RESET TPM LOCKOUT

Similar Messages

• Account Lockout - Reset account lockout counter after

  Hi Expert,
  Would you know any disadvantages if we set the Account Lockout Policy - Reset account lockout counter after to longer value e.g. 24 hours or maximum of 99,999 minutes.?
  Regards,
  Jhun

  Hi Jhun,
  I agree with Jack that when we configure account lockout policy, both security and user experience should be considered and balanced.
  If we set the value of Reset account lockout counter after for too long,
  Users may make excessive Help Desk calls, in the meanwhile, if this value is set too short, the attacker would have more chances to crack the system.
  Therefore, administrators should take cautious when configuring policies, protecting organization’s network, and avoiding that un-related person having physical access to machines within organization.
  More information for you:
  Reset account lockout counter after
  http://technet.microsoft.com/en-us/library/hh994568.aspx
  Best Practice Active Directory Design for Managing Windows Networks
  http://technet.microsoft.com/en-us/library/bb727085.aspx
  Best Regards,
  Amy Wang

• TPM password not found in MBAM database

  There are other threads I have read through and did some troubleshooting, but still I´m stuck with this, how to get TPM password in MBAM database. Another question is, do I really need it? Isn´t recovery key enough?
  My situation is this:
  1. Computers are encrypted during Task Sequence and MBAM client is installed.
  2. During first logon MBAM client promts for PIN and encryption is complete.
  3. Bitlocker recovery key is found in MBAM Admin Web page, but not TPM password.
  What I tried to do:
  - There is no Group Policy for controling TPM password.
  - I´m member of MBAM Admin group and Helpdesk groups.
  - If I clear and initialize TPM from its mgmt console, there will not be any activity from MBAM client, and TPM password still does not go to DB
  - I have checked from SQL mgmt studio, that TPM hash is NULL
  - I tried to use TPM-EK vbs script before and after encryption, there is no effect.
  So how to get TPM password to DP? Specially I´m intresting in scenario where Computer is already encrypted.

