Configure automatically resetting TPM lockouts

This policy setting lets MBAM automatically reset TPM lockouts.

During normal policy enactment cycles, MBAM checks the TPM to determine whether it is in a lockout mode. MBAM contacts the MBAM services to retrieve the TPM password hash that is associated with the client machine. MBAM attempts to reset the TPM lockout counter only if the BitLocker Recovery Key for the OS volume has been disclosed by the MBAM services. Before resetting the TPM lockout counter, MBAM checks whether any TPM protectors (such as TPM, or TPM and PIN) are enabled.

If you enable this policy setting, MBAM will attempt to automatically reset the TPM lockout counter on client machines if the TPM is in a lockout mode.

If you disable or do not configure this policy setting, MBAM will not attempt to automatically reset the TPM lockout counter.

Note: This policy setting has no effect on computers with TPM version 2.0 and above.

Note: For this policy setting to have an effect, the MBAM AgentService in IIS must be configured to allow retrieval of the TPM password hash.

Supported on: At least Windows 7

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
Value Name: TpmLockoutAutoReset
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0
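The following PowerShell audit is an added example and is not part of this policy reference or of MBAM itself. It reads the TpmLockoutAutoReset value at the registry location above, reports the live TPM lockout counters, and flags the TPM 2.0 case in which the policy has no effect, so an administrator can tell whether the setting is applied and whether it can actually do anything on a given machine. The function name Get-MbamTpmLockoutPolicyStatus is chosen here (it is not an MBAM or Windows cmdlet); the script assumes an elevated session on Windows 8 / Server 2012 or later (for Get-Tpm) and only reads state, it never resets the TPM.

```powershell
# Added audit example, not part of the MBAM policy reference.
# Reads the TpmLockoutAutoReset policy value documented above and reports the
# live TPM lockout state, flagging the TPM 2.0 case where the policy has no effect.
# Assumptions: elevated session; Get-Tpm available (Windows 8 / Server 2012 or
# later); the function name is chosen here and is not an MBAM or Windows cmdlet.

function Get-MbamTpmLockoutPolicyStatus {
    [CmdletBinding()]
    param()

    # Registry location from the policy reference above.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    $valueName  = 'TpmLockoutAutoReset'

    # A missing key or value means "Not configured", which behaves like "Disabled":
    # MBAM will not attempt an automatic reset in either case.
    $policyState = 'Not configured'
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        switch ([int]$item.$valueName) {
            1       { $policyState = 'Enabled' }
            0       { $policyState = 'Disabled' }
            default { $policyState = "Unexpected value $($item.$valueName)" }
        }
    }

    # Get-Tpm exposes the lockout counters. The TPM spec version is the first
    # field of Win32_Tpm.SpecVersion (e.g. "2.0, 0, 1.16" or "1.2, 2, 3").
    $tpm    = Get-Tpm
    $cimTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $specVersion = $null
    if ($cimTpm -and $cimTpm.SpecVersion) {
        $specVersion = [version](($cimTpm.SpecVersion -split ',')[0].Trim())
    }

    # The policy only applies to TPM 1.2; on TPM 2.0 and later it has no effect.
    $policyApplies = (
        ($policyState -eq 'Enabled') -and
        ($null -ne $specVersion) -and
        ($specVersion -lt [version]'2.0')
    )

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PolicyState    = $policyState
        TpmPresent     = $tpm.TpmPresent
        TpmSpecVersion = $specVersion
        TpmLockedOut   = $tpm.LockedOut
        LockoutCount   = $tpm.LockoutCount
        LockoutMax     = $tpm.LockoutMax
        PolicyApplies  = $policyApplies
    }
}

# Usage: run in an elevated session and inspect the single status object.
Get-MbamTpmLockoutPolicyStatus | Format-List
```

PolicyApplies is true only when the value is 1 and the TPM reports a spec version below 2.0; a machine showing PolicyState "Enabled" with PolicyApplies false is one where the setting is deployed but, per the note above, will never reset anything, which is worth knowing before relying on MBAM to clear lockouts.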

ADMX file: bitlockermanagement.admx
