Microsoft KB Archive/926187

From BetaArchive Wiki

Article ID: 926187

Article Last Modified on 11/13/2006



APPLIES TO

  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Vista Enterprise 64-bit edition



SYMPTOMS

You have a Windows Vista-based computer that is configured to use BitLocker Drive Encryption (BitLocker) together with Trusted Platform Module (TPM) security hardware. When you start the computer, you receive an error message that resembles the following:

The PIN has been entered incorrectly too many times.

The Trusted Platform Module (TPM) is temporarily locking out attempts to unseal TPM sealed keys. The more times the PIN is entered incorrectly the longer the lockout time will become.

It is not possible to predict when the lockout will be over. Please wait a few moments before attempting to reenter the PIN. Then ensure that you enter the correct PIN for this drive.

CAUSE

This issue occurs because of the "anti-hammering" functionality that is included in the computer's TPM device. The anti-hammering functionality prevents access to the computer's TPM device for some time.

RESOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation:

Method 1: Wait until the anti-hammering lockout period expires

If you repeatedly retry a personal identification number (PIN) in a short period of time, you may increase the TPM lockout period. Also, as long as the TPM is locked out, you may be unable to gain access to the computer even if you enter the correct PIN. Therefore, it is best to wait until the lockout period expires. Then, enter the correct PIN to gain access to the computer.

Method 2: Use the BitLocker Recovery Console to access the computer

  1. When you receive the error message that is mentioned in the "Symptoms" section, press ESC to enter the BitLocker Recovery Console.
  2. Insert the flash device that contains the BitLocker recovery key when you are prompted to do this. If you do not have a flash device that contains the recovery key or if you have not configured a BitLocker recovery key, press ENTER. Then, type the BitLocker recovery password when you are prompted to do this.


Note If you do not have a BitLocker recovery password, you may be able to obtain this password from the Active Directory directory service. If you cannot obtain a recovery password and if you do not have a recovery key, you must use Method 1 or Method 3 to gain access to the computer.

Method 3: Reset the TPM lockout period

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

You can use the ResetAuthLockOut function in a script to reset the TPM lockout period. To run this script, use the Windows Vista DVD to start the computer into Windows Recovery (WinRE).

The following sample script illustrates how to use the ResetAuthLockOut function to reset the TPM lockout period. You must have the TPM owner password to use this method to reset the TPM lockout period.

Note The TPM owner password is configured when you first enable BitLocker on the computer. This password differs from the TPM PIN. In an enterprise environment, the system administrator may have the TPM owner password. If BitLocker is configured for use with Active Directory, the TPM owner password is backed up to Active Directory.

Warning If an incorrect password is provided to this function, the TPM device prevents this function from being used to reset the lockout period in later tries. In this scenario, you must wait until the TPM lockout period expires. Therefore, we recommend that you do not use this function to reset the TPM lockout period if you are not sure that you have the correct TPM owner password.

'Sample script to reset the TPM Auth Lockout period
'Usage: tpm_reset.vbs /p:password
'
'----- Microsoft Corporation ------'

Option Explicit

Dim sPassword, oTpmService, oTpm, abOwnerAuthDigest, rc

'DieRC - Check the return code, exit the script on failure
' rc => return code from WMI function call
Sub DieRC(rc)
    If rc <> 0 Then
        WScript.Echo "Call failed : " & Hex(rc)
        WScript.Quit -1
    End If
End Sub

sPassword = WScript.Arguments.Named("p")
If IsEmpty(sPassword) Then
    WScript.Echo "/p:TpmOwnerPassword is a required argument.  You must use the TPM owner password to reset the lockout period."
    WScript.Echo "Usage: tpm_reset.vbs /p:OwnerPassword"
    WScript.Quit -1
End If

' Connect to the TPM WMI provider using pktPrivacy, so that the owner
' password is not passed over the WMI connection in the clear
Set oTpmService = GetObject("winmgmts:{impersonationLevel=impersonate," _
                              & "authenticationLevel=pktPrivacy}!\\" _
                              & "." _
                              & "\root\cimv2\security\microsofttpm")

'Attempt to retrieve only one TPM by requesting =@
'If no TPM exists, this call will end the script with an error
Set oTpm = oTpmService.Get("Win32_Tpm=@")

'ConvertToOwnerAuth converts the specified password to the owner
'authorization digest (a SHA-1 hash of the password)
rc = oTpm.ConvertToOwnerAuth(sPassword, abOwnerAuthDigest)
DieRC rc

'ResetAuthLockOut will try to reset the lockout period
'by using the owner authentication digest
'If this call fails, the lockout cannot be reset again until it expires
rc = oTpm.ResetAuthLockOut(abOwnerAuthDigest)
DieRC rc

WScript.Echo "TPM Authentication Lockout successfully reset"

Some TPM devices may not reset the lockout period after a successful logon. Instead, these devices may store unsuccessful lockout attempts. In this situation, you may receive the lockout error message if you enter one incorrect PIN. Also, the lockout period may last for increasingly longer times. In this situation, you can use the ResetAuthLockOut function in Windows to reset the lockout period.

MORE INFORMATION

The Trusted Computing Group (TCG) requires that TPM 1.2 devices have a built-in anti-hammering functionality. This functionality is designed to help prevent dictionary attacks. A dictionary attack is a scenario where a malicious user repeatedly tries different possible PIN combinations to gain access to the computer. The TCG provides the specifications for TPM hardware.

The particular anti-hammering specifications that each TPM device uses are specific to each hardware manufacturer. Many hardware manufacturers use an algorithm that increases the lockout period based on the number of incorrect access attempts. Because of these differences in the implementation of the anti-hammering functionality, we cannot determine the lockout period for a particular TPM device or for a particular scenario.
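The following is an added illustration, not part of this article and not Microsoft code: a small Python model of the anti-hammering behaviour the article describes, so that the three resolution methods can be reasoned about before touching a real TPM. It models the points made in Method 1 (retrying during the lockout, even with the correct PIN, lengthens it), in the Method 3 warning (one wrong owner password disables ResetAuthLockOut until the lockout expires) and in the note on devices that keep counting failures across successful logons. The doubling schedule, the 2-second base lockout and the owner-auth string are assumptions chosen for the model; as the paragraph above says, the real schedule is vendor-specific and cannot be predicted.

```python
# Added example: toy model of TPM 1.2 anti-hammering lockout behaviour.
# Not the article's code; the doubling schedule and 2 s base are assumptions.
from dataclasses import dataclass


@dataclass
class TpmLockoutModel:
    correct_pin: str
    owner_auth: str                 # stands in for the owner authorization digest
    base_lockout: int = 2           # assumed base lockout, in seconds
    resets_on_success: bool = True  # False models devices that keep counting failures
    failures: int = 0
    clock: int = 0
    locked_until: int = 0
    reset_disabled_until: int = 0   # set after a ResetAuthLockOut with bad owner auth

    def advance(self, seconds: int) -> None:
        """Let simulated time pass (the article's Method 1: wait it out)."""
        self.clock += seconds

    def lockout_remaining(self) -> int:
        return max(0, self.locked_until - self.clock)

    def _extend_lockout(self) -> int:
        # Assumed schedule: each failure doubles the lockout; the article only
        # says that many vendors make it grow with the failure count.
        duration = self.base_lockout * 2 ** (self.failures - 1)
        self.locked_until = self.clock + duration
        return duration

    def unseal(self, pin: str) -> bool:
        """Attempt a PIN unseal. Returns True on success."""
        if self.lockout_remaining() > 0:
            # While locked out the TPM rejects even the correct PIN, and the
            # attempt counts as another failure, which lengthens the lockout.
            self.failures += 1
            self._extend_lockout()
            return False
        if pin != self.correct_pin:
            self.failures += 1
            self._extend_lockout()
            return False
        if self.resets_on_success:
            self.failures = 0
        return True

    def reset_auth_lockout(self, auth: str) -> bool:
        """Method 3: reset the lockout with owner authorization."""
        if self.clock < self.reset_disabled_until:
            return False            # earlier bad owner auth: must wait out the lockout
        if auth != self.owner_auth:
            # Wrong owner auth: the TPM refuses further resets until lockout expires.
            self.reset_disabled_until = self.locked_until
            return False
        self.failures = 0
        self.locked_until = self.clock
        return True


def retry_during_lockout() -> list:
    """Why Method 1 matters: a correct PIN typed during the lockout is rejected
    and pushes the lockout further out. Returns (result, remaining) per step."""
    tpm = TpmLockoutModel("1234", "owner-secret")
    steps = []
    steps.append((tpm.unseal("0000"), tpm.lockout_remaining()))  # wrong PIN -> 2 s lockout
    steps.append((tpm.unseal("1234"), tpm.lockout_remaining()))  # correct, but locked -> 4 s
    tpm.advance(4)
    steps.append((tpm.unseal("1234"), tpm.lockout_remaining()))  # waited it out -> success
    return steps


def bad_owner_auth_then_good() -> list:
    """The Method 3 warning: one wrong owner password disables resets until
    the current lockout expires, even if the right password follows."""
    tpm = TpmLockoutModel("1234", "owner-secret")
    tpm.unseal("0000")
    out = [tpm.reset_auth_lockout("wrong"), tpm.reset_auth_lockout("owner-secret")]
    tpm.advance(tpm.lockout_remaining())
    out.append(tpm.reset_auth_lockout("owner-secret"))
    return out


def persistent_counter_device() -> list:
    """Devices that do not clear failures on a successful logon: after one
    earlier failure, a single wrong PIN later gives a longer lockout (4 s)
    than a fresh device would (2 s)."""
    tpm = TpmLockoutModel("1234", "owner-secret", resets_on_success=False)
    tpm.unseal("0000")
    tpm.advance(tpm.lockout_remaining())
    ok = tpm.unseal("1234")          # succeeds, but the failure count is retained
    tpm.unseal("0000")               # second failure overall -> 4 s, not 2 s
    return [ok, tpm.lockout_remaining()]
```

Each scenario function builds its own model, so they can be run independently; the returned lists make the effect of each resolution method visible without a real TPM.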

For more information about TPM or about the TCG, visit the following TCG Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For more information about how to configure drive encryption in Windows Vista, visit the following Microsoft Web sites:

Keywords: kbtshoot kbprb kbexpertiseinter KB926187