Policy

Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)

Microsoft Windows

Back to Operating System DrivesBack to main
Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
Windows Components > BitLocker Drive Encryption > Operating System Drives
Supported on
Windows Server 2008, Windows 7, and Windows Vista

Supported OS tags: Windows7, WindowsServer2008, WindowsVista

This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23, The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The descriptions of PCR settings for computers that use an Extensible Firmware Interface (EFI) are different than the PCR settings described for computers that use a standard BIOS. Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.

Internal name
PlatformValidation_Deprecated_Name
Policy ID
b7d0daaceb75
Elements
24

Registry values

How enabled and disabled states update the registry.

ScopeRegistry locationTypeEnabled valueDisabled valueCopy
Computer
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
Enabled
REG_DWORD
HKLM
1
HKLM
0
Registry location
Type REG_DWORD · Computer
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
Enabled
Hive
HKLM
Enabled value
1
Disabled value
0

Policy elements

Inputs and configuration options exposed by this policy.

ScopeElementTypeRegistry mappingConstraints & behaviorCopy
Computer
PCR 0: Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions
ID PlatformValidation_Deprecated_Setting0
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
0
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 1: Platform and Motherboard Configuration and Data
ID PlatformValidation_Deprecated_Setting1
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
1
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 2: Option ROM Code
ID PlatformValidation_Deprecated_Setting2
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
2
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 3: Option ROM Configuration and Data
ID PlatformValidation_Deprecated_Setting3
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
3
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 4: Master Boot Record (MBR) Code
ID PlatformValidation_Deprecated_Setting4
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
4
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 5: Master Boot Record (MBR) Partition Table
ID PlatformValidation_Deprecated_Setting5
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
5
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 6: State Transition and Wake Events
ID PlatformValidation_Deprecated_Setting6
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
6
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 7: Computer Manufacturer-Specific
ID PlatformValidation_Deprecated_Setting7
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
7
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 8: NTFS Boot Sector
ID PlatformValidation_Deprecated_Setting8
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
8
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 9: NTFS Boot Block
ID PlatformValidation_Deprecated_Setting9
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
9
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 10: Boot Manager
ID PlatformValidation_Deprecated_Setting10
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
10
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 11: BitLocker Access Control
ID PlatformValidation_Deprecated_Setting11
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
11
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 12: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting12
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
12
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 13: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting13
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
13
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 14: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting14
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
14
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 15: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting15
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
15
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 16: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting16
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
16
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 17: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting17
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
17
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 18: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting18
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
18
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 19: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting19
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
19
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 20: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting20
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
20
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 21: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting21
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
21
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 22: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting22
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
22
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Computer
PCR 23: Reserved for Future Use
ID PlatformValidation_Deprecated_Setting23
boolean
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
23
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 0: Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
0
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 1: Platform and Motherboard Configuration and Data
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
1
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 2: Option ROM Code
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
2
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 3: Option ROM Configuration and Data
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
3
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 4: Master Boot Record (MBR) Code
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
4
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 5: Master Boot Record (MBR) Partition Table
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
5
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 6: State Transition and Wake Events
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
6
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 7: Computer Manufacturer-Specific
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
7
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 8: NTFS Boot Sector
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
8
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 9: NTFS Boot Block
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
9
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 10: Boot Manager
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
10
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 11: BitLocker Access Control
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
11
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 12: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
12
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 13: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
13
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 14: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
14
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 15: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
15
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 16: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
16
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 17: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
17
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 18: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
18
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 19: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
19
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 20: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
20
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 21: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
21
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 22: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
22
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
PCR 23: Reserved for Future Use
Computer · Type boolean
Registry mapping
Path
SOFTWARE\Policies\Microsoft\FVE\PlatformValidation
Value name
23
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0