Replace TPM protector with new PCRs
Want to replace the TPM protector on an operating system volume the easy way? Grab this PowerShell script. Why would you want to do this? Because the default TPM platform validation profile (the set of PCR values the TPM seals the volume key to) on Windows 7 clients is quite sensitive to changes in the boot order, the MBR, the partition table, attached USB drives and so on. If your users are hitting BitLocker recovery screens frequently, e.g. when they undock their PCs or take a look in the BIOS, or even just because they have a PC with an NVMe drive, this is for you!
Windows 7 defaults to PCRs 0, 2, 4, 5, 8, 9, 10 and 11, at least in the environments I have seen. In the script below I have removed PCR 5, which was causing consistent BitLocker recovery screens on Lenovo X270 computers with NVMe disks. The script writes the same profile to the BitLocker platform validation policy keys in the registry, deletes the existing TPM protector, adds a new one with the new PCR list and logs every step.
```powershell
# Define log file name and location
$LogPath = "C:\temp"
$LogFileName = "$env:COMPUTERNAME.log"
$LogFile = "$LogPath\$LogFileName"

function LogWrite([string]$LogString) {
    try {
        Add-Content $script:LogFile -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $LogString" -Force -ErrorAction Stop
    }
    catch {
        Write-Warning $_.Exception.Message
    }
}

# Initialize log file location
if (!(Test-Path $LogPath)) {
    try {
        New-Item $LogPath -Type Directory -ErrorAction Stop | Out-Null
    }
    catch {
        $LogFile = "C:\Windows\Temp\$LogFileName"
        Write-Warning "Log folder could not be created in chosen location. Log saved to C:\Windows\Temp instead."
        Write-Warning $_.Exception.Message
    }
}

LogWrite "### START OF SCRIPT ###"
LogWrite "Running script as $env:username"

# Ignore existing registry and file items
$ErrorActionPreference = "SilentlyContinue"

# New TPM Platform Validation Profile (PCRs): the Windows 7 default minus PCR 5
$NewPCRs = @(0,2,4,8,9,10,11)

LogWrite "Creating registry keys and setting registry values"

# Set default BitLocker policies
if (!(Test-Path -Path 'HKLM:\Software\Policies\Microsoft\FVE')) {
    New-Item -Path HKLM:\Software\Policies\Microsoft\FVE | Out-Null
}
# Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\FVE -Name 'IdentificationField' -Value '1' -Type DWord
# Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\FVE -Name 'IdentificationFieldString' -Value 'Contoso'
# Set-ItemProperty -Path HKLM:\Software\Policies\Microsoft\FVE -Name 'EncryptionMethod' -Value '4' -Type DWord

# Write the same platform validation profile to all three policy keys:
# PlatformValidation (Windows 7), OSPlatformValidation_UEFI and OSPlatformValidation_BIOS.
# Each PCR 0..23 is set to 1 if it is in $NewPCRs and 0 otherwise; Enabled is set to 1.
foreach ($PolicyKey in 'PlatformValidation', 'OSPlatformValidation_UEFI', 'OSPlatformValidation_BIOS') {
    $PolicyPath = "HKLM:\Software\Policies\Microsoft\FVE\$PolicyKey"
    if (!(Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath | Out-Null
    }
    foreach ($PCR in 0..23) {
        $Value = if ($NewPCRs -contains $PCR) { 1 } else { 0 }
        Set-ItemProperty -Path $PolicyPath -Name "$PCR" -Value $Value -Type DWord
    }
    Set-ItemProperty -Path $PolicyPath -Name 'Enabled' -Value 1 -Type DWord
}

# Get the encryptable volume object for the OS disk
$volume = Get-WmiObject -Namespace "root/CIMV2/Security/MicrosoftVolumeEncryption" -Class 'Win32_EncryptableVolume' -Filter "DriveLetter='C:'"
LogWrite "Trying to replace the TPM protector on $($volume.DriveLetter)"

# Get the ID of the existing TPM protector for the volume (key protector type 1 = TPM)
$TPMprotectorID = $volume.GetKeyProtectors().VolumeKeyProtectorID | Where-Object { $volume.GetKeyProtectorType($_).KeyProtectorType -eq 1 }
LogWrite "Found this TPM protector: $TPMprotectorID"

# Get the TPM Platform Validation Profile (PCRs) for the existing TPM protector
$PCRs = $volume.GetKeyProtectorPlatformValidationProfile($TPMprotectorID).PlatformValidationProfile
LogWrite "The existing TPM protector has these active PCRs: $PCRs"

# Delete the existing TPM protector
LogWrite "Trying to delete the existing TPM protector"
$delete_return = $volume.DeleteKeyProtector($TPMprotectorID)
if ($delete_return.ReturnValue -eq 0) {
    LogWrite 'Successfully deleted the existing TPM protector'
}
elseif ($delete_return.ReturnValue -eq 2147746291) {
    LogWrite 'TPM protector does not exist'
}
else {
    LogWrite "Unknown error: $($delete_return.ReturnValue)"
}

# Add a new TPM protector with the new PCRs to the volume
LogWrite "Trying to add a new TPM protector with these PCRs: $NewPCRs"
$return = $volume.ProtectKeyWithTPM("ProtectWithTPM1", $NewPCRs)
if ($return.ReturnValue -eq 0) {
    LogWrite "Successfully added a new TPM protector: $($return.VolumeKeyProtectorID)"
}
elseif ($return.ReturnValue -eq 2147942487) {
    LogWrite 'Error: GPO conflict'
}
else {
    LogWrite "Unknown error: $($return.ReturnValue)"
}

# Get the ID of the new TPM protector for the volume and read back its PCRs
$NewTPMprotectorID = $volume.GetKeyProtectors().VolumeKeyProtectorID | Where-Object { $volume.GetKeyProtectorType($_).KeyProtectorType -eq 1 }
$ResultingPCRs = $volume.GetKeyProtectorPlatformValidationProfile($NewTPMprotectorID).PlatformValidationProfile
LogWrite "The resulting TPM protector has these active PCRs: $ResultingPCRs"
```
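Before running the replacement on a fleet it helps to know what each machine currently has: which PCRs the live TPM protector is sealed to, whether the PCR list you are about to request matches what the policy keys enforce (the mismatch is the "GPO conflict" case the script logs, since `ProtectKeyWithTPM` refuses a profile that contradicts policy), and whether a numerical recovery password protector exists, because the script deletes the old TPM protector before the new one is added and a failed `ProtectKeyWithTPM` would otherwise leave the volume with no TPM protector at all. The audit function below is an added example and not part of the original post; it uses the same `Win32_EncryptableVolume` WMI class as the script, and the function names, the default drive letter and the expected PCR list are assumptions of the example.

```powershell
# Added example (not from the original post): audit a volume's TPM protector PCRs
# against an expected list and against the BitLocker policy keys in the registry.
function Get-PolicyPcrList {
    # Returns the PCR indices set to 1 under one of the policy keys the script writes
    # (PlatformValidation, OSPlatformValidation_BIOS, OSPlatformValidation_UEFI),
    # or $null when the key is missing or not Enabled.
    param([string]$PolicyKey)
    $path = "HKLM:\Software\Policies\Microsoft\FVE\$PolicyKey"
    if (-not (Test-Path $path)) { return $null }
    $props = Get-ItemProperty -Path $path
    if ($props.Enabled -ne 1) { return $null }
    0..23 | Where-Object { $props.($_.ToString()) -eq 1 }
}

function Test-TpmPcrProfile {
    param(
        [string]$DriveLetter = 'C:',                 # assumed default, OS volume
        [int[]]$ExpectedPCRs = @(0,2,4,8,9,10,11),   # the profile the script requests
        [string]$PolicyKey = 'PlatformValidation'    # Windows 7 policy key; use
                                                     # OSPlatformValidation_UEFI/_BIOS on newer builds
    )
    $volume = Get-WmiObject -Namespace 'root/CIMV2/Security/MicrosoftVolumeEncryption' `
        -Class 'Win32_EncryptableVolume' -Filter "DriveLetter='$DriveLetter'"
    if (-not $volume) { throw "No encryptable volume found for $DriveLetter" }

    # Key protector types: 1 = TPM, 3 = numerical (recovery) password
    $allIds      = @($volume.GetKeyProtectors(0).VolumeKeyProtectorID)
    $tpmIds      = @($allIds | Where-Object { $volume.GetKeyProtectorType($_).KeyProtectorType -eq 1 })
    $recoveryIds = @($allIds | Where-Object { $volume.GetKeyProtectorType($_).KeyProtectorType -eq 3 })

    # PCRs the live TPM protector is sealed to (empty when there is no TPM protector)
    [int[]]$currentPCRs = @()
    if ($tpmIds.Count -gt 0) {
        [int[]]$currentPCRs = @($volume.GetKeyProtectorPlatformValidationProfile($tpmIds[0]).PlatformValidationProfile)
    }
    $needsReplacement = [bool](Compare-Object -ReferenceObject $ExpectedPCRs -DifferenceObject $currentPCRs)

    # PCRs Group Policy will enforce; a mismatch with $ExpectedPCRs is the
    # condition under which ProtectKeyWithTPM fails with the "GPO conflict" error
    $policyRaw = Get-PolicyPcrList -PolicyKey $PolicyKey
    $policySet = $null -ne $policyRaw
    [int[]]$policyPCRs = @($policyRaw)
    $policyConflict = $false
    if ($policySet) {
        $policyConflict = [bool](Compare-Object -ReferenceObject $ExpectedPCRs -DifferenceObject $policyPCRs)
    }
    $policyText = if ($policySet) { $policyPCRs -join ',' } else { '(not set)' }

    [pscustomobject]@{
        DriveLetter         = $DriveLetter
        ProtectionStatus    = $volume.GetProtectionStatus().ProtectionStatus   # 1 = protection on
        TpmProtectorCount   = $tpmIds.Count
        CurrentPCRs         = ($currentPCRs -join ',')
        ExpectedPCRs        = ($ExpectedPCRs -join ',')
        NeedsReplacement    = $needsReplacement
        PolicyPCRs          = $policyText
        PolicyConflict      = $policyConflict
        HasRecoveryPassword = ($recoveryIds.Count -gt 0)
    }
}

# Usage: run elevated on the client and read the result before replacing anything
Test-TpmPcrProfile -DriveLetter 'C:' -ExpectedPCRs @(0,2,4,8,9,10,11) | Format-List
```

A sensible gate for the replacement script is `NeedsReplacement -eq $true`, `PolicyConflict -eq $false` and `HasRecoveryPassword -eq $true`; if the last one is false, add and back up a recovery password protector first, since the old TPM protector is gone by the time `ProtectKeyWithTPM` reports an error.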