BitLocker "too many PIN entry attempts". Will it go away?

Not sure if I'm reading it correctly. According to this article, if the TPM somehow entered "too many PIN entry attempts" when using full disk encryption, I'll be able to enter the PIN again after 24 hours. Is that correct?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)?redirectedfrom=MSDN

I lost the recovery phrase but have the PIN, but this s* somehow displays the PIN entry window and then says it was entered too many times after I provide the correct PIN. The laptop dates back to 2018.


Solution 1:

For TPM 2.0 devices (which is what you'd get in a 2018 laptop), this seems to be the most up-to-date description.

For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.

Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.

Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours.

In short, you get one new attempt every 2 hours, so the message should go away at that point. (If it doesn't, try keeping the machine powered on, although it doesn't necessarily have to sit at the BitLocker PIN screen specifically.)

While waiting, check whether https://account.microsoft.com/devices/recoverykey has your recovery key stored.
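
The lockout arithmetic quoted in the answer above can be checked with a small model. This is an added example, not part of the original answer and not Microsoft's code. It is a simplification built only from the quoted numbers (32 failures, one forgotten every two hours); the class and function names are illustrative, and it assumes the worst case that nothing is forgotten while the machine is powered off.

```python
# Simplified model of the TPM 2.0 lockout counter as configured by Windows,
# using only the numbers quoted above. Class and method names are illustrative.
MAX_FAILURES = 32          # TPM locks at this many remembered failures
HEAL_SECONDS = 2 * 3600    # one failure is forgotten per 2 powered-on hours


class LockoutModel:
    def __init__(self, failures=0):
        self.failures = failures
        self.heal_clock = 0  # powered-on seconds since last forgotten failure

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES

    def wait(self, seconds, powered_on=True):
        """Advance time. Assumption: no healing while the machine is off."""
        if not powered_on or self.failures == 0:
            return
        self.heal_clock += seconds
        forgotten, self.heal_clock = divmod(self.heal_clock, HEAL_SECONDS)
        self.failures = max(0, self.failures - forgotten)
        if self.failures == 0:
            self.heal_clock = 0

    def try_pin(self, correct):
        """Return 'locked', 'ok' or 'fail' for one authorization attempt."""
        if self.locked:
            return "locked"      # even a correct PIN is not evaluated
        if correct:
            return "ok"
        self.failures += 1
        return "fail"

    def seconds_until_unlocked(self):
        """Powered-on time needed before the next attempt is evaluated."""
        if not self.locked:
            return 0
        excess = self.failures - MAX_FAILURES + 1
        return excess * HEAL_SECONDS - self.heal_clock


def full_reset_hours():
    """Powered-on hours for a locked TPM to forget every failure."""
    return MAX_FAILURES * HEAL_SECONDS // 3600
```

The `"locked"` result for a correct PIN matches the symptom in the question: while the counter sits at 32, the PIN is not evaluated at all.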