Reference Guide
Security Management Server Virtual v10.2.11 AdminHelp
PCR8,on
PCR9,on
PCR10,on
PCR11,on
PCR12,off
PCR13,off
PCR14,off
PCR15,off
PCR16,off
PCR17,off
PCR18,off
PCR19,off
PCR20,off
PCR21,off
PCR22,off
PCR23,off
If you enable this policy before turning on BitLocker, you can
configure the boot components that the TPM will validate
before unlocking access to the BitLocker-encrypted operating
system drive. If any of these components change while
BitLocker protection is in effect, the TPM does not release
the encryption key to unlock the drive and the computer will
instead display the BitLocker recovery console and require
that either the recovery password or recovery key be provided
to unlock the drive.
If you disable or do not configure this policy, the TPM uses
the default platform validation profile or the platform
validation profile specified by the setup script. A platform
validation profile consists of a set of Platform Configuration
Register (PCR) indices ranging from 0 to 23. The default
platform validation profile secures the encryption key against
changes to the Core Root of Trust of Measurement (CRTM), BIOS,
and Platform Extensions (PCR 0), the Option ROM Code (PCR 2),
the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot
Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager
(PCR 10), and the BitLocker Access Control (PCR 11). The
descriptions of PCR settings for computers that use an
Extensible Firmware Interface (EFI) are different from the PCR
settings described for computers that use a standard BIOS. The
BitLocker Drive Encryption Deployment Guide on Microsoft
TechNet contains a complete list of PCR settings for both EFI
and standard BIOS.
Caution: Changing from the default platform validation profile
affects the security and manageability of your computer.
Including a PCR in the profile makes BitLocker more sensitive to
changes (malicious or authorized) in the component that PCR
measures; excluding a PCR makes BitLocker less sensitive to them.
To use this policy, Configure TPM Platform Validation Profile
must be set to True.
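The mechanism described above, and again for the BIOS/CSM policy further down this page, reduces to one rule: the key is sealed to a digest over the selected PCRs only, so a change in an included PCR withholds the key while a change in an excluded PCR is never noticed. The following Python model is added here and is not code from the AdminHelp page, from Dell, or from Microsoft. It parses the policy's PCRn,on/off list into a profile, replays constructed boot measurements, and shows which changes do and do not send the machine to the recovery console. The PCR reset values, the boot events, the key, and the simplified SHA-1 composite over the selected PCRs are assumptions for illustration; the real TPM data structures and BitLocker's exact measurement sequence are not reproduced.

```python
"""Model of how a BitLocker TPM platform validation profile gates key release.

Added example; not code from the Dell AdminHelp page, Dell, or Microsoft. The
TPM 1.2 style composite (SHA-1 over 20-byte PCRs) is simplified, and the boot
measurements, key, and policy text below are constructed for illustration.
"""
import hashlib

NUM_PCRS = 24             # a profile is a subset of PCR indices 0..23
PCR_RESET = b"\x00" * 20  # assumed reset value of the boot-time PCRs

# Default BIOS/CSM profile transcribed from the page's policy tables: CRTM/BIOS
# and platform extensions (0), option ROM code (2), MBR code (4), NTFS boot
# sector (8), NTFS boot block (9), boot manager (10), BitLocker access control (11).
_STATES = ("on off on off on off off off on on on on "
           "off off off off off off off off off off off off").split()
POLICY_TEXT = "\n".join(f"PCR{i},{s}" for i, s in enumerate(_STATES))
DEFAULT_BIOS_PROFILE = frozenset({0, 2, 4, 8, 9, 10, 11})


def parse_profile(policy_text):
    """Turn 'PCRn,on' / 'PCRn,off' lines into the set of PCR indices the TPM
    must validate. Malformed lines raise rather than being skipped, because a
    silently dropped 'on' line would weaken the profile without anyone noticing."""
    profile = set()
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, state = line.partition(",")
        state = state.strip().lower()
        if not sep or not name.upper().startswith("PCR") or state not in ("on", "off"):
            raise ValueError(f"malformed profile line: {raw!r}")
        index = int(name[3:])
        if not 0 <= index < NUM_PCRS:
            raise ValueError(f"PCR index out of range: {index}")
        if state == "on":
            profile.add(index)
    return frozenset(profile)


def extend(pcrs, index, event):
    """TPM extend: PCR[index] = SHA1(PCR[index] || SHA1(event)). Returns a new bank."""
    bank = list(pcrs)
    bank[index] = hashlib.sha1(bank[index] + hashlib.sha1(event).digest()).digest()
    return bank


def boot(events):
    """Replay (pcr_index, measured_bytes) events from the reset state."""
    bank = [PCR_RESET] * NUM_PCRS
    for index, event in events:
        bank = extend(bank, index, event)
    return bank


def composite_digest(pcrs, profile):
    """Hash of the selected PCRs only; PCRs outside the profile never influence it."""
    h = hashlib.sha1()
    for index in sorted(profile):
        h.update(pcrs[index])
    return h.digest()


def seal(key, pcrs, profile):
    """Bind the key to the current values of the profile's PCRs."""
    return {"profile": frozenset(profile), "digest": composite_digest(pcrs, profile), "key": key}


def unseal(blob, pcrs):
    """Release the key only if the profile's PCRs still match the sealed digest.
    None models the TPM withholding the key, i.e. the BitLocker recovery console."""
    if composite_digest(pcrs, blob["profile"]) != blob["digest"]:
        return None
    return blob["key"]


# Constructed measurements for a known-good boot; BitLocker's real ordering
# (e.g. when PCR 11 is extended relative to the unseal) is not modelled.
GOOD_BOOT = [
    (0, b"bios-v1.0"), (1, b"bios-setup-defaults"), (2, b"nic-option-rom"),
    (4, b"mbr-code"), (8, b"ntfs-boot-sector"), (9, b"ntfs-boot-block"),
    (10, b"bootmgr"), (11, b"bitlocker-access-control"),
]
VMK = b"constructed-volume-master-key"  # constructed stand-in for the real key


def key_released(profile, events):
    """Seal the key at the known-good boot, then try to unseal after `events`."""
    blob = seal(VMK, boot(GOOD_BOOT), profile)
    return unseal(blob, boot(events)) == VMK


def run_scenarios():
    default = parse_profile(POLICY_TEXT)
    swap = lambda idx, new: [(i, new if i == idx else e) for i, e in GOOD_BOOT]
    return {
        # identical components: key released
        "unchanged": key_released(default, GOOD_BOOT),
        # an MBR rewrite changes PCR 4, which the default profile includes
        "mbr_rewritten": key_released(default, swap(4, b"rewritten-mbr")),
        # a BIOS setup change lands in PCR 1, which the default profile excludes
        "bios_config_changed": key_released(default, swap(1, b"bios-setup-changed")),
        # adding PCR 1 to the profile makes the same change trigger recovery
        "bios_config_changed_pcr1_in_profile": key_released(default | {1}, swap(1, b"bios-setup-changed")),
    }


if __name__ == "__main__":
    for name, released in run_scenarios().items():
        print(f"{name:38s} key released: {released}")
```

The last two scenarios are the caution paragraph in code: the same BIOS setup change is invisible under the default profile and forces recovery once PCR 1 is added, which is the trade-off to weigh before deviating from the defaults on a fleet.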
Configure BIOS TPM Platform Validation Profile
Not Selected
Selected
Not Selected
Set to Selected to enable BIOS TPM drive unlocking at boot.
Selected allows you to configure how the BIOS TPM security
hardware secures the BitLocker encryption key. This policy
does not apply if the computer does not have a compatible TPM
or if BitLocker has already been turned on with TPM
protection.
This policy must be set to Selected to use the policy
Configure Specific BIOS TPM Platform Settings.
See http://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_tpmbios for more information.
Configure Specific BIOS TPM Platform Settings
PCR0,on
PCR1,off
PCR2,on
PCR3,off
PCR4,on
PCR5,off
PCR6,off
PCR7,off
PCR8,on
PCR9,on
PCR10,on
PCR11,on
PCR12,off
PCR13,off
PCR14,off
PCR15,off
PCR16,off
This policy setting allows you to configure how the computer's
TPM security hardware secures the BitLocker encryption key.
This setting determines what values the TPM measures when it
validates early boot components before unlocking an operating
system drive on a computer with BIOS configuration or with
UEFI firmware that has the Compatibility Support Module (CSM)
enabled.
If you enable this policy before turning on BitLocker, you can
configure the boot components that the TPM will validate
before unlocking access to the BitLocker-encrypted operating
system drive. If any of these components change while
BitLocker protection is in effect, the TPM does not release
the encryption key to unlock the drive and the computer will
instead display the BitLocker recovery console and require
that either the recovery password or recovery key be provided
to unlock the drive.
To use this policy, Configure BIOS TPM Platform Validation