Windows 10 IoT enterprise with Security GPOs, TPM 1.2, BitLocker and UWF enabled

D, Garfield 1 Reputation point
2021-03-22T01:17:49.027+00:00

Hello,

Looking to understand the interactions on a Windows 10 system that is security hardened, with TPM 1.2, BitLocker and UWF enabled:

  1. The TPM is enabled, owned and has a recovery key created.
  2. BitLocker is enabled and protecting the entire volume C.
  3. GPOs are applied (to name specific ones):
     - Interactive logon: Machine account lockout threshold: set to 3
       (understood that values 1 to 3 are interpreted as 4 by Windows)
     - Account lockout threshold: set to 3
  4. Windows 10 install is UEFI with Secure Boot enabled.
  5. BitLocker will use PCRs #7 and #11 (when in UEFI mode).
  6. UWF is enabled and protecting volume C.
    Note: There is no domain controller present in the scenario.

When the user logs in, after the first 2 incorrect logon attempts they will get the warning about failed password attempts. After the 4th failed attempt Windows will warn the user that the referenced account is locked out.

My understanding is that interactive login will invalidate the TPM after 4 tries based on the GPO, but leave the recovery key alone.

UWF basically makes the system forget anything that happened prior; however, it appears that the TPM is aware of what is going on (most likely by updating PCRs).

So, if the user reboots the system, Windows should forget what has transpired. However, if you power cycle, you don't have 3 more tries, but after 2 attempts BitLocker springs into action.

Is the GPO making a programmatic call to the TPM Base Service API to revoke the attestation?


1 answer

  1. Teemo Tang 11,436 Reputation points
    2021-03-22T06:42:15.353+00:00

    “My understanding is that interactive login will invalidate the TPM after 4 tries based on the GPO, but leave the recovery key alone.”
    Yes, your understanding is correct.
    This GPO is a setting to use when you have sensitive data stored on workstations/laptops which are using TPM only for BitLocker. If you lose a laptop which is only protected by TPM then it is possible to attempt to brute force the account on the CTRL-ALT-DEL screen. With this setting in place after 4 attempts you can no longer even boot to logon screen without a BitLocker recovery key. This is why it is part of the BitLocker baseline.
    As for the Unified Write Filter (UWF) feature, it doesn't have anything to do with BitLocker and will not influence BitLocker's behavior or policy settings.

    Interactive logon: Machine account lockout threshold
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold


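As an added example (not code from the thread or from Microsoft's documentation), the PowerShell audit below checks the pieces this scenario depends on before the lockout policy is relied upon: a ready TPM, Secure Boot, a BitLocker-protected C: with both a TPM protector and a recovery password protector, and the configured lockout threshold. It assumes the "Machine account lockout threshold" policy is backed by the `MaxDevicePasswordFailedAttempts` value under the Lsa registry key; the cmdlets `Get-Tpm`, `Get-BitLockerVolume` and `Confirm-SecureBootUEFI` are standard on Windows 10 and need an elevated prompt.

```powershell
# Added audit script, not part of the original thread.
# Assumption: the policy is stored in this Lsa registry value.
$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PolicyValue = 'MaxDevicePasswordFailedAttempts'

function Get-LockoutAudit {
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $threshold = (Get-ItemProperty -Path $LsaKey -Name $PolicyValue `
                    -ErrorAction SilentlyContinue).$PolicyValue
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }  # $false on legacy BIOS

    [pscustomobject]@{
        TpmReady            = $tpm.TpmReady
        SecureBoot          = $secureBoot
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        HasTpmProtector     = ($types -contains 'Tpm')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        LockoutThreshold    = $threshold        # $null means the policy is not set
        # Windows enforces values 1-3 as 4, as noted in the question
        EffectiveThreshold  = if ($threshold -ge 1 -and $threshold -le 3) { 4 } else { $threshold }
    }
}

$audit = Get-LockoutAudit
$audit | Format-List

# Once the threshold is reached the TPM protector is invalidated, so the
# recovery password is the only way back into the volume: check it exists
# and that its protector ID matches whatever backup you keep of it.
if ($audit.LockoutThreshold -and -not $audit.HasRecoveryPassword) {
    Write-Warning 'Lockout threshold is set but C: has no recovery password protector.'
}
if ($audit.HasRecoveryPassword) {
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId | Format-Table -AutoSize
}
```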