  MBAM has to own the TPM to store the password. During a task sequence, follow the steps below. The steps assume pre-provisioning, but the concept is the same even if you don't use it.  If the machine is already encrypted and you want MBAM to store the
  password, you will have to clear the TPM and reboot. Note that this requires physical presence - someone will have to hit F1 in the preboot screen. See below for info on how to clear it via PowerShell.  The reason you want the TPM OwnerAuth password is
  that if a user types their PIN too many times in preboot, the TPM may put the machine into BitLocker Recovery and lock itself for some period of time (depends on manufacturer).  To unlock it faster after you have supplied the BitLocker Recovery Password
  and are in the OS, you have to go to tpm.msc and choose Reset TPM Lockout, supplying the TPM Owner Auth password.  If MBAM stores it, you can get this info from the Helpdesk portal.
  To configure MBAM to own the TPM and store OwnerAuth passwords
  On the client computer, open an elevated Windows PowerShell command prompt.
  Type the following Windows PowerShell commands:
  Command
  Description
  $tpm=get-wmiobject -class Win32_Tpm -namespace root\cimv2\security\microsofttpm
  Gets an instance of the TPM WMI class.
  $tpm.DisableAutoProvisioning()
  Disables TPM auto-provisioning.
  $tpm. SetPhysicalPresenceRequest(22)
  Clears the TPM.
  Restart the computer, and then confirm that you want to clear the TPM.
  For the task sequence to get MBAM to own it out of the box, do the following:
  Capture and      sysprep a WIM as you normally would.
  Mount the      captured WIM using
  dism /mount-wim /wimfile:C:\WimImages\Win7.wim
  /index:1 /mountdir:C:\AIKMount
  Load the WIM      registry -
  reg load
  HKLM\WimRegistry
  c:\AIKMount\windows\system32\config\system
  Open regedit      and browse to hklm\WimRegistry\system\controlset001\services\TPM\WMI and      add the two reg keys that
  Jim mentioned
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tpm\WMI: NoAutoProvision [REG_DWORD]
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tpm\WMI: NoDisableOwnerClear [REG_DWORD]
  Close regedit
  Unload the WIM      registry -
  reg unload HKLM\WimRegistry
  Commit changes      to the WIM and unmount -
  dism /unmount-wim /mountdir:C:\AIKMount
       /commit
  Went to MDT      2012 Update 1 and my deployment share.
  Edited the      ZTIBDE.wsf script in MDT to tell it not to take ownership of the TPM. 
  In that script, replace the TPMValidate      function with what I have below (I just commented out the SetTPMOwner      lines)
  Function TpmValidate ()
  Dim iRetVal, sCmd, sTpmOwnerPassword
  iRetVal = Success
  '// Set oTpm to valid instance
  iRetVal = GetTpmInstance()
  TestAndFail iRetVal, 6734, "Get TPM Instance"
  '// Set global booleans for TPM state. Error bubble handled by subs
  iRetVal    = GetTpmEnabled()
  TestAndFail iRetVal, 6735, "Check to see if TPM is enabled"
  iRetVal = GetTpmActivated()
  TestAndFail iRetVal, 6736, "Check to see if TPM is activated"
  iRetVal = GetTpmOwner()
  TestAndFail iRetVal, 6737, "Check to see if TPM is owned"
  iRetVal = GetTpmOwnershipAllowed()
  TestAndFail iRetVal, 6738, "Check to see if TPM Ownership is allowed"
  iRetVal = GetEndorsementKeyPairPresent()
  oLogging.CreateEntry "TpmEnabled: " & bTpmEnabled, LogTypeInfo
  oLogging.CreateEntry "TpmActivated: " & bTpmActivated, LogTypeInfo
  oLogging.CreateEntry "TpmOwned: " & bTpmOwned, LogTypeInfo
  oLogging.CreateEntry "TpmOwnershipAllowed: " & bTpmOwnershipAllowed, LogTypeInfo
  oLogging.CreateEntry "EndorsementKeyPairPresent: " & bEndorsementKeyPairPresent, LogTypeInfo
  '// Single instance check to allow future corrective action branching.
  TestAndFail bTPMEnabled, 6739, "Check to see if TPM is enabled"
  TestAndFail bTPMActivated, 6740, "Check to see if TPM is activated"
  TestAndFail bTpmOwned or bTpmOwnershipAllowed , 6741, "Check to see if TPM is owned and ownership is allowed"
  If bTpmOwned <> True AND bTpmOwnershipAllowed = True Then
  If oEnvironment.Item("TpmOwnerPassword") <> "" Then
  oLogging.CreateEntry "TPM Ownership being intiated.", LogTypeInfo
  'iRetVal = SetTpmOwner(oEnvironment.Item("TpmOwnerPassword"))
  TestAndFail iRetVal, 6741, "TPM Owner Password set"
  ElseIf oEnvironment.Item("AdminPassword") <> "" Then
  oLogging.CreateEntry "TPM Ownership being intiated with AdminP@ssword (not TPMOwnerP@ssword).", LogTypeInfo
  'iRetVal = SetTpmOwner(oEnvironment.Item("AdminPassword"))
  TestAndFail iRetVal, 6742, "TPM Owner P@ssword set to AdminP@ssword"
  Else
  oLogging.CreateEntry "TPM Ownership being intiated with Default p@ssword (not TPMOwnerP@ssword).", LogTypeInfo
  'iRetVal = SetTpmOwner("M0nksH00d!4T3al")
  TestAndFail iRetVal, 6743, "Set TPM Owner P@ssword to value"
  End If
  End If
  TpmValidate = Success
  End Function
  Grab the      StartMBAMEncryption.wsf script from
  here
  and edit out those same lines as above.
  Added the      following files to an MDT application.      
  Set the app to run cscript.exe startmbamencryption.wsf      /MBAMServiceEndPoint:http://<yourmbamserver>/MBAMRecoveryAndHardwareService/CoreService.svc
  Added the MBAM      agent installer as an application
  Added the MBAM      agent to the task sequence
  Added the Start      MBAM Encryption app to the task sequence
  Set      OSDBitLockerMode=TPM and IsBDE=True in customsettings.ini
  Made sure this was a bare metal machine where the TPM was clear (for testing, you can clear it from the BIOS, just make sure it is activated).
  Ran the TS on      the box.
  Result:
  BitLocker was pre-provisioned and activated, and MBAM took ownership of the TPM which escrowed the OwnerAuth info to MBAM.

