How can I Clear a TPM module or Recover from Authorisation Lockout?

Scenario

TPM Modules can become locked when too many incorrect PIN attempts are made to access the information stored on the module. The number of failed attempts before lockout will vary depending on the TPM version (1.2 or 2.0) and in the case of TPM 2.0, the policies configured in the operating system.

If you have replaced the motherboard in your BitLocker-protected system and the new motherboard arrives with the TPM already provisioned, you may be locked out of the TPM because you will not know the PIN, or you may be unable to re-provision the TPM for re-use.

When Locked Out

If you are locked out, you cannot enter the correct PIN to remove the lockout. You then have three options:

When TPM is Unusable

When you can't take ownership of the TPM module or provision the TPM Module for use, follow these options:

Removing the Lockout


Clearing the TPM

Use these methods:

Note: Bear in mind that this will delete the cryptographic information in the machine and you will lose the encrypted data, including any user data or documents stored on a BitLocker-protected drive.

Clearing the TPM can be done in one of four ways, listed in increasing order of complexity. Always log on with local Administrator rights before using these instructions.

  1. Clearing the TPM Using the BIOS
  2. Clearing the TPM Using MMC
  3. Clearing the TPM Using the MMC after setting the Windows TPM Authorisation Level
  4. Clearing the TPM Using the MMC after Enabling Blocked TPM Commands

1. Clearing the TPM Using the BIOS

2. Clearing the TPM Using MMC

If your BIOS does not have the option to clear the TPM, then you will need to clear the TPM using Windows.

3. Clearing the TPM Using the MMC after setting the Windows TPM Authorisation Level

Attempting to clear the TPM without making any other Windows changes first, as in Step 2, may not be successful, because some versions of Windows have safeguards to prevent the accidental erasure of cryptographic information.

The first change to make if Step 2 is not successful is to change the Windows TPM Delegation Level.

Note: In the above screenshot, the TPM is not reported as locked out. If you are unable to provision a new TPM, the TPM may be in an indeterminate state where it is not locked but cannot easily be cleared unless you use the additional instructions in Steps 3 or 4.

4. Clearing the TPM Using the MMC after Enabling Blocked TPM Commands

Windows by default blocks the use of some TPM commands to prevent abuse. If the instructions in Step 2 do not work, you may need to unblock the TPM commands that Windows has restricted.
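The following PowerShell is an added example, not part of the original article or Stone's own tooling. It inspects the TPM state, applies the two Windows policy changes that Steps 3 and 4 describe, and then performs the clear that the MMC performs in Step 2. It assumes Windows 10 / Server 2016 or later with the TrustedPlatformModule module, an elevated session, and the registry paths shown (the locations backing the relevant Group Policy settings; verify them against your Windows build).

```powershell
# Added example (not from the Stone KB article): inspect TPM state, apply the
# policy changes from Steps 3 and 4, then attempt the clear from Step 2.
# Assumes Windows 10 / Server 2016+ and an elevated PowerShell session.
#Requires -RunAsAdministrator
Import-Module TrustedPlatformModule

$tpm = Get-Tpm
# Ownership, managed-auth level and the lockout counters tell you which of
# the article's scenarios (locked out vs. unusable) you are in.
$tpm | Select-Object TpmPresent, TpmReady, TpmOwned, ManagedAuthLevel,
    OwnerClearDisabled, LockedOut, LockoutCount, LockoutMax, LockoutHealTime |
    Format-List

if ($tpm.LockedOut) {
    Write-Warning "TPM is in authorisation lockout (LockoutCount $($tpm.LockoutCount) of $($tpm.LockoutMax))."
}

# Step 3: registry value behind the Group Policy setting "Configure the level of
# TPM owner authorization information available to the operating system".
# 0 = None, 2 = Delegated, 4 = Full. Assumed path; check your Windows build.
$tpmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
New-Item -Path $tpmPolicy -Force | Out-Null
Set-ItemProperty -Path $tpmPolicy -Name OSManagedAuthLevel -Type DWord -Value 4

# Step 4: the "Ignore the default/local list of blocked TPM commands" policies.
$blocked = Join-Path $tpmPolicy 'BlockedCommands'
New-Item -Path $blocked -Force | Out-Null
Set-ItemProperty -Path $blocked -Name IgnoreDefaultList -Type DWord -Value 1
Set-ItemProperty -Path $blocked -Name IgnoreLocalList   -Type DWord -Value 1

# Step 2 equivalent: the clear destroys every key sealed by the TPM, so data on
# a BitLocker-protected drive is only recoverable with its recovery key. Keep
# the confirmation prompt. When Windows holds no owner authorisation (typical
# for a replacement motherboard) it schedules the clear and requires
# physical-presence confirmation at the next reboot.
Clear-Tpm -Confirm

if ((Get-Tpm).RestartPending) {
    Write-Host "Restart required; confirm the TPM clear at the firmware prompt."
}
```

A reboot may be needed before the policy values take effect and before the scheduled clear is applied.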

Applies to:



Article ID: 671
Last updated: 12 Apr, 2017
Revision: 14
https://kb.stonegroup.co.uk/index.php?View=entry&EntryID=671