windows-itpro-docs
Name for TPM 2.0 lockout authorization value is not as described
Under "Configure the level of TPM owner authorization information available to the operating system", the page states that the name for the lockout authorization value under TPM 1.2 is `OwnerAuthFull`, while under TPM 2.0 it's `LockoutAuth`. However, on Windows 10 20H2 and Windows 11 with TPM 2.0, `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin\` only has `OwnerAuthFull`.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 3492cc23-3415-c41e-f68a-7e648a522c3e
- Version Independent ID: 1299343a-f7ee-af5b-5e2c-9bc68d370426
- Content: TPM Group Policy settings (Windows) - Windows security
- Content Source: windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
- Product: m365-security
- GitHub Login: @Dansimp
- Microsoft Alias: dansimp
Hello @wmjdgla, don't you have "LockoutHash" there? This value contains the base64-encoded LockoutAuth. I have it on 1909.

Thank you
Hi @MaratMussabekov,

Yep, I have `LockoutHash`, however using `LockoutHash` to change the lockout authorization failed, but using `OwnerAuthFull` succeeded.

Strangely, after updating my 20H2 machine in the past few weeks, `OwnerAuthFull` is now gone. The key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin` now just contains:

- `LastAuthLevel`
- `LockoutHash`
- `OwnerAuthStatus`
- `SRKPub`
- `StorageOwnerAuth`

Using `LockoutHash` to change lockout authorization still failed. So after the update, I now have no way to change lockout authorization.

Meanwhile my Windows 11 machine that hasn't been updated still has `OwnerAuthFull` along with all the values in 20H2. Just to be sure, I reset the TPM again to generate new `LockoutHash` and `OwnerAuthFull` values, and then tried to change lockout authorization again. The results remain the same: `LockoutHash` failed while `OwnerAuthFull` succeeded.
@e0i Just to clarify, this is not a question.

If the name of the lockout authorization value is `LockoutHash`, then the article is still erroneous because it uses `LockoutAuth`, not `LockoutHash`. If the correction was to use the term `LockoutHash`, then the article would still be erroneous because my tests showed that the value of `LockoutHash` is not lockout authorization; instead lockout authorization is stored in `OwnerAuthFull`. However, the article states that `OwnerAuthFull` applies only to TPM 1.2, but I'm using TPM 2.0 here.

And now that `OwnerAuthFull` has been removed with the recent Windows update on my 20H2 TPM 2.0 machine, it means that lockout authorization is no longer stored on the machine, again contradicting the article.
Hello, yes, I tried and can confirm that `LockoutHash` doesn't allow resetting the TPM lockout. Among the registry values expected for TPM 2.0, only `EndorsementAuth` is present in the registry. Dear @Dansimp, can it be checked with a production team? Thank you
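As an added diagnostic that is not part of this issue thread, the following PowerShell reports which of the value names discussed above actually exist under the `Admin` key on a given machine, alongside the TPM spec version reported by the `Win32_Tpm` WMI class, so the result can be compared with the article's TPM 1.2 / TPM 2.0 table. It only enumerates value names and never reads the authorization blobs themselves; the key is ACL-restricted, so it is assumed to run from an elevated prompt. The `$namesOfInterest` table and the function name are this example's own choices.

```powershell
# Added diagnostic (not from the thread or the docs): inventory the value names under
# the TPM\WMI\Admin key and compare them with the names the article and this thread mention.
# Run elevated; only value names are listed, the authorization values themselves are never read.
$adminKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin'

# Value names discussed above and where each one comes from (table constructed for this example).
$namesOfInterest = @{
    'OwnerAuthFull'    = 'documented as the TPM 1.2 lockout authorization value'
    'LockoutAuth'      = 'documented as the TPM 2.0 lockout authorization value'
    'LockoutHash'      = 'observed on TPM 2.0 machines in this thread'
    'StorageOwnerAuth' = 'observed on TPM 2.0 machines in this thread'
    'OwnerAuthStatus'  = 'observed on TPM 2.0 machines in this thread'
    'LastAuthLevel'    = 'observed on TPM 2.0 machines in this thread'
    'SRKPub'           = 'observed on TPM 2.0 machines in this thread'
    'EndorsementAuth'  = 'reported as the only expected TPM 2.0 value present'
}

function Get-TpmAdminValueReport {
    if (-not (Test-Path -LiteralPath $adminKey)) {
        Write-Warning "Registry key not found: $adminKey"
        return
    }
    # Get-Item returns a RegistryKey object; GetValueNames() lists names without reading data.
    $present = (Get-Item -LiteralPath $adminKey).GetValueNames()

    # TPM spec version (1.2 vs 2.0) from the Win32_Tpm class, so the report is read against the right column.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $spec = if ($tpm) { $tpm.SpecVersion } else { 'unknown' }

    # One row per name of interest, flagging whether it exists on this machine.
    foreach ($name in ($namesOfInterest.Keys | Sort-Object)) {
        [pscustomobject]@{
            SpecVersion = $spec
            ValueName   = $name
            Present     = ($present -contains $name)
            Note        = $namesOfInterest[$name]
        }
    }
    # Also surface any value under the key that neither the article nor the thread names.
    foreach ($name in ($present | Where-Object { -not $namesOfInterest.ContainsKey($_) })) {
        [pscustomobject]@{ SpecVersion = $spec; ValueName = $name; Present = $true; Note = 'present but not in the documented list' }
    }
}

Get-TpmAdminValueReport | Format-Table -AutoSize
```

Attaching the resulting table to a report like this one lets maintainers see, per Windows build and TPM spec version, which documented names are actually present.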