BitLocker Plus

Note: This article assumes you have Windows 7 Ultimate, or Windows 10 Professional

So, you've got BitLocker working? (possibly using our article?)

Well, assuming you have a TPM module installed and BitLocker configured, you might think "that's it!" - and to some degree, you'd be right.

BitLocker will now be encrypting your data and, if you followed our article, you are quite possibly using an external USB key for additional security. This means that to access your data, someone has to:

  1. Have access to your PC and hard drives with the TPM module present

  2. Have a copy of the USB key on a USB drive, inserted into the system at boot time

This protects your data from inadvertent use (as long as you remove the USB key when you shut down the system) and prevents your data from being accessed if your disks are removed from the system - even if someone has the security keys, as the physical TPM is also required.

However, what happens if:

  1. A virus/trojan manages to infect your PC when it's running

  2. Someone tampers with the BIOS

The letters "TPM" stand for Trusted Platform Module, and the module is there to enable you, quite literally, to "trust your platform". To really get this working, though, you need to make some more changes. Before you do, please be very aware that:

Enabling these settings will require you to remember they are enabled. If you wish to make changes to your PC configuration (e.g. BIOS updates) once these settings are made, you must know how to temporarily suspend TPM protection; otherwise your machine may require your recovery key each time you boot. Details on this are further down the article.

Start Group Policy, and navigate to

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

Then double-click "Configure TPM platform validation profile"

The pop-up window you will now see allows you to select how sensitive you wish your machine to be to changes. You can set your machine & TPM to validate that the BIOS is intact, your BIOS settings have not changed, your hard disk boot sector has not been tampered with, and so on.

First of all, switch the "Configure TPM platform validation profile" setting to "Enabled"

You should note that the help text in the left column states:

We recommend the default of PCRs 0, 2, 4, 5, 8, 9, 10 and 11.

For BitLocker protection to take effect, you must include PCR 11.

The PCRs are Platform Configuration Registers. For each register you select, the TPM records a measurement of the corresponding part of the boot environment, and that stored value is compared with a fresh measurement every time the system boots. If a value has changed, the system's security and integrity is deemed to be compromised, and remedial action is required (i.e. use of the system recovery key).

TechBobbins recommends you select (check) the PCRs listed above. Their names and functions are described below.

PCR 0 : Core Root of Trust Measurement (CRTM), BIOS and Platform Extensions

This PCR ostensibly checks that the PC BIOS (not including BIOS settings) has not been changed. A changed BIOS may be the result of altered system configuration (i.e. tampering), which may introduce vulnerabilities (e.g. booting from other devices).

PCR 2 : Option ROM Code

This PCR checks that any option ROMs (i.e. motherboard device code, for items such as Intel SATA/RAID controller code) have not been changed. Option ROMs are typically included in BIOS updates. Changed option ROMs may be the result of altered system configuration (i.e. tampering), which may introduce vulnerabilities (e.g. insecure data transmission).

PCR 4 : Master Boot Record (MBR) Code

This PCR ensures your hard disk Master Boot Record code has not been tampered with. Some viruses, trojans and rootkits will try to amend the MBR to ensure they (or their code) are loaded at system startup.

PCR 5 : Master Boot Record (MBR) Partition Table

This PCR ensures that no partitions have been amended on your disks.

PCR 8 : NTFS Boot Sector

This PCR ensures that the Operating System startup location & initialisation code (for Windows) has not been tampered with.

Some viruses, trojans and rootkits will try to amend the NTFS Boot Sector to ensure they (or their code) are loaded at system startup.

PCR 9 : NTFS Boot Block

This PCR ensures that the Operating System startup location & initialisation code (for Windows) has not been tampered with.

Some viruses, trojans and rootkits will try to amend the NTFS Boot Sector to ensure they (or their code) are loaded at system startup.

PCR 10 : Boot Manager

This PCR ensures that the Operating System boot manager (i.e. which version of Windows or other O/S is selected to load) has not been tampered with.

PCR 11 : BitLocker Access Control

This is required to enable BitLocker to work.

The above settings will, however, still allow anyone to amend individual BIOS settings (e.g. enabled boot devices) or reset BIOS settings to default with no problem. TechBobbins would recommend the use of a BIOS administrator/owner password to provide general protection; however, to ensure complete protection, consider also enabling PCRs 1 and 3:

PCR 1 : Platform and Motherboard Configuration and Data

This PCR checks for any changes to BIOS configuration. Changed configurations may be the result of altered system configuration (i.e. tampering), which may introduce vulnerabilities (e.g. booting from an unapproved device).

PCR 3 : Option ROM Configuration and Data

This PCR checks for any changes to option ROM configuration. Changed configurations may be the result of altered system configuration (i.e. tampering), which may introduce vulnerabilities (e.g. a degraded RAID configuration).

Note: Anyone using Windows-based motherboard/BIOS configuration tools such as the Intel Extreme Tuning Utility, or manufacturer tools like Gigabyte's "EasyTune" and "TouchBIOS", should not enable PCRs 1 and 3, as these utilities will amend the BIOS and cause a BitLocker recovery event on every boot.

If you have any of PCRs 0, 1, 2 and 3 enabled and wish to amend system BIOS configuration, you should suspend BitLocker protection before amending your BIOS/ROM configuration.

Similarly, if you have any of PCRs 4, 5, 8, 9 and 10 enabled and wish to make changes to your disks or boot configuration (i.e. install a second operating system), you should suspend BitLocker protection before amending your configuration.

To do this:

  1. Start BitLocker - Click Start, type in bitlocker and click on BitLocker Drive Encryption

  2. Next to your C: drive, click "Suspend Protection"

  3. Click "Yes"

You may then make changes to your system. Once your changes are complete, you should resume BitLocker protection, as follows:

  1. Start BitLocker - Click Start, type in bitlocker and click on BitLocker Drive Encryption

  2. Next to your C: drive, click "Resume Protection"

This should reset BitLocker, storing the new configuration baseline in the TPM.
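The suspend, change, resume procedure above, as an added PowerShell example that is not part of the TechBobbins article. It assumes Windows 10 with the BitLocker PowerShell module and manage-bde available, an elevated prompt, and C: as the operating system drive; the function and parameter names are my own.

```powershell
# Added example (not from the article): wraps "Suspend Protection" -> make changes ->
# "Resume Protection" so that protection cannot be left suspended by mistake.
# Assumes Windows 10, an elevated PowerShell session, and C: as the OS drive.

function Get-TpmPcrProfile {
    param([string]$MountPoint = 'C:')
    # manage-bde lists the TPM protector with a "PCR Validation Profile: 0, 2, 4, ..." line;
    # parse that list so we can tell which kinds of change need a suspend first.
    $text = (& manage-bde.exe -protectors -get $MountPoint) -join "`n"
    if ($text -match 'PCR Validation Profile:\s*([0-9, ]+)') {
        return @($Matches[1] -split ',' | ForEach-Object { [int]$_.Trim() })
    }
    return @()   # no TPM protector present, or output not in the expected format
}

function Get-MaintenanceWarnings {
    param([int[]]$Pcrs)
    $w = @()
    if (11 -notin $Pcrs) { $w += 'PCR 11 is not sealed; BitLocker protection will not take effect.' }
    if (@(0,1,2,3) | Where-Object { $_ -in $Pcrs }) {
        $w += 'PCRs 0-3 sealed: suspend before any BIOS update or BIOS/option ROM configuration change.' }
    if (@(4,5,8,9,10) | Where-Object { $_ -in $Pcrs }) {
        $w += 'PCRs 4/5/8/9/10 sealed: suspend before changing partitions or boot configuration.' }
    if (1 -in $Pcrs -or 3 -in $Pcrs) {
        $w += 'PCRs 1/3 sealed: Windows-based BIOS tuning tools will trigger recovery on every boot.' }
    return $w
}

function Invoke-BitLockerMaintenance {
    param([string]$MountPoint = 'C:', [scriptblock]$Change)
    $pcrs = Get-TpmPcrProfile -MountPoint $MountPoint
    "Sealed PCRs on ${MountPoint}: $($pcrs -join ', ')"
    Get-MaintenanceWarnings -Pcrs $pcrs | ForEach-Object { Write-Warning $_ }

    # Step 1: suspend protection. RebootCount 0 keeps it suspended until we resume it
    # explicitly, matching the manual "Suspend Protection" step.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    try {
        & $Change        # e.g. { Read-Host 'Apply the BIOS update, then press Enter' }
    } finally {
        # Step 2: resume protection so the new configuration baseline is stored in the TPM.
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') { throw "Protection did not resume on $MountPoint" }
    return $vol.ProtectionStatus
}

# Usage: Invoke-BitLockerMaintenance -Change { Read-Host 'Make your changes, then press Enter' }
```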

If at any point you fail to correctly suspend BitLocker before making changes, you may well find your system requires your BitLocker recovery key each and every time you boot. This can be irritating at best, but is of course just BitLocker doing its job, telling you your system no longer matches the security baseline it was originally installed with.

If this occurs, you can try three things:

  1. Suspend BitLocker (as above), reboot, then Resume BitLocker (as above), reboot. This may reset BitLocker protection.

  2. Disable all selected PCRs except PCR 11. Reboot. Re-enable the required PCRs. Reboot. This should reset BitLocker protection.

  3. Turn off BitLocker, decrypting the drive, then turn BitLocker back on. This will re-initialise BitLocker.
    NOTE: This will generate new BitLocker recovery & startup keys and is a last resort!

TechBobbins would also like to take this opportunity to recommend you read our article on Securing Your Computing.