Windows-itpro-docs: "After too many incorrect guesses, the device is locked."
How many times is too many?
After a device is locked, what options do Intune/MDM admins have to "unlock" it?
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: c34dbafa-df3c-a5a5-32d5-2ce152893534
- Version Independent ID: cebdd9a6-45d7-6306-373c-7d31121f9e16
- Content: Why a PIN is better than a password (Windows 10) - Microsoft 365 Security
- Content Source: windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
- Product: w10
- Technology: windows
- GitHub Login: @mapalko
- Microsoft Alias: mapalko
icelava
All 2 comments
If the key is generated in a TPM2.0, the hardware anti-hammering behavior of the TPM allows 32 PIN attempts before locking out. Once the TPM locks out, there is a cool down period of 10 minutes before another attempt can be made. The OS will allow 5 attempts before forcing the user to reboot to allow more attempts.
TPM1.2 behavior is manufacturer specific.
If a TPM is locked out it can be reset by an admin, but this will destroy all of the keys protected by the TPM. For more information about TPM lockout behavior see https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/manage-tpm-lockout
mapalko
on 16 Apr 2020
Tested this with VM.
- After 4 attempts - passphrase challenge
- After 5 attempts - require OS restart
- After 9 attempts - passphrase challenge after 30 secs
- After 10 attempts - require OS restart
- After 14 attempts - passphrase challenge after 1 min
- After 15 attempts - require OS restart
- After 19 attempts - passphrase challenge after 2 mins
- After 20 attempts - require OS restart
- After 24 attempts - passphrase challenge after 5 mins
- After 25 attempts - require OS restart
- After 29 attempts - passphrase challenge after 10 mins
- After 30 attempts - require OS restart
- After 32 attempts - PIN locked down for 2 hrs contiguous powered on.
icelava
on 20 Apr 2020
Related issues
jadelise
·
3Comments
ATR-Master
·
3Comments
SwiftOnSecurity
·
3Comments
michalzobec
·
3Comments
andrewpong
·
3Comments
Most helpful comment
If the key is generated in a TPM2.0, the hardware anti-hammering behavior of the TPM allows 32 PIN attempts before locking out. Once the TPM locks out, there is a cool down period of 10 minutes before another attempt can be made. The OS will allow 5 attempts before forcing the user to reboot to allow more attempts.
TPM1.2 behavior is manufacturer specific.
If a TPM is locked out it can be reset by an admin, but this will destroy all of the keys protected by the TPM. For more information about TPM lockout behavior see https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/manage-tpm-lockout