deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

revert PCR4

Browse Source
This commit is contained in:
Paolo Matarazzo
2024-08-05 13:38:25 -04:00
parent 8388cc6b4c
commit 3579d634d7
4 changed files with 298 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
View File

@ -96,20 +96,6 @@ An attacker might modify the boot manager configuration database (BCD), which is
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware, and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This can't succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0. To successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue), it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
To prevent boot manger roll-back attacks, Windows updates released on and after July 2024 changed the default PCR Validation Profile for **UEFI with Secure Boot** from `7, 11` to `4, 7, 11`.
The PCR values map to:
- `PCR 4: Boot Manager`
- `PCR 7: Secure Boot State`
- `PCR 11: BitLocker access control`
> [!TIP]
> To check what PCRs are in use, execute the following command:
> ```cmd
> manage-bde.exe -protectors -get c:
> ```
## Attacker countermeasures
The following sections cover mitigations for different types of attackers.

3
windows/security/operating-system-security/data-protection/bitlocker/includes/allow-secure-boot-for-integrity-validation.md
View File

@ -26,6 +26,3 @@ When this policy is enabled and the hardware is capable of using Secure Boot for
|--|--|
| **CSP** | Not available |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
> [!NOTE]
> To prevent boot manger roll-back attacks, Windows updates released on and after July 2024 changed the default PCR Validation Profile for **UEFI with Secure Boot** from `7, 11` to `4, 7, 11`.

2
windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md
View File

@ -26,8 +26,6 @@ A platform validation profile consists of a set of PCR indices ranging from 0 to
> [!NOTE]
> When Secure Boot State (PCR7) support is available, the default platform validation profile secures the encryption key using Secure Boot State (PCR 7) and the BitLocker access control (PCR 11).
>
> To prevent boot manger roll-back attacks, Windows updates released on and after July 2024 changed the default PCR Validation Profile for **UEFI with Secure Boot** from `7, 11` to `4, 7, 11`.
The following list identifies all of the available PCRs: