Reference Guide

Manage Policies
168
BCD Settings
Exclude specific Boot Configuration settings.
To use this policy, Use Enhanced Boot Configuration Data Profile must be set to Enabled.
Configure TPM Platform Validation Profile
Options: Selected, Not Selected
Default: Not Selected
Set to Selected to enable boot-up TPM drive unlocking for Windows 7 and Windows Server 2008 R2. Selected allows the configuration of how the TPM security hardware secures the BitLocker encryption key. This policy does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.
This policy must be set to Selected to use the policy Configure Specific TPM Platform Settings.
See http://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_depopt3 for more information.
Configure Specific TPM Platform Settings
Default:
PCR0,on
PCR1,off
PCR2,on
PCR3,off
PCR4,on
PCR5,on
PCR6,off
PCR7,off
PCR8,on
PCR9,on
PCR10,on
PCR11,on
PCR12,off
PCR13,off
PCR14,off
PCR15,off
PCR16,off
PCR17,off
PCR18,off
PCR19,off
PCR20,off
PCR21,off
PCR22,off
PCR23,off
This policy allows you to configure how the computer's TPM security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. This setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows 7 or Windows Server 2008 R2.
If you enable this policy before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive, and the computer will instead display the BitLocker recovery console and require that either the recovery password or recovery key be provided to unlock the drive.
If you disable or do not configure this policy, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The descriptions of PCR settings for computers that use an Extensible Firmware Interface (EFI) are different from the PCR settings described for computers that use a standard BIOS. The BitLocker Drive Encryption Deployment Guide on Microsoft TechNet contains a complete list of PCR settings for both EFI and standard BIOS.
Caution: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
To use this policy, Configure TPM Platform Validation Profile must be set to True.
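The following is an added example, not part of this guide or of any vendor tool. It parses a value list in the "PCRn,on|off" form shown for this policy, enforces the constraints the guide states (indices 0 to 23, one entry per PCR), and compares the resulting profile with the default BIOS platform validation profile the guide describes (PCRs 0, 2, 4, 8, 9, 10 and 11), so an administrator can see before deployment which PCRs a custom profile adds (more recovery prompts after legitimate changes) or drops (changes measured there no longer withhold the key). The boolean flag standing in for the parent policy Configure TPM Platform Validation Profile, and the sample value list, are assumptions made for the example; the sample reproduces the list printed above.

```python
"""Lint a 'Configure Specific TPM Platform Settings' value list (added example)."""
import re

# Default BIOS platform validation profile as described in the guide.
DEFAULT_BIOS_PROFILE = frozenset({0, 2, 4, 8, 9, 10, 11})

# Constructed sample: reproduces the value list printed in the guide
# (PCRs 0, 2, 4, 5, 8, 9, 10, 11 on; all others off).
_SAMPLE_ON = {0, 2, 4, 5, 8, 9, 10, 11}
SAMPLE_SETTING = "\n".join(
    f"PCR{i},{'on' if i in _SAMPLE_ON else 'off'}" for i in range(24)
)

_ENTRY = re.compile(r"^PCR(\d+),(on|off)$")


def parse_pcr_profile(text):
    """Return the set of enabled PCR indices; raise ValueError on bad input."""
    enabled, seen = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _ENTRY.match(line)
        if not match:
            raise ValueError(f"malformed entry: {line!r}")
        idx = int(match.group(1))
        if not 0 <= idx <= 23:
            raise ValueError(f"PCR index out of range 0-23: {idx}")
        if idx in seen:
            raise ValueError(f"PCR {idx} listed more than once")
        seen.add(idx)
        if match.group(2) == "on":
            enabled.add(idx)
    return frozenset(enabled)


def compare_to_default(enabled, default=DEFAULT_BIOS_PROFILE):
    """Report which PCRs a profile adds to, or removes from, the default."""
    return {
        "added": sorted(enabled - default),    # sensitivity increased
        "removed": sorted(default - enabled),  # sensitivity decreased
    }


def lint_policy(text, platform_validation_profile_selected):
    """Return a list of findings; an empty list means nothing to report.

    platform_validation_profile_selected is an assumed boolean standing in
    for the parent policy Configure TPM Platform Validation Profile.
    """
    findings = []
    if not platform_validation_profile_selected:
        findings.append("Configure TPM Platform Validation Profile is not "
                        "Selected; this policy will have no effect")
    diff = compare_to_default(parse_pcr_profile(text))
    for pcr in diff["removed"]:
        findings.append(f"PCR {pcr} removed from the default profile: changes "
                        f"measured there no longer withhold the key")
    for pcr in diff["added"]:
        findings.append(f"PCR {pcr} added to the default profile: expect "
                        f"recovery prompts after changes measured there")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_SETTING, True):
        print(finding)
```

Run against the value list printed above, the lint reports PCR 5 as an addition relative to the default profile the guide describes; a value list that mentions a PCR twice or an index above 23 is rejected outright rather than silently deployed.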
Configure BIOS TPM Platform Validation Profile
Options: Selected, Not Selected
Default: Not Selected
Set to Selected to enable boot-up BIOS TPM drive unlocking. Selected allows the configuration of how the BIOS TPM security hardware secures the BitLocker encryption key. This policy does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.
This policy must be set to Selected to use the policy Configure Specific BIOS TPM Platform Settings.
See http://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_tpmbios for more information.