• Bitlocker requests recovery key every time

  I have a T440s. The motherboard died and was replaced by Lenovo. I had Bitlocker drive encryption enabled. Now, ever time I reboot, I am required to enter the Bitlocker Recovery Key. I can't figure out how to fix this so I don't have to type it every time!
  I've tried, to no avail:
  1) In BitLocker Manager, I clicked on  "Suspend Protection" and then  "Resume Protection". When I reboot, I get prompted for recovery key again.
  2) In BitLocker Manager, I clicked on  "Suspend Protection", rebooted and wasn't asked for the Recovery Key. But, on subsequent reboots, I am asked for recovery key. I read that Protection is automatically enabled (after Suspend) on next boot.
  3) Ran this commands at elevated command prompt:
  Manage-bde -protectors -delete C: -type TPM
  and I get this error msg:
  Volume C: []
  Key Protectors of Type TPM
  ERROR: No key protectors found.
  I've googled quite a bit and can't figure out what else try, short of decrypting the drive and reencrypting it.
  Thank you!

  I have Win 8.1.  Yeah, I checked via tpm.msc and it looks like TPM is activated:
  Status: "The TPM is ready for use."
  And under TPM Manufacturer Info, it says Manf Name: TPM, Manf Version: 13.12, Specification Version: 1.2. 
  And in the Actions on right pane, "Prepare the TPM" is greyed out. And these actions are available: Turn TPM Off, Change Owner Password, Clear TPM, and Reset TPM Lockout.
  I've been wondering about turning TPM off and on. Would that screw things up?

• Bitlocker with TPM and PIN testing?

  Good day all,
  We are about to deploy 10 Surface Pro 3's running Windows 8.1 Enterprise x64. We have enabled the TPM, enabled "Allow Enhanced PINS for Startup", "Pre-boot Keyboard" and turned on Bitlocker through the gui which recommended setting
  a PIN which I did.
  Everything seems to work as it should, how can I be convinced TPM and PIN are working together? I seem to be able to punch into Bitlocker many bad passwords without warning or asking me to reboot which is does for all other laptops without tpm.
  1. How many bad password attempts do I get with TPM by default before lockout?
  2. Where is my *.tpm recovery key?
  3. Why when the TPM locks out can I still gain entry by typing in the Bitlocker PIN (not recovery password)
  4. I want TPM to lockout after 5 incorrect attempts.
  To test the TPM working I disabled the TPM in the BIOS and on next reboot Bitlocker asked for the Recovery Password which to me proves Bitlocker private encryption keys are safely held in the TPM. Is this safe to presume TPM is working?
  here is the output from manage-bde and get-tpm status
     Size:                 59.11 GB
      BitLocker Version:    2.0
      Conversion Status:    Fully Encrypted
      Percentage Encrypted: 100.0%
      Encryption Method:    AES 128
      Protection Status:    Protection On
      Lock Status:          Unlocked
      Identification Field: Unknown
      Key Protectors:
          TPM And PIN
          Numerical Password
  TpmPresent          : True
  TpmReady            : True
  ManufacturerId      : 1229346816
  ManufacturerVersion : 5.0
  ManagedAuthLevel    : Full
  OwnerAuth           : u2uAKH0Sr+d98s+oGXLLU8DHUuc=
  OwnerClearDisabled  : True
  AutoProvisioning    : Enabled
  LockedOut           : False
  SelfTest            : {}

