PCR Settings and BitLocker

    Question

  • This is a follow-up to a previous question. With my organization rolling out Thunderbolt docks, we have had BitLocker prompt for recovery keys after they undock and power up. I have found through some research that if we uncheck PCR 2, this will not occur. What kind of security vulnerabilities will I open up by BitLocker not checking for PCR 2? I have searched the web and haven't found anything yet.

    Any documentation that can point me to the drawbacks?

    Wednesday, March 1, 2017 6:55 PM

All replies

  • Hi John Mintz,

    "I have found through some research that if we uncheck PCR 2, this will not occur. "
    I am not sure where you found the information.

    Here is a link for reference of the BitLocker Recovery mode.
    BitLocker Recovery Guide
    https://technet.microsoft.com/en-us/library/dn383583(v=ws.11).aspx

    According to the following information, I think it is an expected behavior that the machine will go into recovery mode after we docked the machine. It depends on the computer manufacturer and the BIOS.
    "Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked."

    For the "PCR 2" setting, it depends on the BIOS. Changing this setting will cause BitLocker to enter recovery mode, too.
    "Some computers have BIOS settings that skip measurements to certain PCRs, such as PCR[2]. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different."

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Thursday, March 2, 2017 2:14 AM
    Moderator
  • I understand that part. My question is what kind of security issues am I opening myself up to if I do not have BitLocker check PCR2?

    Thursday, March 2, 2017 3:21 PM
  • Hi John Mintz,

    As far as I know, PCR2 stores "Option ROM Code". I didn't find any official article but I found the following information:

    "PCR 2 : Option ROM Code
    This PCR checks any option ROMs (i.e. motherboard device code, for items such as Intel SATA/RAID controller code) have not been changed.  Option ROMs are typically included in BIOS updates.  Changed Option ROMs may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. insecure data transmission)"

    BitLocker Plus
    https://sites.google.com/site/techbobbins/home/articles/setting-up-bitlocker/bitlocker-plus

    Best regards



    Friday, March 3, 2017 9:48 AM
    Moderator
  • To extend MeipoXu's answer: if we turn off PCR2 measurement, the attacker might tamper with your BIOS without recovery mode being triggered. Modern BIOSes offer things like a VNC server or other remote control uses, so it is potentially very dangerous depending on what your BIOS allows. If, however, you set a password for your BIOS, he will not be able to turn these on unless he gets around the BIOS password, which is pretty complicated on laptops (more than just removing the battery). So that's what I would do: use BIOS passwords.
    Wednesday, March 8, 2017 8:18 AM
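To make the trade-off discussed in this thread concrete, here is an added Python model (not code from the thread, from Microsoft, or from any TPM vendor) of how a PCR validation profile decides whether the TPM releases the BitLocker key: PCR 2 is extended with every option ROM the firmware runs, so a dock's ROM changes it, and dropping PCR 2 from the profile makes both the dock and a tampered ROM invisible to the check. The profile (0, 2, 4, 11), the ROM images and the measurement order are constructed assumptions.

```python
import hashlib

# TPM 2.0 SHA-256 bank: each PCR starts at 32 zero bytes and can only change
# through extend, PCR = SHA256(PCR || SHA256(measured blob)); it cannot be reset.
PCR_INIT = bytes(32)


def extend(pcr, blob):
    """Extend one PCR with the digest of a measured firmware or ROM image."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()


def measure_boot(firmware, option_roms):
    """Constructed, simplified boot: PCR 0 gets the platform firmware,
    PCR 2 gets each option ROM in the order the firmware runs them."""
    pcrs = {i: PCR_INIT for i in range(24)}
    pcrs[0] = extend(pcrs[0], firmware)
    for rom in option_roms:
        pcrs[2] = extend(pcrs[2], rom)
    return pcrs


def composite(pcrs, profile):
    """Digest over the selected PCRs, in the spirit of a TPM PCR policy."""
    h = hashlib.sha256()
    for i in sorted(profile):
        h.update(pcrs[i])
    return h.digest()


def unseal_ok(sealed, pcrs, profile):
    """True when the current boot's PCRs match the state the key was sealed to."""
    return composite(pcrs, profile) == sealed


# Constructed sample images standing in for real firmware and option ROMs.
FIRMWARE = b"OEM UEFI firmware v1.0"
SATA_ROM = b"Intel SATA/RAID option ROM"
DOCK_ROM = b"Thunderbolt dock option ROM"
TAMPERED_ROM = b"Intel SATA/RAID option ROM (modified)"

PROFILE_WITH_PCR2 = (0, 2, 4, 11)   # assumed legacy-style profile, PCR 2 checked
PROFILE_NO_PCR2 = (0, 4, 11)        # same profile with PCR 2 unchecked


def scenario(profile):
    """Seal while docked; return (undocked boot unlocks?, tampered ROM unlocks?)."""
    sealed = composite(measure_boot(FIRMWARE, [SATA_ROM, DOCK_ROM]), profile)
    undocked = unseal_ok(sealed, measure_boot(FIRMWARE, [SATA_ROM]), profile)
    tampered = unseal_ok(sealed, measure_boot(FIRMWARE, [TAMPERED_ROM, DOCK_ROM]), profile)
    return undocked, tampered


if __name__ == "__main__":
    print("PCR 2 checked:  ", scenario(PROFILE_WITH_PCR2))   # (False, False)
    print("PCR 2 unchecked:", scenario(PROFILE_NO_PCR2))     # (True, True)
```

With PCR 2 in the profile the undocked boot goes to recovery, which is the behaviour in the question; without it the dock no longer matters, but a modified option ROM unlocks the volume just as silently.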