“My understanding is that interactive login will invalidate the TPM after 4 tries based on the GPO, but leave the recovery key alone.”
Yes, your understanding is correct.
This GPO is a setting to use when you have sensitive data stored on workstations/laptops which are using TPM only for BitLocker. If you lose a laptop which is only protected by TPM then it is possible to attempt to brute force the account on the CTRL-ALT-DEL screen. With this setting in place after 4 attempts you can no longer even boot to logon screen without a BitLocker recovery key. This is why it is part of the BitLocker baseline.
As for the Unified Write Filter (UWF) feature, it has nothing to do with BitLocker and will not influence BitLocker's behavior or policy settings.
Interactive logon: Machine account lockout threshold
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold
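As an added example (not part of the answer above), here is a PowerShell audit helper a defender can run on a workstation to confirm that the lockout threshold is actually enforced and that the OS volume carries both a TPM protector and a recovery password protector, since once the machine locks only the recovery key gets you back in. It assumes the policy is backed by the MaxDevicePasswordFailedAttempts value under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa and that the BitLocker PowerShell module is installed.

```powershell
# Added example, not code from the original answer. Assumptions: the policy
# "Interactive logon: Machine account lockout threshold" is stored as the
# MaxDevicePasswordFailedAttempts value under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
# (absent or 0 = not enforced) and the BitLocker module is available.
function Test-MachineLockoutReadiness {
    param(
        [int]$ExpectedThreshold = 4,          # the value the GPO is expected to set
        [string]$OsDrive = $env:SystemDrive   # usually "C:"
    )

    $lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsaProps  = Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue
    $threshold = [int]($lsaProps.MaxDevicePasswordFailedAttempts)   # $null casts to 0

    # The protectors on the OS volume decide what happens after the lockout:
    # the TPM protector stops releasing the key, so a recovery password is the only way back in.
    $vol   = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $result = [pscustomobject]@{
        LockoutThreshold    = $threshold
        ThresholdMatchesGpo = ($threshold -eq $ExpectedThreshold)
        BitLockerOn         = ($vol.ProtectionStatus -eq 'On')
        HasTpmProtector     = ($types -contains 'Tpm')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        Findings            = @()
    }

    if ($threshold -le 0) {
        $result.Findings += 'Lockout threshold not enforced: a TPM-only volume can be brute forced at the logon screen.'
    }
    if ($threshold -gt 0 -and -not $result.HasRecoveryPassword) {
        $result.Findings += 'Lockout enforced but no recovery password protector: a lockout would leave no way to unlock the drive.'
    }
    if ($threshold -gt 0 -and -not $result.HasTpmProtector) {
        $result.Findings += 'No TPM protector on the OS volume: the lockout threshold targets TPM-only BitLocker setups.'
    }
    return $result
}

# Run from an elevated prompt on the workstation being checked.
Test-MachineLockoutReadiness -ExpectedThreshold 4 | Format-List
```

The helper only confirms a recovery password protector exists locally; whether that key was escrowed to AD DS or Entra ID still has to be verified on the directory side.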