This policy setting lets MBAM automatically reset TPM lockouts.
During normal policy enactment cycles, MBAM checks the TPM to determine whether it is in a lockout mode. MBAM contacts the MBAM services to retrieve the TPM password hash that is associated with the client machine. MBAM attempts to reset the TPM lockout counter only if the BitLocker Recovery Key for the OS volume has been disclosed by the MBAM services. Before resetting the TPM lockout counter, MBAM checks whether any TPM protectors, such as TPM or TPM and PIN, are enabled.
If you enable this policy setting, MBAM will attempt to automatically reset the TPM lockout counter on client machines if the TPM is in a lockout mode.
If you disable or do not configure this policy setting, MBAM will not attempt to automatically reset the TPM lockout counter.
Note: This policy setting has no effect on computers with TPM version 2.0 and above.
Note: For this policy setting to have an effect, the MBAM AgentService in IIS must be configured to allow retrieval of the TPM password hash.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
Value Name | TpmLockoutAutoReset |
Value Type | REG_DWORD |
Enabled Value | 1 |
Disabled Value | 0 |
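
The following client-side audit is an added example, not part of the original policy reference or of MBAM itself. It reads the registry value above and reports whether the setting can apply on the local machine, given the TPM version and the TPM protectors on the OS volume. It assumes an elevated PowerShell session with the built-in TrustedPlatformModule and BitLocker modules available; the variable and output property names are illustrative.

```powershell
# Added example: audit TpmLockoutAutoReset on the local client (run elevated).
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$valueName  = 'TpmLockoutAutoReset'

# 1. Policy value: 1 = enabled, 0 = disabled, missing = not configured.
$raw = (Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if     ($null -eq $raw) { $policyState = 'Not configured' }
elseif ($raw -eq 1)     { $policyState = 'Enabled' }
elseif ($raw -eq 0)     { $policyState = 'Disabled' }
else                    { $policyState = "Unexpected value: $raw" }

# 2. TPM specification version. SpecVersion is a comma-separated string whose
#    first field is the spec version (for example "1.2" or "2.0").
$tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$specVersion = $null
if ($tpmWmi -and $tpmWmi.SpecVersion) {
    $specVersion = ($tpmWmi.SpecVersion -split ',')[0].Trim()
}
$parsedVersion = $specVersion -as [version]   # $null if absent or unparsable

# 3. Current lockout state as reported by the TPM.
$tpm = Get-Tpm -ErrorAction SilentlyContinue

# 4. TPM-based key protectors (Tpm, TpmPin, ...) on the OS volume.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$tpmProtectors = @(
    $osVolume.KeyProtector |
        Where-Object   { "$($_.KeyProtectorType)" -like 'Tpm*' } |
        ForEach-Object { "$($_.KeyProtectorType)" }
)

# The policy has no effect on TPM 2.0 and above, so it can only apply when it
# is enabled AND a pre-2.0 TPM is present. The server-side requirement (MBAM
# AgentService allowing TPM password hash retrieval) cannot be checked here.
$canApply = ($raw -eq 1) -and ($null -ne $parsedVersion) -and
            ($parsedVersion -lt [version]'2.0')

[pscustomobject]@{
    PolicyState          = $policyState
    TpmSpecVersion       = $specVersion
    PolicyCanApply       = $canApply
    TpmLockedOut         = $tpm.LockedOut
    TpmProtectorsOnOsVol = $tpmProtectors -join ', '
}
```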