
Name for TPM 2.0 lockout authorization value is not as described

Open wmjdgla opened this issue 2 years ago • 4 comments

Under "Configure the level of TPM owner authorization information available to the operating system", the page states that the name of the lockout authorization value under TPM 1.2 is OwnerAuthFull, while under TPM 2.0 it is LockoutAuth. However, on Windows 10 20H2 and Windows 11 with TPM 2.0, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin\ only has OwnerAuthFull.



wmjdgla avatar Dec 15 '21 10:12 wmjdgla

Hello @wmjdgla, don't you have "LockoutHash" there? This value contains the base64-encoded LockoutAuth. I have it on 1909.

Thank you

MaratMussabekov avatar Jan 03 '22 11:01 MaratMussabekov

Hi @MaratMussabekov, yep, I have LockoutHash. However, using LockoutHash to change the lockout authorization failed, but using OwnerAuthFull succeeded. Strangely, after updating my 20H2 machine in the past few weeks, OwnerAuthFull is now gone. The key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin now just contains LastAuthLevel, LockoutHash, OwnerAuthStatus, SRKPub and StorageOwnerAuth. Using LockoutHash to change the lockout authorization still failed. So after the update, I now have no way to change the lockout authorization. Meanwhile, my Windows 11 machine that hasn't been updated still has OwnerAuthFull along with all the values in 20H2. Just to be sure, I reset the TPM again to generate new LockoutHash and OwnerAuthFull values, and then tried to change the lockout authorization again. The results remain the same: LockoutHash failed while OwnerAuthFull succeeded.

wmjdgla avatar Jan 04 '22 03:01 wmjdgla

@e0i Just to clarify, this is not a question. If the name of the lockout authorization value is LockoutHash, then the article is still erroneous because it uses LockoutAuth, not LockoutHash. If the correction were to use the term LockoutHash, then the article would still be erroneous because my tests showed that the value of LockoutHash is not the lockout authorization; instead, the lockout authorization is stored in OwnerAuthFull. However, the article states that OwnerAuthFull applies only to TPM 1.2, but I'm using TPM 2.0 here.

And now that OwnerAuthFull has been removed with the recent Windows update on my 20H2 TPM 2.0 machine, it means that lockout authorization is no longer stored on the machine, again contradicting the article.

wmjdgla avatar Jan 05 '22 04:01 wmjdgla

Hello, yes, I tried and can confirm that LockoutHash doesn't allow resetting the TPM lockout. Among the registry values expected for TPM 2.0, only EndorsementAuth is present in the registry. Dear @Dansimp, can this be checked with the product team? Thank you.

MaratMussabekov avatar Jan 20 '22 09:01 MaratMussabekov
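The thread turns on which value names actually exist under the TPM admin registry key on a given build. The following read-only inventory script is an added example, not code from the issue or from the windows-itpro-docs project. It assumes only the registry path and value names quoted in the comments above, plus the Win32_Tpm CIM class for reporting the TPM specification version; it reports presence and data type of each value without ever reading or displaying the authorization data itself, and must run from an elevated prompt because the key is restricted to administrators.

```powershell
# Added example (not from the issue thread): inventory the TPM admin registry
# values discussed above so a reader can see which ones a given Windows build
# exposes. Read-only; nothing is modified and no secret value data is displayed.

$AdminKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI\Admin'   # path quoted in the thread

# Value names mentioned in the thread (documented 1.2/2.0 names plus the ones
# observed on 20H2 after the update). Any other value found is reported too.
$KnownValueNames = @(
    'OwnerAuthFull', 'LockoutAuth', 'LockoutHash', 'EndorsementAuth',
    'StorageOwnerAuth', 'SRKPub', 'OwnerAuthStatus', 'LastAuthLevel'
)

function Get-TpmSpecVersion {
    # Win32_Tpm exposes SpecVersion (e.g. "2.0, 0, 1.16"); the first field is
    # the TPM family the documentation distinguishes (1.2 vs 2.0).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
    if (-not $tpm) { throw 'No TPM instance returned by Win32_Tpm.' }
    return ($tpm.SpecVersion -split ',')[0].Trim()
}

function Get-TpmAdminValueReport {
    if (-not (Test-Path -Path $AdminKey)) {
        throw "Registry key not found: $AdminKey (run elevated; key is ACLed to administrators)"
    }

    $item    = Get-Item -Path $AdminKey
    $present = @($item.GetValueNames())

    # Union of the names the thread talks about and whatever is actually there,
    # so an unexpected extra value is surfaced rather than silently ignored.
    $allNames = @($KnownValueNames + $present | Sort-Object -Unique)

    foreach ($name in $allNames) {
        $isPresent = $present -contains $name
        [pscustomobject]@{
            ValueName      = $name
            Present        = $isPresent
            # Data type only (REG_SZ, REG_BINARY, ...): the content is authorization
            # material and is deliberately not read or printed.
            Kind           = if ($isPresent) { $item.GetValueKind($name).ToString() } else { $null }
            KnownFromDocs  = $KnownValueNames -contains $name
        }
    }
}

# Usage: summarize TPM family and the value inventory side by side.
$spec = Get-TpmSpecVersion
Write-Host "TPM specification family: $spec"
Get-TpmAdminValueReport | Format-Table -AutoSize
```

Comparing the output of this script on a TPM 2.0 machine before and after a feature update reproduces the observation in the thread (OwnerAuthFull disappearing, LockoutHash remaining) without touching the lockout authorization, which is the safer way to gather evidence for a docs report than attempting a reset.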