  Hi Paddy,
  "1. How many bad password attempts do I get with TPM by default before lockout?"
  It depends on the the TPM chips.
  "Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM"
  "4.I want TPM to lockout after 5 incorrect attempts."
  We can set the group policy "Standard User Individual Lockout Threshold " in this path (Check the detailed information of this policy):
  Computer Configuration\Administrative Templates\System\Trusted Platform Module Services\
  Here is a link for reference("About TPM lockout" part and "Use Group Policy to manage TPM lockout settings"part ):
  Manage TPM Lockout
  https://technet.microsoft.com/en-us/library/dn466535.aspx
  "2. Where is my *.tpm recovery key?"
  When we set owner of the TPM ,we will be given a chance to save the TPM passowrd .
  And when the BitLocker recovery key is saved to a file, BitLocker also saves a TPM owner password file (.tpm) with the TPM owner password hash value.We also can save them to the AD (Check the group policy in the same path as before). Have you tried to save
  the recovery keys to a external media ?
  Here are links for reference:
  Reset the TPM Lockout (Check the first part)
  https://technet.microsoft.com/en-us/library/dd851452.aspx?f=255&MSPPError=-2147217396
  Windows Trusted Platform Module Management Step-by-Step Guide(Check "Step 2: Set ownership of the TPM" part )
  https://technet.microsoft.com/pt-pt/library/cc749022%28WS.10%29.aspx?f=255&MSPPError=-2147217396
  "3. Why when the TPM locks out can I still gain entry by typing in the Bitlocker PIN (not recovery password)"
  When the TPM is locked out, it is also possible that the user will enter the correct PIN, but the TPM will respond as if the incorrect PIN was entered for a period of time.
  Check the "When should I reset the TPM lockout" part .
  Reset the TPM Lockout
  https://technet.microsoft.com/en-us/library/dd851452.aspx?f=255&MSPPError=-2147217396
  " Is this safe to presume TPM is working?"
  From the output of the command line ,we can get the information that the TPM is working .It is not recommended to disable the TPM when the data is encrypted with TPM .
  Best regards

• Resetting Protector Failed

  Hello,
  New to this Forum.  
  One of my user tried entering bit locker pin wrongly and made a mistake of re-entering the pin again and again.  Now when, I try to reset the pin getting following error.
  RESETTING YOUR PROTECTOR FAILED FOR AN UNKNOWN REASON.  PLEASE TRY THE ACTION AGAIN.
  I tried to do the same from command prompt - but here, I get different error message
  The command, I used was manage-bde -changepin c:
  The error - THE TPM IS DEFENDING AGAINST DICTIONARY ATTACKS AND IS IN A TIME OUT PERIOD.
  I tried to reset TPM Reset Lockout from TPM.MSC - Unsuccessful as, I do not have the OWNER PASSWORD.
  Is there a way to reset the pin and get it working?  Appreciate your help.
  Thanks
  Lan

  Run Manage-Bde -protectors -Delete C:
  Reboot the machine.
  Run Manage-bde -protectors -Add C: -TPMAndPIN.
  This should allow you to change the PIN.

• Exchange lockouts

  After setting up two users with the new iphone 3g, thier exchange accounts are getting locked out. I have called our IT vendor, but they are a little slow getting out.
  1st user had no issues with original phone, that went back to apple with a screen related problem. He used a loaner phone from our AT&T rep for a week with no issues. I set up his new phone today (apple sent a new one) - it would no validate his account info untill I changed his password in the active directory. Now his account is locking out, and the iphone wont sync anymore.
  2nd user immediatly had problems. Account vaildates, then locks her out of exchange account. her phone was set up last week - it recieves email with no problems, but her outlook on her desktop is constantly asking for her password.
  I have 4 other users with new 3g phones who are reporting no issues... 15 or so users with Samson Blackjacks that work flawlessly.
  Is anyone else having exchange lockout issues after setting up new iphones?

  Just one more person posting here to state that this is a HUGE issue for our organization.  We have hundreds of ActiveSync users, and any time someone changes their Active Directory password I can almost guarantee their cell phone will lock them out.
   Last time I did the math, approximately 75% of our account lockouts were caused by Exchange ActiveSync.
  This amounts to a self-inflicted DOS attack because the ActiveSync protocol is severely flawed as far as I can tell.  Why should the phone continue bombarding the server with authentication requests with a known bad password?  Shouldn't it just
  STOP until the user updates the password in the phone?
  Kapil, to answer your questions:
  1) Default Domain Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies/Password Policy:
  Account lockout duration: 0 minutes
  Account lockout threshold: 10 invalid logon attempts
  Reset account lockout counter after: 30 minutes
  2) Get-ActiveSyncMailboxPolicy reveals that our MaxDevicePasswordFailedAttempts is set to 8.  However, as others have pointed out already, this value is irrelevant.  It refers to the mobile device's password to access the device itself, not for
  the Exchange password used by ActiveSync.

