Windows 10 – Does Clearing TPM Make BitLocker Data Unavailable?

Tags: bitlocker, encryption, tpm, windows 10, windows-10-v1607

I've learned in this answer that starting with Windows 10 v1607, Windows will not allow you to set, save or change the TPM owner password by default. So the option to reset a TPM lockout by entering the owner password does not appear to exist anymore.


The alternative is to clear the TPM. The following scenario:

  • BitLocker enabled with TPM + PIN
  • wrong PIN entered >256 times over some time
  • now TPM never allows more than one PIN attempt before entering into lockout for several minutes
  • during TPM lockout, recovery key can be used to access system

Is it safe to clear the TPM to reset the counter of wrong PIN attempts? Will the BitLocker encrypted data be lost? The warning screen sounds serious (below).

As mentioned, the recovery key is available. However, I want to avoid having to enter it every time I boot the computer.

[Screenshot: the TPM clear warning screen]

Best Answer

tl;dr:

Is it safe to clear the TPM to reset the counter of wrong PIN attempts?

Only if you have the BitLocker recovery key. If you clear the TPM, the encrypted drive will only be accessible using the recovery key.

So in your case it should be ok to clear the TPM chip. Afterwards, reboot and enter the recovery key. Once inside Windows, you can re-enable the TPM chip and set a new PIN.
Longer explanation:

BitLocker usually (see below for exception) uses the computer's TPM chip to store the key required for decrypting the boot drive. If the TPM chip is cleared, this key is lost (for ever). In that case, the only way to decrypt the drive is to use the BitLocker recovery key - it exists specifically for cases like this.

In practice, if you boot from a drive encrypted with BitLocker, and Windows finds it cannot retrieve the keys from the TPM chip, it will prompt you for the recovery key. You will get an ugly black & white screen asking for the key. If you enter the right key, Windows will boot normally. If you cannot enter the key - bad luck.

For more information about how BitLocker works, also see this question on serverfault.com: TPM had to be reinitialized: Does a new recovery password have to be uploaded to AD?

Note:

It is possible to use BitLocker without TPM, though the option needs to be enabled first. In that case, clearing the TPM will not make a difference. However, it looks like you are using BitLocker with TPM, so this does not apply in your case.
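The three steps the answer describes (confirm the recovery password exists, clear the TPM, then re-seal to the TPM with a new PIN after booting with the recovery password), written out as an added PowerShell example that is not from the original answer or the asker. It assumes an elevated session on the affected machine, that the OS volume is C:, and that the built-in BitLocker and TrustedPlatformModule cmdlets are available.

```powershell
# Added example, not from the original answer. Assumes an elevated PowerShell
# session on the affected machine and that the OS volume is C:.

function Confirm-RecoveryPassword {
    # Step 1: refuse to proceed unless a recovery password protector exists; without it,
    # clearing the TPM leaves the volume permanently inaccessible.
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw "No recovery password protector on $MountPoint; add one before clearing the TPM." }
    # Print it so it can be recorded off-machine; this is what the boot prompt will ask for.
    $rp | ForEach-Object { "Recovery password ($($_.KeyProtectorId)): $($_.RecoveryPassword)" }
    # LockedOut and LockoutCount show the anti-hammering state described in the question.
    Get-Tpm | Select-Object TpmReady, LockedOut, LockoutCount, LockoutMax
}

function Reset-TpmForBitLocker {
    # Step 2: clear the TPM. The firmware asks for physical-presence confirmation on the
    # next boot, and BitLocker then demands the recovery password printed in Step 1.
    Confirm-RecoveryPassword | Out-Host
    Clear-Tpm
    Restart-Computer -Confirm
}

function Restore-TpmPinProtector {
    # Step 3, after booting with the recovery password: take ownership of the cleared TPM,
    # drop the stale TPM+PIN protector (bound to the old TPM state) and add a fresh one
    # so normal boots need only the PIN again.
    param([string]$MountPoint = 'C:')
    Initialize-Tpm | Out-Null
    $pin = Read-Host -AsSecureString -Prompt 'New BitLocker PIN'
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'TpmPin' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin
    # Verify: the volume should now list both a TpmPin and a RecoveryPassword protector.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | Select-Object KeyProtectorType
}
```

Run Reset-TpmForBitLocker first; after the reboot and recovery-password prompt, run Restore-TpmPinProtector from an elevated session.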
