ResetAuthLockOut method of the Win32_Tpm class

The ResetAuthLockOut method of the Win32_Tpm class resets the time-out period or other mechanism that TPM manufacturers implement to protect against dictionary attacks on TPM authorization values. In a dictionary attack, an attacker tries to guess a correct TPM authorization value by exhaustively attempting all possible values.

Use this method if the TPM is locked out due to too many incorrect attempts at entering the owner authorization or other authorization values. When the TPM is locked out, some or all commands issued to the TPM will return an error, TPM_E_DEFEND_LOCK_RUNNING (0x80280803).

Note  This method can only be used exactly once when the TPM is locked out. If the owner authorization provided to this method is incorrect, the TPM will lock out for the entire time-out period and additional attempts at resetting the lock will fail.

Syntax


uint32 ResetAuthLockOut(
  [in, optional]  string OwnerAuth
);

Parameters

OwnerAuth [in, optional]

Type: string

A string that identifies the TPM owner.

This string must be a base64-encoded null-terminated string that contains exactly 20 bytes of binary data. Use the ConvertToOwnerAuth method to translate a passphrase to this expected format. The OwnerAuth parameter is read from the registry if none is provided.

Return value

Type: uint32

All TPM errors as well as errors specific to TPM Base Services can be returned. The following table lists some of the common return values.

Return code/valueDescription
S_OK
0 (0x0)

The method was successful.

TPM_E_AUTHFAIL
2150105089 (0x80280001)

The provided owner authorization value is incorrect. Additional attempts at resetting the lock will fail with this same error. Please wait until the time-out period or other manufacturer-specific mechanism has expired before retrying locked TPM commands.

 

Remarks

This method calls the TPM_ResetLockValue command on the TPM. The exact behavior of this method varies among TPM manufacturers. Documentation from the computer or TPM manufacturer may provide additional information on the implementation of the anti-dictionary attack mechanism.

In general, manufacturers can detect dictionary attacks by keeping track of failed authentications. If the number or frequency of failures become high enough, the TPM will lock out further commands for a certain time. Generally, the initial time-out period will be short, to allow a legitimate user a chance to correct the situation. If failures continue, the duration of each subsequent time-out period may increase rapidly.

Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).

Requirements

Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]

Namespace

\\.\root\CIMV2\Security\MicrosoftTpm

MOF

Win32_tpm.mof

DLL

Win32_tpm.dll

See also

Win32_Tpm

 

 

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.