• Account lockout duration

  Our Default Domain Policy GPO (linked at the domain level), has the following settings configured:
  Account lockout duration: 60 minutes
  Account lockout threshold: 3 invalid login attempts
  Reset account lockout coutner after: 30 minutes
  Using both RSOP in Group Policy Management and GPRESULT on the local machine, I can see that the above policy is applied.
  However, when a user account is locked out, it is not automatically unlocked after 60 minutes.
  Thoughts?

  Hi,
                                        Heres a short list of things
  you should check if youre encountering trouble with your Password Policy settings (they dont get applied).
                                         # 1 Is your Password Policy
  linked at the domain level?
                                        Have you linked it to the domain?
  If not, you should. The Password Policy is only effective if its linked to the domain level. On OU level, the settings you specify in the policy will target the local machines user accounts and their passwords. Not the AD accounts people log on with.
  The password settings dont need to be made in the Default Domain Policy. It can be any policy that you create. See # 2.
  # 2 Are there multiple policies at the domain level that implement Password Policies?
                                        This is pretty similar to the Highlander.
  There can only be one. One Password Policy. So - when there are multiple policies that implement password settings, the one applied last gets active. What that means is that you need to make sure that your password policy is linked at the top of
  the list of policies for the domain level. You can see that in GPMC. The policies linked to the domain have a specific order and they get applied from the bottom up. Logic says that the policy at the first position is applied last - so that should be the policy
  your password settings are in.
  # 3 Make sure policy inheritance isnt blocked at the Domain Controllers OU
                                        When inheritance is blocked at the
  Domain Controllers OU, the password policy cannot be applied and the old policy will stick at the DCs. That would result in the fact that they wont check for the new complexity.
  Regards, Koustov Choudhury

• Unlocked Virtual Smart Card using the PUK and Adminkey

  At my company we use virtual
  smart card with WIN8.1
  and some user has blocked you from failed attempts
  by the VSC. The question is
  whether there is a tool that allows unlocked
  the virtual smart card using
  the PUK or Adminkey password? The error
  that occurs to me is the following:
  “The security device cannot process the PIN.
  The PIN has been blocked temporarity because too many incorrect PINs have been entered, Try again later. If this message reoccurs, contact your administrator to reset the lockout
  period for this security device”

  Hi dtencio,
  It`s unreasonable to use PUK or Admin key instead of PIN ,because
  the VSC uses two-factor authentication and this guarantees the pc`security.
  To get more information, here is link for reference:
  Evaluate Virtual Smart Card Security
  http://technet.microsoft.com/en-us/library/dn579257.aspx
  When PIN is blocked or the TPM is in a lockout state, we recommend you to contact with your administrator to reset user PIN or reset lockout of TPM.
  If you are tired of the frequent blocked or locked out issue, we recommend you to contact with your administrator to change the lockout time in policy.
  Best regards 

• Stuck in restore because of error

  I bought an IPOD 8gig used.
  I wanted to wipe the other users information and downloads from the IPOD.
  I did a system restore home sleep key hold and placed the IPOD into restore mode.[to format]
  I had connected and downloaded ITUNES from the most obivious link.
  after words the pc chrashed while in restore mode. [ suht down in the middle of it]
  when i tried to complete the restore the program cept restoring to the download in a cache tempory location which made it imposable to redownload the update.
  error 1604 unknown.
  ok so i continue to try for 2 days to get this thing out of restore and get the software needed to reset it to factory.
  no disks its a ipod touch.
  it completly crupted my computer resulting in an image restoration.
  guess why?
  the driver installed that my pc was trying to use was a windows 7 driver..
  I'm running windows xp sp3
  clean install of ITUNES
  reading more slowly i noticed a linlk to itunes 10 download at the bottem of the obivius download link page.
  which took me to a detail page for the itunes 10.6...blka bla bla download
  at the bottem of the left column on the page is a very small JVA link to get itunes for windows.
  I clicked and downloaded and am now getting the 3 gig software for my IPOD Touch.
  system restore before you installed itunes and get the download from there

  Jumped the gun this did not work same result.
  error1604.
  using ipod on a new computer.
  thinking maybe something to do with the 5 computer limitation?
  trying to download  from another source other then itunes support.
  There really is no help for this at all no explanation or anything....
  I dont understand how these things even sell ?
  It had the software on it and was working the battery was fully charged before attempting to restore the firmware.
  I have DSL and have downloaded the firmware twice from itunes .
  itunes sees my ipod touch but can not use it untill it is restored.
  so the usb should be fine.... right?
  also wondering if i open the ipod up and remove and reinstall the battery if it wont reset a lockout ?
  this really kinda ***** ***.

