TPM Owner File
posted Jul 8, 2015, 5:13 PM
The reporting for the system in question was all green / all good.
The event logs did not show any errors; event IDs 1 / 3 / 19 are what you want to see.
However, if you requested the TPM Owner Password from the MBAM DB because of a PIN lockout (or similar), you might hear the following response:
A check of the DB would reveal
Unfortunately, there is no notification of any kind about whether delivery of the TPM Owner Password (hash) to MBAM succeeded or failed.
So what's an IT guy or gal to do? Believe it or not, you could do nothing and be OK. How is that possible? For one, the TPM Owner Password (hash) is not the ultimate gatekeeper in a lockout scenario; the Recovery Key is. In either of the two scenarios mentioned at the beginning of this article, the Recovery Key is delivered and updated. In a TPM-driven recovery situation, you simply enter the Recovery Key to bypass the lockout.
I decided to check with MS and verify what I had read elsewhere in the community when conducting this research.
The TPM password will only be required while the TPM is locked out. If you don't have the TPM password, you can use the Recovery password to log in to the machine and access the data.
You will not be able to manage the TPM remotely while you don't have the TPM password. There is no end-user impact if you don't have the TPM information saved.
How does TPM lockout work (pulled from Lenovo)?
One of the core security features of the TPM is to prevent “hammering,” that is, the attempt to guess TPM passwords in an automated way. Each TPM implements an anti-hammering method, and when an attack is detected, the TPM enters lockout mode which means that further password guesses are ignored until the lockout mode ends. However, the Trusted Computing Group (the organization that defines TPM behavior) failed to define a standard for TPM lockout, so each TPM manufacturer has developed its own implementation for lockout.
Below is a list of TPM vendor information for Dell / Lenovo; I would bet the rules are similar for other PC vendors.
Atmel TPM:
No lockout during the first 15 bad password attempts
The 16th bad password attempt results in a lockout period of 1.1 minutes
Then, no lockout during the next 15 bad password attempts
The next lockout period is 2.2 minutes
Each lockout period doubles after each batch of 15 bad password attempts, up to a maximum lockout period of 4.7 hours
Lockout is reset if the computer is turned off
Intel TPM:
No lockout during the first 100 bad password attempts
The 101st bad password attempt results in a lockout period of 16 seconds
Each subsequent bad password attempt results in a lockout period twice as long as the previous lockout period, without a maximum lockout period
The bad password counter decreases by one each hour, until it decreases to zero
ST Micro TPM:
No lockout during the first 40 bad password attempts
The 41st bad password attempt results in a lockout period of three seconds
Each subsequent bad password attempt results in a lockout period twice as long as the previous lockout period, with a maximum lockout period of two hours
Winbond TPM:
The first bad password attempt results in a lockout period of 0.25 milliseconds
Each subsequent bad password attempt results in a lockout period twice as long as the previous lockout period, with a maximum lockout period of 14 hours
Note: It takes 13 bad attempts to reach a lockout period of one second.
After 24 hours, the bad password counter is reset to zero
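To make the four schedules above comparable, here is a small model of them. This is an added illustration, not code from the original post or from any TPM vendor: the numbers are exactly the ones quoted above, and the only modelling assumption is how the Atmel batching is read (15 free attempts followed by one locking attempt, repeating). The counter resets the post mentions (power-off, the 24-hour reset, Intel's one-per-hour decay) are recorded as notes and not simulated.

```python
"""Model of the TPM anti-hammering schedules quoted above (Atmel, Intel,
ST Micro, Winbond). Added example, not code from the original post.
Answers: how long does the TPM refuse guesses after the Nth bad attempt,
and how many bad attempts until the lockout reaches a given length?"""
from dataclasses import dataclass
from typing import Dict, Optional

MINUTE = 60.0
HOUR = 3600.0


@dataclass(frozen=True)
class LockoutPolicy:
    name: str
    free_attempts: int              # bad attempts tolerated before any lockout
    first_lockout_s: float          # length of the first lockout, in seconds
    max_lockout_s: Optional[float]  # None where the post states no maximum
    lock_every: int = 1             # attempts per lockout cycle once past free_attempts
                                    # (assumption for Atmel: 15 free + 1 locking = 16)
    reset_note: str = ""            # how the bad-attempt counter clears, per the post

    def lockout_after(self, bad_attempts: int) -> float:
        """Seconds the TPM ignores further guesses right after the Nth bad attempt."""
        over = bad_attempts - self.free_attempts
        if over <= 0:
            return 0.0
        # Only the last attempt of each cycle triggers a lockout.
        if (over - 1) % self.lock_every != 0:
            return 0.0
        doublings = (over - 1) // self.lock_every
        delay = self.first_lockout_s * 2 ** doublings
        if self.max_lockout_s is not None:
            delay = min(delay, self.max_lockout_s)
        return delay

    def attempts_until(self, target_s: float, limit: int = 10_000) -> int:
        """Smallest bad-attempt count whose lockout is at least target_s; 0 if unreachable."""
        for n in range(1, limit + 1):
            delay = self.lockout_after(n)
            if delay >= target_s:
                return n
            if self.max_lockout_s is not None and delay >= self.max_lockout_s:
                return 0  # capped below the target, so it will never be reached
        return 0

    def total_lockout(self, bad_attempts: int) -> float:
        """Wall-clock seconds of enforced waiting accumulated over the first N bad attempts."""
        return sum(self.lockout_after(n) for n in range(1, bad_attempts + 1))


# Parameters transcribed from the vendor list above.
POLICIES: Dict[str, LockoutPolicy] = {
    "Atmel": LockoutPolicy("Atmel", 15, 1.1 * MINUTE, 4.7 * HOUR, lock_every=16,
                           reset_note="reset when the computer is turned off"),
    "Intel": LockoutPolicy("Intel", 100, 16.0, None,
                           reset_note="counter decreases by one each hour"),
    "ST Micro": LockoutPolicy("ST Micro", 40, 3.0, 2 * HOUR),
    "Winbond": LockoutPolicy("Winbond", 0, 0.25e-3, 14 * HOUR,
                             reset_note="counter reset after 24 hours"),
}


def describe(policy: LockoutPolicy) -> str:
    """One-line summary: first lockout, and the attempt at which a 1 s lockout is reached."""
    first = policy.free_attempts + 1
    return (f"{policy.name}: first lockout at attempt {first} "
            f"({policy.lockout_after(first):g} s); 1 s lockout by attempt "
            f"{policy.attempts_until(1.0)}; {policy.reset_note or 'no reset noted'}")


if __name__ == "__main__":
    for p in POLICIES.values():
        print(describe(p))
        print(f"   total waiting over 200 bad attempts: {p.total_lockout(200) / HOUR:.2f} h")
```

The Winbond "13 bad attempts to reach one second" note falls out of the model (0.25 ms doubled twelve times is 1.024 s), which is a useful sanity check that the schedule was transcribed correctly. The practical takeaway for a help desk is the one the post draws: a user who keeps hitting these delays is almost always mistyping a PIN, and the Recovery Key, not the TPM owner password, is what gets them back in.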
So how do we prevent this from happening again?
Do not install BitLocker manually. Follow the MBAM process (MBAM Installation & Recovery). If it doesn't work, open a ticket. Again: do not install BitLocker manually.
Pre-provisioning has been disabled in the DEV task sequence (which everyone is using); this will be moved to the Production task sequence soon. The encryption process will start upon the first Administrative / Console login.
Last but not least, if you have a recurring problem with a user whose TPM is constantly being locked out, collect all of the details. There may be a legitimate reason (TPM reset). Most of the time, however, it turns out to be a forgotten PIN.
If you would like MBAM to maintain the TPM hash, follow these instructions:
Open an elevated CMD prompt and disable the key protectors: manage-bde -protectors -disable c:
From the same command prompt, start the decryption process: manage-bde -off c:
To check progress, type: manage-bde -status
When the decryption process has completed, follow either the Dell or the Lenovo steps below.
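Clearing the TPM while the drive is still partly encrypted is the step to avoid, so the check that matters here is "has manage-bde -off actually finished?". The following is an added example, not code from the original post: it parses the per-volume "Label: value" block that manage-bde -status prints and only reports success when every indicator says the volume is back to plaintext. The two sample reports are constructed to mirror that layout; treat the exact spacing and values as illustrative rather than as captured tool output. The live_status() helper shells out to the real tool and is the one part that needs an elevated Windows prompt.

```python
"""Decide whether `manage-bde -off c:` has finished before touching the TPM.
Added example, not code from the original post; sample reports are constructed."""
import re
import subprocess
from typing import Dict

# Matches "Label: value" lines such as "    Conversion Status:    Fully Decrypted"
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")

# Constructed sample: decryption still running, do not clear the TPM yet.
SAMPLE_IN_PROGRESS = """\
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.71 GB
    BitLocker Version:    2.0
    Conversion Status:    Decryption in Progress
    Percentage Encrypted: 42.3%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

# Constructed sample: decryption finished, safe to move on to the BIOS steps.
SAMPLE_DONE = """\
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.71 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""


def parse_status(report: str) -> Dict[str, str]:
    """Collect the 'Label: value' fields of one volume's report into a dict."""
    fields: Dict[str, str] = {}
    for line in report.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def percent_encrypted(fields: Dict[str, str]) -> float:
    """Numeric 'Percentage Encrypted'; a missing or odd value is treated as still encrypted."""
    raw = fields.get("Percentage Encrypted", "").rstrip("%").strip()
    try:
        return float(raw)
    except ValueError:
        return 100.0


def decryption_complete(fields: Dict[str, str]) -> bool:
    """True only when conversion, percentage and protection all say plaintext."""
    return (
        fields.get("Conversion Status") == "Fully Decrypted"
        and percent_encrypted(fields) == 0.0
        and fields.get("Protection Status") == "Protection Off"
    )


def live_status(volume: str = "C:") -> Dict[str, str]:
    """Run manage-bde -status for one volume (Windows, elevated prompt) and parse it."""
    out = subprocess.run(["manage-bde", "-status", volume],
                         capture_output=True, text=True, check=True).stdout
    return parse_status(out)


if __name__ == "__main__":
    for label, sample in (("in progress", SAMPLE_IN_PROGRESS), ("done", SAMPLE_DONE)):
        f = parse_status(sample)
        verdict = "clear the TPM now" if decryption_complete(f) else "wait"
        print(f"{label}: {f['Conversion Status']}, {f['Percentage Encrypted']} -> {verdict}")
```

Requiring all three fields rather than just the percentage guards against reading a report mid-update; an unparseable percentage deliberately counts as "still encrypted" so a parsing hiccup can never produce a false "go ahead".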
For Dell
Restart into the BIOS. Navigate to the Security node. Select Clear / Apply.
Select Yes / Apply / Exit. This will cause a Restart.
At the W7 OS Login Screen, select Restart and again return to the BIOS.
Upon returning to the BIOS, select Activate and Apply. Click Exit to Restart into the W7 OS.
Login to Windows 7 as an Administrator and from the Console (physically present). Navigate to the following path and launch MBAM-RO.exe as an Administrator (sometimes a few minutes are required).
In some cases you may see the following screens; if so, just follow the instructions.
Doing so will trigger the following screen. Click Start.
Assign your PIN.
Encryption should start.
When completed, you should see the following:
For Lenovo
Shut Down the computer.
Turn on the computer and press F1 to enter BIOS Setup Utility.
Select the Security tab.
Press Enter and select Clear Security Chip.
Press Enter and select Yes to clear the encryption keys. Press F10 to Save and Exit.
Reboot into the BIOS and verify that the Security Chip is set to Active. Press F10 to Save and Exit.
Login to Windows 7 as an Administrator and from the Console (physically present). Navigate to the following path and launch MBAM-RO.exe as an Administrator (sometimes a few minutes are required).
Doing so will trigger the following screen. Click Start.
Assign your PIN.
Encryption should start.
When completed, you should see the following: