Windows 10: Bitlocker Lockout

How do I retrieve 32 digit bitlocker key without access to computer and no previous printouts?

:)

 

BitLocker on Surface Pro 3 not working correctly

Hi JulianSchubert,

Thank you for posting your question in the Microsoft Community

TPM will lock itself out after a few incorrect authentication attempts. These could be due to incorrect PIN entry for BitLocker or incorrect PIN entry for TPM virtual smartcard PIN. For TPM version 1.2, the lockout behavior depends
on individual TPM manufacturer. For TPM 2.0, the specification states that the TPM will enter lockout after 32 incorrect attempts.

To terminate this BitLocker recovery loop, you need to suspend BitLocker within WinRE, I suggest you to follow the below steps.

Step 1:

1. Choose the “Skip this drive” link at the bottom of the page where you are asked to enter the recovery key. You should be presented with a menu that will let you get to a command prompt (The sequence is Advanced
   options -> Troubleshoot -> Advanced options -> Command prompt).
   
2. Once you have a command prompt,
   use the following command to check the BitLocker status of the C: drive:
   manage-bde -status c:
   
3. If the status is returned as locked, you’ll need to use the following command to unlock it using your recovery password:
   manage-bde -unlock c: -rp <your 48-digit recovery password>
   
4. Once the drive is unlocked you'll need to use the following command to suspend protection:
   manage-bde -protectors -disable c:
   
5. Then exit and reboot. The computer should now successfully boot Windows. Once there, use the BitLocker control panel to resume BitLocker protection.
   
6. You can reset TPM lockout using
   tpm.msc
   

Note: The recovery loop can occur for other reasons such as cases where TPM is disabled or malfunctions. You can still use the above steps to suspend BitLocker and boot Windows in such cases

Hope it helps.

 

Windows 10 BitLocker and TPM lockout

Hi,

I have hit an issue with BitLocker which uses TPM on a Windows 10 laptop.

In the past you were able to take ownership of the TPM and export the key/password. The current version of Win10 no longer allows this. This would all be fine if you no longer needed the key. Unfortunately on this laptop the TPM has now got itself in a locked
state after too many failed logins by the user. We were eventually able to login with the BitLocker recovery key after it rejected it initially. However because Windows retains ownership we do not have the TPM key and therefore we cannot do the reset.

I have trawled various TechNet articles and cannot see how we are supposed to resolve this. Does the TPM automatically clear the lockout itself after a period of time?

I have suspended BitLocker on that computer. It looks like I cannot resume it until the TPM lockout has ended.

Isn't this an oversight on how we are supposed to be able to resolve issues?

Thanks!

Stephen.

 

Win10 Bitlocker and Interactive logon: Machine account lockout?


There is a Bitlocker PIN (Which you enter in to the Blue Screen), then there is a separate password for your Windows account. The local security policy setting "Interactive Logon: Machine Account Lockout Threshold" is specifically for use in conjuction with Bitlocker encrypted systems. If you have this policy set, it prevents Brute-Force Logon in to Windows. You must first enter your Bitlocker PIN (If set), then you must also log in to Windows. If you use the wrong password too many times on your Windows account, that local security policy will cause the system to go in to Bitlocker Recovery Mode.