From 48bdf6633d8f62f0cfdfb38fa4cea45519c522a4 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 17 Apr 2019 10:40:41 +0300 Subject: [PATCH 1/4] added info https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3012 --- .../tpm/switch-pcr-banks-on-tpm-2-0-devices.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index eacf850aab..6835ee1323 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -50,6 +50,22 @@ As a result, if the currently used PCR bank is switched all keys that have been Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor. +## How can I identify which PCR bank is being used? + +You can identify which PCR bank is currently used by Windows by looking at the registry. + +Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices + +DWORD: TPMActivePCRBanks + +Defines which PCR banks are currently active. + +Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices + +DWORD: TPMDigestAlgID + +Algorithm ID of the PCR bank that Windows is currently using. + ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) From 116dcd29979860dbd1a1015648cc09f6ad8a07c1 Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Fri, 26 Apr 2019 11:47:57 -0700 Subject: [PATCH 2/4] Update switch-pcr-banks-on-tpm-2-0-devices.md Adding revisions from our engineering partner --- .../switch-pcr-banks-on-tpm-2-0-devices.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index 6835ee1323..a8241027c8 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -52,19 +52,19 @@ Before switching PCR banks you should suspend or disable BitLocker – or have y ## How can I identify which PCR bank is being used? +A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. + +Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+DWORD: TPMActivePCRBanks
+Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.
+Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met. + You can identify which PCR bank is currently used by Windows by looking at the registry. -Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices - -DWORD: TPMActivePCRBanks - -Defines which PCR banks are currently active. - -Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices - -DWORD: TPMDigestAlgID - -Algorithm ID of the PCR bank that Windows is currently using. +Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+DWORD: TPMDigestAlgID
+Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)
+Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted. ## Related topics From cd65e01ecc2823796e0c64990b626225499a12a7 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 26 Apr 2019 11:49:52 -0700 Subject: [PATCH 3/4] Update switch-pcr-banks-on-tpm-2-0-devices.md --- .../tpm/switch-pcr-banks-on-tpm-2-0-devices.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index a8241027c8..25e1754f08 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -54,16 +54,16 @@ Before switching PCR banks you should suspend or disable BitLocker – or have y A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. -Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
-DWORD: TPMActivePCRBanks
-Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.
+- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+- DWORD: TPMActivePCRBanks
+- Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.
Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met. You can identify which PCR bank is currently used by Windows by looking at the registry. -Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
-DWORD: TPMDigestAlgID
-Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)
+- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+- DWORD: TPMDigestAlgID
+- Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)
Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted. ## Related topics From 70ccde012bbfe18d8e851d1781b545128fb04403 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 26 Apr 2019 12:01:24 -0700 Subject: [PATCH 4/4] Update switch-pcr-banks-on-tpm-2-0-devices.md edits --- .../tpm/switch-pcr-banks-on-tpm-2-0-devices.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index 25e1754f08..5493d4428d 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -57,6 +57,7 @@ A TPM can be configured to have multiple PCR banks active. When BIOS is performi - Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
- DWORD: TPMActivePCRBanks
- Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.
+ Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met. You can identify which PCR bank is currently used by Windows by looking at the registry. @@ -64,6 +65,7 @@ You can identify which PCR bank is currently used by Windows by looking at the r - Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
- DWORD: TPMDigestAlgID
- Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)
+ Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted. ## Related topics
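Review bot: in the hunk added by PATCH 1/4, `Defines which PCR banks are currently active.` gives the reader no way to decode the DWORD; say what the value encodes (a bitmap, and which document defines the bit assignments) and likewise state what `TPMDigestAlgID` is an ID from, rather than only `Algorithm ID of the PCR bank`. The `Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices` line is also repeated verbatim for two values under the same key; list the key once with both values beneath it. Finally, the section never ties these values back to the warning directly above it (`Before switching PCR banks you should suspend or disable BitLocker`); one sentence noting that a change in `TPMDigestAlgID` across a firmware update is the sign that keys sealed to the old bank will no longer unseal would make the new section actionable.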
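Review bot: the paragraph added in PATCH 2/4 has a typo, `BIOS may chose to deactivate` should be `BIOS may choose to deactivate`, and the same sentence introduces `"cap"` without telling the reader what a capped bank means for them; since the last added line already describes the mechanism (`extended with a separator`), state there that a capped or separator-extended bank must not be used to evaluate Windows measurements. The sentence `Windows will prefer the use of the SHA-256 bank ... and will fall back to SHA1 PCR bank` also mixes two spellings; pick one convention (SHA-1/SHA-256 or SHA1/SHA256) and use it throughout, and give the concrete `TPMDigestAlgID` values for those two banks so an admin can read the DWORD without opening the TCG Algorithm Registry.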
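Review bot: in PATCH 3/4, turning `Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.` into a third bullet alongside `- Registry key:` and `- DWORD:` makes the description read as a third field of the registry entry; keep the description as a plain sentence after the two-item list or nest it under the `DWORD:` item. The same applies to the `- Algorithm ID of the PCR bank ...` bullet in the second half of the hunk. As left by this hunk, each list is also immediately followed by a paragraph (`Windows checks which PCR banks are active` and `Windows only uses one PCR bank`) with no blank line, which Markdown will render as a continuation of the last bullet.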
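Review bot: the blank line added in the second hunk of PATCH 4/4 fixes the list rendering, but the sentence it separates, `measurements that appear to be from Windows should not be trusted`, is the most security-relevant statement in the section and is left without guidance; add a sentence saying that anyone validating a measured boot log should read `TPMDigestAlgID`, evaluate only that bank's PCRs against the log, and treat every other active bank as capped by the separator. Minor: the context line `BIOS may chose to deactivate` still carries the typo introduced in PATCH 2/4 and could be fixed in this same edit.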