updates

windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md

@@ -7,7 +7,48 @@ ms.topic: include
 
 ### Configure TPM platform validation profile for BIOS-based firmware configurations
 
-This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This group policy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for native UEFI firmware configurations" group policy setting to configure the TPM PCR profile for computers using native UEFI firmware. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
+This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled.
+
+- When enabled , the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.
+- When disabled or not configured, the TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.
+
+This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection.
+
+> [!IMPORTANT]
+> This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.
+
+A platform validation profile consists of a set of PCR indices that range from 0 to 23. Each PCR index represents a specific measurement that the TPM validates during early boot. The default platform validation profile secures the encryption key against changes to the following PCRs:
+
+|PCR|Description|
+|-|-|
+|PCR 0|Core root-of-trust for measurement, BIOS, and platform extensions|
+|PCR 2|Option ROM code|
+|PCR 4|Master Boot Record (MBR) code|
+|PCR 8|NTFS boot sector|
+|PCR 9|NTFS boot block|
+|PCR 10|Boot manager|
+|PCR 11|BitLocker access control|
+
+> [!NOTE]
+> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+
+The following list identifies all of the available PCRs:
+
+|PCR|Description|
+|-|-|
+| PCR 0 | Core root-of-trust for measurement, BIOS, and platform extensions|
+| PCR 1 | Platform and motherboard configuration and data.|
+| PCR 2 | Option ROM code|
+| PCR 3 | Option ROM data and configuration|
+| PCR 4 | Master Boot Record (MBR) code|
+| PCR 5 | Master Boot Record (MBR) partition table|
+| PCR 6 | State transition and wake events|
+| PCR 7 | Computer manufacturer-specific|
+| PCR 8 | NTFS boot sector|
+| PCR 9 | NTFS boot block|
+| PCR 10 | Boot manager|
+| PCR 11 | BitLocker access control|
+| PCR 12-23 | Reserved for future use |
 
 |  | Path |
 |--|--|

windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md

@@ -7,7 +7,59 @@ ms.topic: include
 
 ### Configure TPM platform validation profile for native UEFI firmware configurations
 
-This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This group policy only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Service Module (CSM) enabled store different values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for BIOS-based firmware configurations" group policy setting to configure the TPM PCR profile for computers with BIOS configurations or computers with UEFI firmware with a CSM enabled. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile for the available hardware or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. On PCs that lack Secure Boot State (PCR 7) support, the default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). When Secure Boot State (PCR7) support is available, the default platform validation profile secures the encryption key using Secure Boot State (PCR 7) and the BitLocker access control (PCR 11). Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR 7 omitted, will override the "Allow Secure Boot for integrity validation" group policy, preventing BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. Setting this policy may result in BitLocker recovery when firmware is updated. If you set this policy to include PCR 0, suspend BitLocker prior to applying firmware updates. It is recommended to not configure this policy, to allow Windows to select the PCR profile for the best combination of security and usability based on the available hardware on each PC.
+This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations.
+
+- If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive
+- If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile for the available hardware or the platform validation profile specified by the setup script
+
+|**Conflicts**|Setting this policy with PCR 7 omitted overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. <BR><BR> If an environment uses TPM and Secure Boot for platform integrity checks, this policy is configured. <BR><BR> For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.|
+
+#### Reference: Configure TPM platform validation profile for native UEFI firmware configurations
+
+This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
+
+> [!IMPORTANT]
+> This group policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.
+
+A platform validation profile consists of a set of PCR indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs:
+
+|PCR|Description|
+|-|-|
+| PCR 0 | Core System Firmware executable code|
+| PCR 2 | Extended or pluggable executable code|
+| PCR 4 | Boot Manager|
+| PCR 11 | BitLocker access control|
+
+> [!NOTE]
+> When Secure Boot State (PCR7) support is available, the default platform validation profile secures the encryption key using Secure Boot State (PCR 7) and the BitLocker access control (PCR 11).
+
+The following list identifies all of the available PCRs:
+
+|PCR|Description|
+|-|-|
+| PCR 0 | Core System Firmware executable code|
+| PCR 1 | Core System Firmware data|
+| PCR 2 | Extended or pluggable executable code|
+| PCR 3 | Extended or pluggable firmware data|
+| PCR 4 | Boot Manager|
+| PCR 5 | GPT/Partition Table|
+| PCR 6 | Resume from S4 and S5 Power State Events|
+| PCR 7 | Secure Boot State|
+| PCR 8 | Initialized to 0 with no Extends (reserved for future use)|
+| PCR 9 | Initialized to 0 with no Extends (reserved for future use)|
+| PCR 10 | Initialized to 0 with no Extends (reserved for future use)|
+| PCR 11 | BitLocker access control|
+| PCR 12 | Data events and highly volatile events|
+| PCR 13 | Boot Module Details|
+| PCR 14 | Boot Authorities|
+| PCR 15 - 23 | Reserved for future use
+
+> [!WARNING]
+> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+>
+> Setting this policy with PCR 7 omitted, will override the *Allow Secure Boot for integrity validation* policy, preventing BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
+>
+> Setting this policy may result in BitLocker recovery when firmware is updated. If you set this policy to include PCR 0, suspend BitLocker prior to applying firmware updates. It is recommended to not configure this policy, to allow Windows to select the PCR profile for the best combination of security and usability based on the available hardware on each device.
 
 |  | Path |
 |--|--|

windows/security/operating-system-security/data-protection/bitlocker/includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md

@@ -7,7 +7,20 @@ ms.topic: include
 
 ### Enable use of BitLocker authentication requiring preboot keyboard input on slates
 
-This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability. The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password. If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard). If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard. Note that if you do not enable this policy setting, options in the "Require additional authentication at startup" policy might not be available on such devices. These options include:  - Configure TPM startup PIN: Required/Allowed  - Configure TPM startup key and PIN: Required/Allowed  - Configure use of passwords for operating system drives.
+This policy setting allows users to turn on authentication options that require user input from the pre-boot environment, even if the platform lacks pre-boot input capability. The Windows touch keyboard (such as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password.
+
+- If you enable this policy setting, devices must have an alternative means of pre-boot input (such as an attached USB keyboard).
+- If this policy isn't enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password.
+
+It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
+
+When the Windows Recovery Environment (WinRE) isn't enabled and this policy isn't enabled, BitLocker can't be turned on a device that uses the Windows touch keyboard.
+
+If this policy setting isn't enabled, the following options in the **Require additional authentication at startup** policy might not be available:
+
+- Configure TPM startup PIN: Required and Allowed
+- Configure TPM startup key and PIN: Required and Allowed
+- Configure use of passwords for operating system drives
 
 |  | Path |
 |--|--|