Change BitLocker TPM Platform Validation Profile on the go

Scenario: You have enabled BitLocker in your enterprise with default settings. Now the service desk gets frequent calls from end users because their PCs have entered BitLocker recovery mode after a reboot.

This can be triggered by e.g. attaching a USB stick or installing a printer or even by accidentally pressing F12 during boot and then choosing to boot from your normal disk drive. This happens because the default TPM Platform Validation Profile is a bit aggressive (in my opinion).

To change the TPM Platform Validation Profile you don’t have to disable BitLocker and decrypt the disk (volume). Suspending and resuming BitLocker won’t do the trick but you can change the settings on the go as described below. The settings are located in the registry and can be configured either manually, by script or by Group Policy Settings. However, changing the registry settings won’t directly change the TPM Platform Validation Profile on a volume with BitLocker already enabled. You have to remove and then re-add the TPM protector. The new TPM Platform Validation Profile will then be applied when the TPM protector is added to the BitLocker volume again.

Please note that a BitLocker encrypted volume can have one or more protectors, e.g. a TPM protector, a recovery password protector, a USB key protector etc. Only one TPM protector can exist for a BitLocker volume, but you can add multiple recovery password protectors if you like.

Before beginning, I strongly suggest that you write down the recovery password on a piece of paper. You can get the password by running this command in an elevated CMD prompt or PowerShell console:

To check which TPM Platform Validation Profile is active for a BitLocker volume, check out my other blog post. Here is a condensed version which gets the BitLocker volume object and then finds the TPM key protector ID (the one with keyprotectortype 1):

Verify that the “wrong” TPM Platform Validation profile is in effect:

The TPM Platform Validation profile is defined by a set of numbers (Platform Configuration Registers, described here). The default values are 0, 2, 4, 8, 9, 10 and 11 (only 0, 2, 4 and 11 for UEFI).

Now delete the TPM protector and check that it’s gone:

Before continuing, modify the registry settings on the PC in order to ensure that the new TPM Platform Validation profile will be applied to the TPM key protector in the next step. There is a nice post about how to do it with GPO settings here:

Finally, add the new TPM key protector and verify that the desired TPM Platform Validation profile has been applied:

Actually, you can even set the desired TPM Platform Validation profile directly in the ProtecKeyWithTPM command:

Now comes the questions of which Platform Configuration Registers to use in the TPM Platform Validation profile. I won’t get into that in this post, but the minimum is PCR 11 which essentially just means that the TPM key protector can unlock the encrypted volume.

Note: If you remove the TPM key protector and don’t add a new one, you will need other means of unlocking the volume after a reboot, e.g. a recovery password.

Share your thoughts

This site uses Akismet to reduce spam. Learn how your comment data is processed.