• DS 6 - passwordRetryCount and Account Unlock

  Previously, we used to remove the passwordRetryCount attribute in DS 5.2 to unlock an account that had been locked by exceeding the password retry limit.
  I'm not seeing DS 6 work in the same fashion. Is there a way to programatically 'unlock' a locked account?

  If you need to programatically lock and
  unlock accounts, perhaps you can use the
  nsAccountLock attribute, which is intended forthat
  purpose.The original post was regarding the act of unlocking
  an account after the DSA has locked it due to
  excessive password retry errors. The DSA uses the
  operational attributes rather than the nsAccountLock
  attribute and the only way for an "administrator" to
  unlock the account without altering the old
  passwordRetryCount attribute or deleting the newer
  operational attributes is to change the password.
  If your users don't mind having their password reset
  every time they fat finger that 12
  alphanumeric+special character password 3 times in a
  row that they're required to come up with every 90
  days ( and they're not allowed to use their previous
  ten passwords ) then that's obviously the way to go.Could you increase passwordMaxFailure to a value large enough that you can be fairly sure that the user really has forgotten the password? Since the intention of the auth-failure-lockout policy is to thwart dictionary attacks, a passwordMaxFailure value of 6 or even 10 would not weaken the policy.
  Also don't forget the a**holes running around who
  just love to intentionally enter another user's
  password wrong just to make their day. That is one of the purposes of the auth-failure-lockout timeout. You can set passwordUnlock:on and passwordLockoutDuration to some value like 600 (10 minutes), again without significantly reducing protection against dictionary attacks. You might want to look at enabling passwordResetFailureCount, also, although I'm not sure what value it offers in this scenario.
  >
  Naturally, these anal retentive password polices
  don't exist for everyone's environment but some of us
  are forced to endure them.Obviously, you are pretty familiar with Directory Server administration. Can you convince whomever sets the security policy for your organization that allowing an adminstrator to manually reset the lockout is not any more secure than tuning the Directory Server policy to automatically handle it?
  On a related note, if you want to monitor dictionary attack attempts by scanning the access log, we made some changes in Directory Server 6 so that the "additional information" returned to the client is now written in the log. So you could periodically look for the string "Exceed password retry limit. Account locked." in the access log. I'm not sure if logconv has been updated to help with this search.

• Lenovo has different F8 screen, can't get to safe mode with command prompt - account locked out

  Thinkpad W500, Win7Pro.  Can't login: "the referenced account is currently locked out and may not be logged on to". I need to boot to safe mode with command prompt to enable the Administrator account (disabled by default) with a "net user administrator /active:yes" command, but Lenova has their own recovery and interfaces which are preventing me from accessing with normal windows techniques. I either need to be able to get a command prompt on the true C: drive, or reset this lockout situation, and fast...  Waiting more than 180 minutes did not work, and using system restore is not an option-key software patches and additions make this very unattractive, and I know how to do that. 
  Optional Information:
  Computer OS: Windows 7
  Browser: IE
  Already Tried:
  -ThinkVantage button (reg and advanced views) -a boot disk for pwd reset program (I know password, but I am locked out - didn't help) -F8, Repair options and all safe modes -NOT system restore, as we are trying to not undo months of software revisions - we just need to login!

  If we take the error messages seriously, then probably the first thing that you would have to do would be to replace the malformed library:
  /System/Library/Frameworks/Security.framework/Versions/A/Security
  If you have another computer with the same operating system, you could connect via target disk mode and copy over the good library to replace the bad one. I don't know if this library is different between 10.2.6 and 10.2.8. If the library were fixed, that might solve your other problems and it might not. There is no way for us to know.
  Alternatively, you could do an archive and install.

