Bitlocker and firmware updates: What PCR settings to use?

  • General discussion

  • Hi,

    I'm setting up our organization to use BitLocker on our Windows 10 Enterprise laptops. I started testing and noticed that if I do a firmware update on the Dell Latitude, the BitLocker drive goes into recovery mode. This presents a challenge for me since I'm used to doing remote firmware updates using SCCM. So obviously I'll need to come up with a solution.

    I understand I may be able to enable the "Configure TPM platform validation profile for native UEFI firmware configurations" GPO and remove PCR validation on certain values so BIOS updates can happen without triggering recovery mode.

    Does anyone know which PCR value this is?

    Tuesday, February 19, 2019 6:46 PM

All replies

  • So I did some testing and this is what I found. I'm testing on a Dell Latitude with UEFI BIOS. After each GPO setting change, I would clear the TPM setting in the laptop BIOS, delete the computer object from AD, and reimage the laptop.

    The default setting includes PCR 0, 2, 4, 11. As I understand it, 11 is required to initiate the TPM.

    1. If Secure Boot is enabled on the laptop, a BIOS update ALWAYS triggers recovery mode. I even tested with PCR 11 as the only value checked in the GPO.

    2. If Secure Boot is disabled, I can use PCR options 4 and 11 in the GPO. With this setting, I can do a BIOS update and the user doesn't get put into recovery mode.

    So now I have to figure out what is most secure. Should I encrypt the drive, use Secure Boot, but not perform BIOS updates over the 3-4 years the user has the laptop? Should I encrypt the drive, disable Secure Boot, and use a smaller set of TPM validation?

    What do you do in your environment? Our solution must be a managed one, I don't do manual.

    Tuesday, February 19, 2019 11:37 PM
  • Hi OESTech,

    Please refer to this case: https://social.technet.microsoft.com/Forums/ie/en-US/ddc89857-eae4-4678-bb24-b5eb2e68f136/secure-boot-and-bitlocker-on-win10?forum=win10itprosecurity

    Best regards,

    Yilia 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, February 20, 2019 7:44 AM
    Moderator
  • I'm more interested in discussion by people who do this in their own environment and have something to contribute to the topic.

    Anyone else find a solution for using BitLocker and managing firmware updates remotely?

    Wednesday, February 20, 2019 4:37 PM
  • Hi,

    Sorry for the delayed reply.

    We will change it to general discussion to have other community members discuss this topic.

    Please feel free to post in the forum if any assistance is needed.

    Best regards,

    Yilia 



    Tuesday, March 5, 2019 8:53 AM
    Moderator
  • Did you ever get an answer, OESTech? What did you end up using? I am in the same position, where I want to enable BitLocker on UEFI but I don't want to cripple myself, as I do a lot of firmware updates and do change the boot order in order to PXE things and such.

    On BIOS I am going to use 0, 8, 9, 10, 11. Just looking for the equivalent command in UEFI for the PCRs. I don't even think I have any BIOS machines anymore....

    Tuesday, January 28, 2020 9:38 PM
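A managed way to handle the firmware-update case raised in this thread, shown as an added example (it is not a reply in the thread and not Microsoft's or Dell's code): report the PCR validation profile and Secure Boot state, then suspend BitLocker for exactly one reboot before the updater runs so the TPM protector is not evaluated against PCRs the new firmware changes. It assumes Windows 10 with the BitLocker and SecureBoot PowerShell modules, an elevated session (for instance an SCCM task-sequence step), and that manage-bde prints the PCR list on the line after "PCR Validation Profile:" (English locale).

```powershell
# Added example, not from the thread. Assumes an elevated session on Windows 10
# with the BitLocker and SecureBoot modules, targeting the OS drive.
$OsDrive = $env:SystemDrive

# 1. Report the PCR validation profile bound to the TPM protector.
#    Assumption: manage-bde lists the PCRs on the line after the header.
$lines = @(& manage-bde.exe -protectors -get $OsDrive)
$pcrs = 'unknown'
for ($i = 0; $i -lt $lines.Count - 1; $i++) {
    if ($lines[$i] -match 'PCR Validation Profile') {
        $pcrs = $lines[$i + 1].Trim()
        break
    }
}
Write-Output "TPM protector PCR profile: $pcrs"

# 2. Report Secure Boot state. The thread observed recovery on every BIOS
#    update while Secure Boot was on, whichever PCRs the GPO listed.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $null   # cmdlet throws on legacy BIOS / unsupported platforms
}
Write-Output "Secure Boot enabled: $secureBoot"

# 3. Only act if the OS drive is actually protected.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker protection is not On for $OsDrive; nothing to suspend."
    return
}

# 4. Suspend protection for one reboot. The volume key is stored in the clear
#    until that boot completes; protection then resumes automatically and the
#    TPM reseals against the post-update PCR values, so no recovery prompt and
#    no permanent weakening of the validation profile. If the updater reboots
#    more than once, raise RebootCount to match.
Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null

# 5. Verify the suspension took effect before handing off to the updater.
$after = Get-BitLockerVolume -MountPoint $OsDrive
if ($after.ProtectionStatus -ne 'Off') {
    throw "Suspend-BitLocker did not take effect on $OsDrive; aborting firmware update."
}
Write-Output "BitLocker suspended for one reboot on $OsDrive; firmware update may proceed."
```

Run this as the step immediately before the firmware installer in the deployment sequence, and check `Get-BitLockerVolume` after the post-flash boot to confirm ProtectionStatus is back to On.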