If you are locked out, you cannot enter the correct PIN to remove the lockout. You then have three options:
When TPM is Unusable

When you cannot take ownership of the TPM module or provision it for use, follow these options:
Removing the Lockout
Clearing the TPM

Use these methods:
Note: Bear in mind that this will delete the cryptographic information in the machine and you will lose the encrypted data, including any user data or documents stored on a BitLocker-protected drive.
Clearing the TPM can be done in one of four ways, each of which increases in complexity. Always log on with local Administrative rights before using these instructions.
1. Clearing the TPM Using the BIOS
If your BIOS does not have the option to clear the TPM, then you will need to clear the TPM using Windows.
3. Clearing the TPM Using the MMC after setting the Windows TPM Authorisation Level

Attempting to clear the TPM without making any other Windows changes first, as in Step 2, may not be successful. This is because some versions of Windows have safeguards to prevent the accidental erasure of cryptographic information. The first change to make if Step 2 is not successful is to change the Windows TPM Delegation Level.
Note: In the above screenshot, the TPM is not reported as locked out. If you are unable to provision a new TPM, the TPM may be in an indeterminate state where it is not locked but cannot easily be cleared unless you use the additional instructions in Steps 3 or 4.
4. Clearing the TPM Using the MMC after Enabling Blocked TPM Commands

Windows by default blocks the use of some TPM commands to prevent abuse. If the instructions in Step 2 do not work, you may need to de-restrict the TPM commands that can be used.
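The following pre-flight check is an added example and not part of the original article. It assumes Windows 10 with the TrustedPlatformModule and BitLocker PowerShell modules (Get-Tpm, Get-BitLockerVolume, Clear-Tpm); the registry location read for the Step 4 blocked-commands policy is an assumption to verify against gpedit.msc on your build.

```powershell
#Requires -RunAsAdministrator
# Pre-flight for clearing the TPM: report lockout state and the settings behind
# Steps 3 and 4, list BitLocker volumes whose keys would be lost, and clear only
# when -Clear is passed and every encrypted volume has a saved recovery password.
function Test-TpmClearReadiness {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([switch]$Clear)
    $tpm = Get-Tpm
    # Volumes still holding ciphertext (see the Note above): without a recovery
    # password protector their data is unrecoverable once the TPM is cleared.
    $volumes = @(Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint          = $_.MountPoint
                ProtectionStatus    = $_.ProtectionStatus
                HasRecoveryPassword = @($_.KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword').Count -gt 0
            }
        })
    # Step 4 policy: assumed registry location of "Ignore the default list of
    # blocked TPM commands" (verify in gpedit.msc); absent means the default applies.
    $blk = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\TPM\BlockedCommands' -ErrorAction SilentlyContinue
    $ignoreDefault = if ($null -ne $blk.IgnoreDefaultList) { [bool]$blk.IgnoreDefaultList } else { 'default' }
    $report = [pscustomobject]@{
        TpmPresent                     = $tpm.TpmPresent
        TpmReady                       = $tpm.TpmReady
        TpmOwned                       = $tpm.TpmOwned
        LockedOut                      = $tpm.LockedOut
        LockoutCount                   = "$($tpm.LockoutCount)/$($tpm.LockoutMax)"
        OwnerClearDisabled             = $tpm.OwnerClearDisabled   # true explains a failed Step 2
        ManagedAuthLevel               = $tpm.ManagedAuthLevel     # Step 3 setting (Delegated or Full)
        IgnoreDefaultBlockedCommands   = $ignoreDefault
        VolumesWithoutRecoveryPassword = @($volumes | Where-Object { -not $_.HasRecoveryPassword }).Count
        BitLockerVolumes               = $volumes
    }
    if ($Clear) {
        if ($report.VolumesWithoutRecoveryPassword -gt 0) {
            throw "Refusing to clear: $($report.VolumesWithoutRecoveryPassword) encrypted volume(s) have no recovery password protector."
        }
        if ($PSCmdlet.ShouldProcess('TPM', 'Clear (destroys all TPM-sealed keys)')) {
            Clear-Tpm   # Windows may additionally ask for physical-presence confirmation at next boot
        }
    }
    return $report
}
Test-TpmClearReadiness | Format-List   # review first; re-run with -Clear to proceed
```

Run it once without -Clear and read the report; a non-zero VolumesWithoutRecoveryPassword is the data-loss case the Note above warns about.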
Posted: 11 Apr, 2017 by Andrew Sharrad