• ERROR - the ProtectKeyWithTPMAndPIN Method failed with the exit code: 8031005B

  Hello
  I am using the EnableBitlocker.vbs script to automatically assign the TPM and start the encryption. I am running it from an elevated command prompt. Here is are the arguments I am running with
  cscript EnableBitLocker.vbs /on:tp
  /l:c:\bitlockerlog.log /promptuser /ro:"MBAM" on
  All is well and it prompts the user for a PIN but then it fails.
  Here is the full log file. I haven't been able to find any info on the error code in the subject.
  Script processing started  02/07/2014       14:43:27
  Proper number of command line arguments passed to the script
  ---------------Executing with the following arguments------------------
  Enable parameters: tp
  Logging location: c:\bitlockerlog.log
  Create recovery key: No recovery key use specified
  Encryption method: 3
  Create SMS status MIF's: No SMS status MIF's will be created
  Reset TPM ownership: 1
  User prompting: 1
  Connection succeeded to MicrosoftTPM
  Successfully retrieved a TPM instance from the Win32_TPM provider class
  TPM found in the following state:
  Enabled - True
  Activated - True
  Owned - True
  Connection succeeded to MicrosoftVolumeEncryption
  TPM is in a ready state to enable BitLocker.
  Change TPM owner password specified on the command line.
  Random TPM owner password is: ;&K:)BU65|c7_v2n
  Completed converting old owner password to owner authorization:  0
  Completed converting owner password to owner authorization:  0
  Starting to change owner authorization process on the TPM
  ERROR - Failed to change owner authorization on the TPM with the following exit code:  80280001
  Successfully connected to WMI StdRegProv
  Checking if Group Policy encryption method is set...
  Found EncryptionMethod with value: 4
  Found EncryptionMethod policy registry key ignoring any /em options on command line
  Found ActiveDirectoryBackup with value: 1
  Found RequireActiveDirectoryBackup with value: 1
  Determined client Group Policy configured to require AD escrow of recovery password
  EncryptableVolumes count is: 1
  The EncryptableVolume(s) found: \\?\Volume{ad6db324-01dd-11e4-8272-806e6f6e6963}\
  EncryptableVolume used for encryption is: C:
  The volume has a protection status of: 0
  BitLocker Protection is Off
  Get conversion status is: 0
  The volume has a status of fully decrypted
  The following user is logged on: MGMT\80151318-sys
  Attempting to enable BitLocker TPM + Pin
  ERROR - the ProtectKeyWithTPMAndPIN Method failed with the exit code:  8031005B
  Script ended  02/07/2014       14:43:51
  Any and all help would be appreciated. This has worked before on a different laptop.
  Thanks

  Hi,
  This error indicates that the group policy isn't set correctly, when configure the group policy at teh server side, you should notice that only one of the additional authentication can be required at start up , otherwise a policy occurs, the notice can be
  found just like below:
  and after test, the error indeed occurs, just like the screen below:
  So, I suggest to check the group policy for bitlocker settings, you can only choose one start up authentication method.
  Regards
  Wade Liu
  TechNet Community Support

• Event 4776 Error Code: 0xC0000234 but account not actually locked out

  I am coming across several instances where a user will get the error code 0xC0000234 for event 4776 and Failure Reason: Account Locked Out for event 4625 but the account never actually locks out. I cannot find a corresponding event 644 (windows 2003) or
  4740 (Server 2008 and up) on any of our AD servers.
  Any idea why this would register as an account being locked out, but not actually lock the account out?
  Thanks!

  Hi,
  Sounds a little weird to me.
  Would you please check the account lockout policy, and post out the configured value for
  Account lockout duration,
  Account lockout threshold and Reset account lockout counter after?
  More information for you:
  Account Policy Settings
  http://technet.microsoft.com/en-us/library/cc757692(v=WS.10).aspx
  If the Account lockout duration and Reset account lockout counter after settings are set too low, the account will be unlocked very quickly after it’s locked.
  Best Regards,
  Amy

• Ipod touch had to be reset because of 20 million minute lockout.  how do i get my music and apps back on there

  My son had a 20 million minute lockout on his itouch.  It was reset at the apple store and he has lost all his music and apps.  They are on the itunes account, but I am having trouble synching his itouch to download.
  I am certain this is user error on my part, but am not sure what I am doing wrong.  Help?

  See the following.  Note that musicis not available a free redownload in all countries.
  Downloading past purchases from the App Store, iBookstore, and iTunes Store