Forum Discussion

Bear31Fr
Copper Contributor
Jul 27, 2024

BitLocker setup: the max attempts before needing the recovery code

I'm trying to configure BitLocker with GPO for Windows 11 H2 workstations.

My need: after 4 wrong PIN codes are entered, the user must enter the recovery code.


I've tried these GPOs, without success:


Computer Configuration > Administrative Templates > System > Trusted Platform Module Services

  • Standard User Individual Lockout Threshold: Enabled
  • Maximum number of authorization failures per duration = 4
  • Standard User Total Lockout Threshold: Enabled
  • Maximum number of authorization failures per duration = 4

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

  • Allow enhanced PINs for startup: Enabled
  • Configure minimum PIN length for startup: Enabled
  • Minimum characters = 8

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

  • Interactive logon: Machine account lockout threshold = 4

With PowerShell:

Get-Tpm

  • LockoutHealTime = 10 minutes
  • LockoutMax = 31


Clear-Tpm

  • LockoutHealTime = 2 hours
  • LockoutMax = 10


I don't understand why the TPM value (LockoutMax) is 31. I want it to equal 4. Where am I wrong?


Thanks in advance

2 Replies

    Nguyenais
    Iron Contributor
    By default, BitLocker allows a maximum of 32 attempts to enter the correct PIN or password before requiring the recovery key. After these 32 attempts, the system will lock out further attempts and prompt for the recovery key to unlock the drive. Users can configure this threshold using Group Policy settings to a lower number of attempts if needed.
      Bear31Fr
      Copper Contributor

      Nguyenais, thanks for your message.


      As mentioned previously, I already tried the rules dedicated to the TPM:


      Computer Configuration > Administrative Templates > System > Trusted Platform Module Services

      • Standard User Individual Lockout Threshold: Enabled
      • Maximum number of authorization failures per duration = 4
      • Standard User Total Lockout Threshold: Enabled
      • Maximum number of authorization failures per duration = 4


      Can you tell me which GPO rules I should use?

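The PowerShell script below is an added example for this thread; it is not code posted by either participant. It puts side by side the three things the discussion is about: the lockout parameters the TPM itself enforces (the LockoutMax / LockoutHealTime values the original poster read with Get-Tpm), the registry values that the "Trusted Platform Module Services" policies write when the GPO applies, and the key protectors present on the OS drive. Get-Tpm and Get-BitLockerVolume are the standard cmdlets from the TrustedPlatformModule and BitLocker modules; the registry key and value names are assumptions taken from the TPM ADMX and should be confirmed against the ADMX on your own management station.

```powershell
# Added example for this thread (not the original poster's or a reply's code).
# Run in an elevated PowerShell session on the workstation being diagnosed.
# It shows, side by side:
#   1. the lockout parameters the TPM itself enforces (what Get-Tpm reports),
#   2. the standard-user lockout policy values written by the
#      "Trusted Platform Module Services" GPOs (registry key and value names
#      are assumptions taken from TPM.admx; confirm them on your ADMX copy),
#   3. the key protectors on the OS volume (TpmPin is expected for a PIN setup).

#Requires -RunAsAdministrator

function Get-TpmLockoutState {
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        LockedOut       = $tpm.LockedOut
        LockoutCount    = $tpm.LockoutCount    # authorization failures counted so far
        LockoutMax      = $tpm.LockoutMax      # failures before the TPM locks itself
        LockoutHealTime = $tpm.LockoutHealTime # time for the TPM to forget one failure
    }
}

function Get-TpmStandardUserLockoutPolicy {
    # Assumed registry location and value names for the TPM GPOs.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $valueNames = @(
        'StandardUserAuthorizationFailureIndividualThreshold'
        'StandardUserAuthorizationFailureTotalThreshold'
        'StandardUserAuthorizationFailureDuration'
    )
    foreach ($name in $valueNames) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $value = '(not configured)'
        if ($null -ne $item) { $value = $item.$name }
        [pscustomobject]@{ Policy = $name; Value = $value }
    }
}

function Get-OsDriveKeyProtectors {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

Write-Host '== TPM lockout state (enforced by the TPM itself) =='
Get-TpmLockoutState | Format-List

Write-Host '== Standard-user TPM lockout policy (registry written by the GPO) =='
Get-TpmStandardUserLockoutPolicy | Format-Table -AutoSize

Write-Host '== BitLocker key protectors on the OS drive =='
Get-OsDriveKeyProtectors | Format-List
```

Run it before and after a `gpupdate /force` and reboot. If the policy values show up under the registry key but LockoutMax reported by Get-Tpm does not move, the GPO is applying correctly; it is simply a different mechanism from the TPM's own dictionary-attack counter, which is the gap the original poster is observing when the policy says 4 and the TPM still reports 31.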