Policy
Configure TPM platform validation profile for BIOS-based firmware configurations
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows8, WindowsServer2012
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This group policy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for native UEFI firmware configurations" group policy setting to configure the TPM PCR profile for computers using native UEFI firmware. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\Enabled | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
PCR 0: Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions ID PlatformValidation_BIOS_Setting0 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\0 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 1: Platform and Motherboard Configuration and Data ID PlatformValidation_BIOS_Setting1 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\1 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 2: Option ROM Code ID PlatformValidation_BIOS_Setting2 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\2 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 3: Option ROM Configuration and Data ID PlatformValidation_BIOS_Setting3 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\3 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 4: Master Boot Record (MBR) Code ID PlatformValidation_BIOS_Setting4 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\4 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 5: Master Boot Record (MBR) Partition Table ID PlatformValidation_BIOS_Setting5 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\5 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 6: State Transition and Wake Events ID PlatformValidation_BIOS_Setting6 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\6 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 7: Computer Manufacturer-Specific ID PlatformValidation_BIOS_Setting7 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\7 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 8: NTFS Boot Sector ID PlatformValidation_BIOS_Setting8 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\8 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 9: NTFS Boot Block ID PlatformValidation_BIOS_Setting9 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\9 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 10: Boot Manager ID PlatformValidation_BIOS_Setting10 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\10 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 11: BitLocker Access Control ID PlatformValidation_BIOS_Setting11 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\11 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 12: Reserved for Future Use ID PlatformValidation_BIOS_Setting12 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\12 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 13: Reserved for Future Use ID PlatformValidation_BIOS_Setting13 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\13 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 14: Reserved for Future Use ID PlatformValidation_BIOS_Setting14 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\14 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 15: Reserved for Future Use ID PlatformValidation_BIOS_Setting15 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\15 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 16: Reserved for Future Use ID PlatformValidation_BIOS_Setting16 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\16 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 17: Reserved for Future Use ID PlatformValidation_BIOS_Setting17 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\17 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 18: Reserved for Future Use ID PlatformValidation_BIOS_Setting18 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\18 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 19: Reserved for Future Use ID PlatformValidation_BIOS_Setting19 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\19 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 20: Reserved for Future Use ID PlatformValidation_BIOS_Setting20 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\20 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 21: Reserved for Future Use ID PlatformValidation_BIOS_Setting21 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\21 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 22: Reserved for Future Use ID PlatformValidation_BIOS_Setting22 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\22 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
PCR 23: Reserved for Future Use ID PlatformValidation_BIOS_Setting23 | boolean | HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS\23 Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
Other policies in this category
Explore related policies at the same level.
- ComputerAllow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.At least Windows Server 2016, Windows 10 Version 1703
- ComputerAllow enhanced PINs for startupAt least Windows Server 2008 R2 or Windows 7
- ComputerAllow network unlock at startupAt least Windows Server 2012 or Windows 8
- ComputerAllow Secure Boot for integrity validationAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerChoose how BitLocker-protected operating system drives can be recoveredAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure minimum PIN length for startupAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure pre-boot recovery message and URLAt least Windows Server 2016 or Windows 10
- ComputerConfigure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)Windows Server 2008, Windows 7, and Windows Vista
- ComputerConfigure TPM platform validation profile for native UEFI firmware configurationsAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of hardware-based encryption for operating system drivesAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of passwords for operating system drivesAt least Windows Server 2012 or Windows 8
- ComputerDisallow standard users from changing the PIN or passwordAt least Windows Server 2012 or Windows 8