Looking to understand the interactions on a security-hardened Windows 10 system that has a TPM 1.2, BitLocker and UWF enabled:
1. The TPM is enabled, owned and has a recovery key created.
2. BitLocker is enabled and protecting the entire volume C.
3. GPOs are applied (to name the specific ones):
   - Interactive logon: Machine account lockout threshold: set to 3
     (understood that values 1 to 3 are interpreted as 4 by Windows)
   - Account lockout threshold: set to 3
4. Windows 10 install is UEFI with Secure Boot enabled.
5. BitLocker will use PCRs #7 and #11 (when in UEFI mode).
6. UWF is enabled and protecting volume C.
Note: There is no domain controller present in the scenario.
When the user logs in, after the first 2 incorrect logon attempts they get the warning about failed password attempts. After the 4th failed attempt, Windows warns the user that the account is locked out.
My understanding is that interactive logon will invalidate the TPM after 4 tries based on the GPO, but leave the recovery key alone.
UWF basically makes the system forget anything that happened before the reboot; however, it appears that the TPM is aware of what is going on (most likely by updating PCRs).
So, if the user reboots the system, Windows should forget what has transpired. However, if you power cycle, you don't get 3 more tries; after 2 attempts BitLocker springs into action.
Is the GPO making a programmatic call to the TPM Base Services (TBS) API to revoke the attestation?
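As an added example (not code from the original post), a PowerShell snippet that reads back each piece of the state described above, so the machine lockout threshold, the TPM's own anti-hammering counters, the BitLocker protectors on C: and the UWF state can be compared before and after a reboot versus a power cycle. The registry value name and the UWF WMI class are assumptions from my own knowledge of Windows, not from the post.

```powershell
# Added example, not from the original post. Run from an elevated prompt on the
# machine in question. Assumes the BitLocker and TrustedPlatformModule modules
# and the UWF WMI provider (root\standardcimv2\embedded) are present.

$state = [ordered]@{}

# "Interactive logon: Machine account lockout threshold" is stored as
# MaxDevicePasswordFailedAttempts under the Policies\System key (assumption:
# value name taken from Microsoft's security policy documentation).
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$state.MachineLockoutThreshold = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).MaxDevicePasswordFailedAttempts

# TPM anti-hammering state. LockoutCount/LockoutMax change only when the TPM
# itself rejects authorizations; a BitLocker fallback to the recovery key does
# not by itself require the TPM to be in lockout.
$tpm = Get-Tpm
$state.TpmReady        = $tpm.TpmReady
$state.TpmLockedOut    = $tpm.LockedOut
$state.TpmLockoutCount = $tpm.LockoutCount
$state.TpmLockoutMax   = $tpm.LockoutMax

# BitLocker on C: which protectors exist (expect Tpm plus RecoveryPassword)
# and whether protection is currently on.
$vol = Get-BitLockerVolume -MountPoint 'C:'
$state.BitLockerProtection = $vol.ProtectionStatus
$state.KeyProtectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

# UWF: CurrentEnabled is the running session, NextEnabled is what the next
# boot will get. With UWF protecting C:, unsaved writes are discarded at reboot.
$uwf = Get-CimInstance -Namespace 'root\standardcimv2\embedded' -ClassName 'UWF_Filter' -ErrorAction SilentlyContinue
$state.UwfCurrentEnabled = $uwf.CurrentEnabled
$state.UwfNextEnabled    = $uwf.NextEnabled

# Failed logons (event 4625) since the last boot. With UWF protecting C: and no
# file exclusion for the event logs, these entries do not survive a reboot,
# whereas the TPM's counters live in the chip and do.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $boot } -ErrorAction SilentlyContinue
$state.FailedLogonsThisBoot = @($failed).Count

[pscustomobject]$state
```

Run it once after a clean boot, again after the failed attempts, and once more after a reboot and after a power cycle; the TPM counters and the event count are the two columns that should diverge if the chip, rather than Windows, is remembering the attempts.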