Virtual Smart Card lock

M Eugeney 1 Reputation point
2020-09-11T09:54:46.16+00:00

Hello. Our company uses Windows authorization and some other services using a virtual smart card. The problem is that the virtual smart card is blocked after 5 incorrect PIN entries. It is the smart card that is blocked, not the TPM. Tell me, is it possible to somehow increase the number of incorrect attempts to enter or unlock a smart card after a certain period of time? I know about unblocking with the PUK and PIN of the administrator. We have a domain infrastructure (Win Server 2019 + Win 10 Pro 2004)

Windows for business | Windows Client for IT Pros | User experience | Other

6 answers

  1. Teemo Tang 11,466 Reputation points
    2020-09-14T06:59:01.687+00:00

    Can't find a way to increase the number of attempts; resetting the TPM lockout or clearing the TPM with TPM management is the normal method.
    The TPM has built-in anti-hammering technology, which essentially means that the TPM will lock itself out when invalid data is presented a number of times over a certain time threshold. If you are using a Virtual Smart Card, a number of invalid PIN entries can cause a TPM to lock out. The number of failed attempts and the time threshold are controlled with the following Group Policy settings: Standard User Lockout Duration, Standard User Individual Lockout Threshold, and Standard User Total Lockout Threshold.
    Reset TPM Lockout
    https://learn.microsoft.com/en-us/archive/blogs/xdot509/microsoft-devices-security-virtual-smart-cards-part-1-introduction-and-trusted-platform-module-updated-11262014#reset-tpm-lockout

    -------------------------------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. Teemo Tang 11,466 Reputation points
    2020-09-15T02:12:27.783+00:00

    Yes, your thought is correct.
    LockedOut. Whether a TPM is locked out.
    LockoutHealTime. The time that has to pass until you can unlock the TPM.
    LockoutCount. Number of failed attempts.
    LockoutMax. Limit of failed attempts.
    OwnerClearDisabled. Whether TPM can be reset. If this value is True, the TPM cannot be reset through the operating system by using the owner authorization value. If this value is False, the TPM can be reset through the operating system.
    More information here:
    Evaluate Virtual Smart Card Security
    https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security

    1 person found this answer helpful.
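An added example, not code from the thread or from Microsoft: a PowerShell function that reads the Get-Tpm fields listed above next to the three anti-hammering policy settings named in the first answer, so that "the card is blocked" can be told apart from "the TPM is locked out". It assumes Windows 10 with the built-in Get-Tpm cmdlet and local administrator rights; the registry value names under HKLM\SOFTWARE\Policies\Microsoft\TPM are my recollection of Microsoft's TPM Group Policy documentation, treated here as assumptions to verify against your own policy export.

```powershell
# Added example (not from the thread). Assumes Get-Tpm is available and the
# session is elevated. The registry value names below are assumed to match the
# Group Policy settings "Standard User Lockout Duration", "Standard User
# Individual Lockout Threshold" and "Standard User Total Lockout Threshold".
function Get-TpmLockoutReport {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm   # same fields as the Get-Tpm output quoted in the thread

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $lockoutMinutes = $null; $individual = $null; $total = $null
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey
        $lockoutMinutes = $p.StandardUserAuthorizationFailureDuration
        $individual     = $p.StandardUserAuthorizationFailureIndividualThreshold
        $total          = $p.StandardUserAuthorizationFailureTotalThreshold
    }

    # LockedOut is the authoritative TPM state; LockoutCount/LockoutMax show how
    # close the TPM is to its own threshold. If the TPM is NOT locked out but the
    # virtual smart card refuses the PIN, the card's own PIN retry counter is
    # exhausted and the TPM anti-hammering settings are not what blocked it.
    $diagnosis = if ($tpm.LockedOut) {
        "TPM anti-hammering lockout is active; wait $($tpm.LockoutHealTime) or reset the TPM lockout with owner authorization"
    } else {
        'TPM is not locked out; a blocked card means its own PIN retry counter is exhausted (PUK / admin key unblock applies)'
    }

    [pscustomobject]@{
        TpmLockedOut                 = $tpm.LockedOut
        TpmLockoutCount              = $tpm.LockoutCount
        TpmLockoutMax                = $tpm.LockoutMax
        TpmLockoutHealTime           = $tpm.LockoutHealTime
        OwnerClearDisabled           = $tpm.OwnerClearDisabled
        PolicyKeyPresent             = (Test-Path $policyKey)
        PolicyLockoutDurationMinutes = $lockoutMinutes
        PolicyIndividualThreshold    = $individual
        PolicyTotalThreshold         = $total
        Diagnosis                    = $diagnosis
    }
}

Get-TpmLockoutReport | Format-List
```

Run it right after a failed PIN attempt: a rising LockoutCount with LockedOut still False matches what the question describes, i.e. the card, not the TPM, is what locked.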

  3. Teemo Tang 11,466 Reputation points
    2020-09-16T08:21:32.573+00:00

    You are welcome.
    I remember a GPO that controls the number of failed sign-in attempts that will cause a user account to be locked; you can give it a try.
    Click on Run and type gpedit.msc. The Local Group Policy Editor window appears.
    Navigate to Computer Configuration\Windows Settings\Security Settings\Account Policies.
    Under Account Policies select Account Lockout Policy.
    On the right pane double click on Account Lockout Threshold and specify the number of login attempts.
    After that you will be asked to confirm the suggested values of Account Lockout Duration and Reset Account Lockout counter. The suggested values cannot be changed and the default is 30 minutes. (You will have to bear with this as this is the Microsoft Default Security Policy Setting.)
    Next click on OK or Apply to apply the changes made.

    1 person found this answer helpful.

  4. M Eugeney 1 Reputation point
    2020-09-14T10:17:21.87+00:00

    TeemoTang-MSFT, thank you for your answer.

    If I enter 5 incorrect PIN codes, the virtual smart card is blocked. The TPM module remains unlocked.

    Output of the Get-Tpm command:

    TpmPresent : True
    TpmReady : True
    TpmEnabled : True
    TpmActivated : True
    TpmOwned : True
    RestartPending : True
    ManufacturerId : 1398033696
    ManufacturerIdTxt : STM
    ManufacturerVersion : 74.8.17568.5511
    ManufacturerVersionFull20 : 74.8.17568.5511
    ManagedAuthLevel : Full
    OwnerAuth :
    OwnerClearDisabled : False
    AutoProvisioning : Enabled
    LockedOut : False
    LockoutHealTime : 10 minutes
    LockoutCount : 5
    LockoutMax : 31
    SelfTest : {}

    I think that it is the virtual smart card that is blocked, and not the TPM module. Am I wrong?
    Thank you.


  5. M Eugeney 1 Reputation point
    2020-09-15T06:32:28.46+00:00

    Thank you for your help, TeemoTang-MSFT.
    Unfortunately, I did not find a solution to my problem by following the link.
    Thus, after 5 incorrect attempts to enter the PIN, it is the virtual smart card that is blocked (not the TPM). Is there a way to increase the number of invalid PIN attempts?
