Replace TPM protector with new PCRs

Want to replace the TPM protector on an operating system volume the easy way? Grab this PowerShell script. Why would you want to do this? Because the default TPM platform validation profile (the set of PCR values the key is sealed to) on Windows 7 clients is quite sensitive to changes in the boot order, MBR, partition table, attached USB drives etc. If your users are experiencing frequent BitLocker recovery screens when they e.g. undock their PCs, take a look in the BIOS, or even if they have a PC with an NVMe drive…this is for you!

Windows 7 defaults to PCRs 0, 2, 4, 5, 8, 9, 10 and 11, at least in some environments that I have seen. In the script below, I have removed PCR 5, which was causing consistent BitLocker recovery screens on Lenovo X270 computers with NVMe disks.
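As an added illustration (not the author's script, which is not reproduced on this page), the following PowerShell does the same swap through the Win32_EncryptableVolume WMI class: it refuses to proceed unless a recovery password protector exists, removes the existing TPM protector(s), and re-adds one sealed to PCRs 0, 2, 4, 8, 9, 10 and 11 (PCR 5 dropped). The drive letter C: and the protector name are assumptions; run it elevated.

```powershell
# Added example, not the post's original script. Re-seals the BitLocker OS
# volume's TPM protector to an explicit PCR profile with PCR 5 left out.
param(
    [string]$DriveLetter = 'C:',                  # assumed OS volume
    [byte[]]$Pcrs = @(0, 2, 4, 8, 9, 10, 11)      # default profile minus PCR 5
)

$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $vol) { throw "Volume $DriveLetter not found or not BitLocker-capable." }

# Safety check: a numerical (recovery) password protector (type 3) must exist,
# otherwise a failed re-seal on next boot would leave the volume unrecoverable.
$rp = $vol.GetKeyProtectors(3)
if ($rp.ReturnValue -ne 0 -or -not $rp.VolumeKeyProtectorID) {
    throw "No recovery password protector on $DriveLetter; add and back one up first."
}

# Remove every existing TPM-only protector (type 1).
$tpm = $vol.GetKeyProtectors(1)
if ($tpm.ReturnValue -ne 0) { throw "GetKeyProtectors failed: $($tpm.ReturnValue)" }
foreach ($id in $tpm.VolumeKeyProtectorID) {
    $r = $vol.DeleteKeyProtector($id)
    if ($r.ReturnValue -ne 0) { throw "DeleteKeyProtector($id) failed: $($r.ReturnValue)" }
    Write-Host "Removed TPM protector $id"
}

# Add the replacement TPM protector bound to the explicit PCR list.
$add = $vol.ProtectKeyWithTPM('TPM (PCR 5 excluded)', $Pcrs)
if ($add.ReturnValue -ne 0) { throw "ProtectKeyWithTPM failed: $($add.ReturnValue)" }
Write-Host "Added TPM protector $($add.VolumeKeyProtectorID) for PCRs $($Pcrs -join ',')"

# Verify by reading back the profile the new protector was actually sealed to.
$prof = $vol.GetKeyProtectorPlatformValidationProfile($add.VolumeKeyProtectorID)
if ($prof.ReturnValue -eq 0) {
    Write-Host "Sealed to PCRs: $($prof.PlatformValidationProfile -join ',')"
}
```

Removing PCR 5 from the profile means partition-table changes no longer force recovery; confirm that trade-off fits your threat model before rolling it out fleet-wide.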

