We posted an article earlier about the configuration settings in BitLocker, covering most of the settings in the BitLocker Group Policy (GPO) section. If you looked through the BitLocker Administrative Template you may have noticed one more setting you can adjust.
This is "Configure TPM platform validation profile". On Windows 8 and later it is split into two policies, one for BIOS-based firmware and one for native UEFI firmware, under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
This policy controls one specific part of how BitLocker works. Let's first review what happens when you enable BitLocker.
When you turn BitLocker on, a key is generated. This is the key the computer uses to encrypt the drive (internally BitLocker wraps it in a volume master key, but that detail does not change the picture). The key must be available every time the drive is read or written, so it has to be stored somewhere: in the TPM, on a USB drive, or as a recovery password that can also be backed up to Active Directory. There are several ways to do this.
1) Seal the key in the TPM chip. This is the most secure option. When the key is sealed to the TPM, Windows measures several parts of the boot environment and the TPM binds the key to those measurements. (So there is effectively a second secret guarding the first.) The measurements are taken from components read during startup: the BIOS/firmware configuration, the boot configuration, the master boot record, and several others. When the computer boots, the boot loader has to get the BitLocker key back out of the TPM, and the TPM only releases it if the current measurements match the ones the key was sealed to. If anything in the boot environment has changed, as it would if you moved the hard drive to a new computer, BitLocker enters recovery mode and asks you to either supply the recovery key from a USB drive or type in the recovery password manually.
2) Store the key on a USB drive (a startup key). This lets people without a TPM use BitLocker. However, if someone steals the USB drive along with your laptop they can still get into the laptop. It is also recommended that you store a backup copy of the recovery key on a USB drive and keep it in a separate location away from the computer. (This should be standard practice even if you have a TPM chip.)
3) Write the recovery password on paper and type it in on every boot. This is by far the most inconvenient way to use BitLocker. The recovery password is a 48-digit number, and typing it in on every startup gets old fast.
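To make the three options concrete, here is an added PowerShell example (not from the original post) that sets up the protectors described above. It assumes the operating system volume is C:, that a removable drive is mounted as E:, that the commands run from an elevated PowerShell prompt, and that the machine is domain-joined for the Active Directory backup step.

```powershell
# Added example, not part of the original post. Assumed: OS volume C:,
# removable drive E:, elevated prompt, domain-joined machine for the AD backup.

# Option 1: TPM protector plus a recovery password. The TPM protector seals the
# volume master key to the boot measurements; the 48-digit recovery password is
# what you type if the TPM refuses to release the key.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector

# Keep a backup copy of the recovery password away from the laptop:
# escrow it to Active Directory Domain Services...
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# ...and/or write a recovery key file (.BEK) to a USB drive that is then stored
# in a separate location from the computer.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryKeyProtector -RecoveryKeyPath 'E:\'

# Option 2 (no TPM): a startup key on a USB drive that must be present at every
# boot. Requires the "Require additional authentication at startup" policy with
# "Allow BitLocker without a compatible TPM" enabled.
# Add-BitLockerKeyProtector -MountPoint 'C:' -StartupKeyProtector -StartupKeyPath 'E:\'

# Show which protectors now guard the volume.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId
```

The recovery password protector is what saves you when a PCR profile change sends the machine into recovery, so add it before you start experimenting with profiles, not after.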
That really leaves option 1 as the best choice. As mentioned above, the key in the TPM is "sealed" against measurements of the startup environment. So which startup components are used for those measurements?
This policy lists the available options.
The PCRs, or Platform Configuration Registers, are the TPM registers holding the boot measurements that BitLocker checks at startup. The more PCRs you include in the profile, the more of the boot environment has to be unchanged before the TPM will release the key, and the harder it is to reach the key by tampering with the boot process. The caveat is that the more PCRs you use, the less flexible the configuration becomes: if you regularly change any of the measured elements (firmware settings, boot order, option ROMs, the boot manager) you will land in BitLocker recovery when they change and have to re-seal the key or reset the TPM protector. This can be a lengthy process. The defaults are PCRs 0, 2, 4, 8, 9, 10 and 11 on legacy BIOS systems, PCRs 0, 2, 4 and 11 on UEFI systems, and PCRs 7 and 11 on UEFI systems with Secure Boot, where Secure Boot validates the boot components instead of binding the key to their exact contents. Always keep PCR 11 in the profile: BitLocker extends it once the key has been released so the key cannot be unsealed again later in the boot.
The best way to find out which profile works for you is to set the option you want and then start encrypting the drive with BitLocker. IMPORTANT: back up your recovery key to USB first. As soon as the "Encrypting" progress window appears, click Pause, then restart the computer. If the computer boots without asking for the BitLocker recovery key you are good to go. As additional tests, run your most common applications and your usual maintenance tasks (firmware updates, driver installs, boot order changes) on the PC, rebooting after each one to make sure the BitLocker startup environment has not changed. Once everything passes, resume the encryption.
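Here is an added PowerShell walkthrough of that test (example code, not from the original post). It assumes the OS volume is C:, that BitLocker has already been turned on with a TPM protector and a backed-up recovery password, that encryption is in progress, and that the validation-profile policy has already applied to the machine.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# prompt. Assumed: OS volume C:, BitLocker already enabled with a TPM protector
# and a backed-up recovery password, encryption in progress, GPO already applied.

# 1. Confirm the platform state the profile is measured against.
Get-Tpm | Select-Object TpmPresent, TpmReady, ManufacturerVersion
Confirm-SecureBootUEFI   # $true with Secure Boot on; throws on a legacy BIOS machine

# 2. Show the PCR validation profile actually bound to the TPM protector.
#    Look for the "PCR Validation Profile:" line under the TPM key protector.
manage-bde -protectors -get C:

# 3. Pause encryption and reboot. The TPM protector is already sealed to the
#    current PCR values, so this reboot tests the profile regardless of how far
#    the encryption has progressed.
manage-bde -pause C:
# Restart-Computer   # uncomment when ready; the machine restarts immediately

# 4. After the reboot: no recovery prompt means the profile held. Check the
#    volume state and the BitLocker log for recovery-related events.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 5. Repeat the reboot after each maintenance task you normally run (firmware
#    update, driver install, boot-order change). When everything passes, resume.
manage-bde -resume C:
```

If a reboot does drop you into recovery, the `manage-bde -protectors -get C:` output from step 2 tells you which PCRs were in the profile, which narrows down what changed; loosen the profile or undo the change, then re-run the reboot test before resuming encryption.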