Registrations are now open. Join us today!
There is still a lot of work to do on the wiki yet! More information about editing can be found here.
Already have an account?

Microsoft KB Archive/926187

From BetaArchive Wiki

Article ID: 926187

Article Last Modified on 11/13/2006



APPLIES TO

  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Vista Enterprise 64-bit edition



SYMPTOMS

You have a Windows Vista-based computer that is configured to use BitLocker Drive Encryption (BitLocker) together with Trusted Platform Module (TPM) security hardware. When you start the computer, you receive an error message that resembles the following:

The PIN has been entered incorrectly too many times.

The Trusted Platform Module (TPM) is temporarily locking out attempts to unseal TPM sealed keys. The more times the PIN is entered incorrectly the longer the lockout time will become.

It is not possible to predict when the lockout will be over. Please wait a few moments before attempting to reenter the PIN. Then ensure that you enter the correct PIN for this drive.

CAUSE

This issue occurs because of the "anti-hammering" functionality that is included in the computer's TPM device. The anti-hammering functionality prevents access to the computer's TPM device for some time.

RESOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation:

Method 1: Wait until the anti-hammering lockout period expires

If you repeatedly retry a personal identification number (PIN) in a short period of time, you may increase the TPM lockout period. Also, as long as the TPM is locked out, you may be unable to gain access to the computer even if you enter the correct PIN. Therefore, it is best to wait until the lockout period expires. Then, enter the correct PIN to gain access to the computer.

Method 2: Use the BitLocker Recovery Console to access the computer

  1. When you receive the error message that is mentioned in the "Symptoms" section, press ESC. You enter the BitLocker Recovery Console.
  2. Insert the flash device that contains the BitLocker recovery key when you are prompted to do this. If you do not have a flash device that contains the recovery key or if you have not configured a BitLocker recovery key, press ENTER. Then, type the BitLocker recovery password when you are prompted to do this.


Note If you do not have a BitLocker recovery password, you may be able to obtain this password from the Active Directory directory service. If you cannot obtain a recovery password and if you do not have a recovery key, you must use Method 1 or Method 3 to gain access to the computer.

Method 3: Reset the TPM lockout period

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

You can use the ResetAuthLockOut function in a script to reset the TPM lockout period. To run this script, use the Windows Vista DVD to start the computer into Windows Recovery (WinRE).

The following sample script illustrates how to use the ResetAuthLockOut function to reset the TPM lockout period. You must have the TPM owner password to use this method to reset the TPM lockout period.

Note The TPM owner password is configured when you first enable BitLocker on the computer. This password differs from the TPM PIN. In an enterprise environment, the system administrator may have the TPM owner password. If BitLocker is configured for use with Active Directory, the TPM owner password is backed up to Active Directory.

Warning If an incorrect password is provided to this function, the TPM device prevents this function from being used to reset the lockout period in later tries. In this scenario, you must wait until the TPM lockout period expires. Therefore, we recommend that you do not use this function to reset the TPM lockout period if you are not sure that you have the correct TPM owner password.

'Sample script to reset the TPM Auth Lockout period
'Usage: tpm_reset.vbs /p:password
'
'----- Microsoft Corporation ------'

'DieRC - Check the return code, exit the script on failure ''
' rc => return code from WMI function call '
Function DieRC(rc)
    If rc <> 0 Then
        WScript.Echo "Call failed : " & Hex(rc)
        WScript.Quit -1
    End If
End Function

sPassword = Wscript.Arguments.Named("p")
If IsEmpty(sPassword) Then
    WScript.Echo "/p:TpmOwnerPassword is a required argument.  You must use the TPM owner password to reset the lockout period."
    WScript.Echo "Usage: tpm_reset.vbs /p:OwnerPassword"
    WScript.Quit -1
End If

' Connect to the TPM Wmi provider using pktPrivacy
Set oTpmService = GetObject("winmgmts:{impersonationLevel=impersonate," _ 
                              &  "authenticationLevel=pktPrivacy}!\\" _
                              & "." _ 
                              & "\root\cimv2\security\microsofttpm")

'Attempt to retrieve only one tpm by requesting =@
'If no TPM exists, this call will end the script with an error
Set oTpm = oTpmService.Get("Win32_Tpm=@")

'Convert to OwnerAuth converts the specified password to a SHA1 hash
rc = oTPM.ConvertToOwnerAuth(sPassword,abOwnerAuthDigest)
DieRC rc

'ResetAuthLockOut will try to reset the lockout period
'By using the owner authentication digest
'If this call fails, the lockout cannot be reset again
rc = oTPM.ResetAuthLockOut(abOwnerAuthDigest)
DieRC rc

WScript.Echo "Tpm Authentication Lockout successfully reset"

Some TPM devices may not reset the lockout period after a successful logon. Instead, these devices may store unsuccessful lockout attempts. In this situation, you may receive the lockout error message if you enter one incorrect PIN. Also, the lockout period may last for increasingly longer times. In this situation, you can use the ResetAuthLockOut function in Windows to reset the lockout period.

MORE INFORMATION

The Trusted Computing Group (TCG) requires that TPM 1.2 devices have a built-in anti-hammering functionality. This functionality is designed to help prevent dictionary attacks. A dictionary attack is a scenario where a malicious user repeatedly tries different possible PIN combinations to gain access to the computer. The TCG provides the specifications for TPM hardware.

The particular anti-hammering specifications that each TPM device uses are specific to each hardware manufacturer. Many hardware manufacturers use an algorithm that increases the lockout period based on the number of incorrect access attempts. Because of these differences in the implementation of the anti-hammering functionality, we cannot determine the lockout period for a particular TPM device or for a particular scenario.

For more information about TPM or about the TCG, visit the following TCG Web site:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For more information about how to configure drive encryption in Windows Vista, visit the following Microsoft Web sites:

Keywords: kbtshoot kbprb kbexpertiseinter KB926187