May 15th, 2007

BitLocker GPO settings

We posted an article earlier about configuration settings in BitLocker. We covered most of the tabs from the GPO configuration settings. If you investigated the BitLocker Administrative Template, you may have noticed a final configuration setting you can adjust.

This is the “Configure TPM Platform validation profiles” setting.

This GPO configures a specific aspect of the BitLocker configuration. Let's first review what happens when you enable BitLocker.

Once you initiate BitLocker, a key is generated. This key is saved to the TPM, AD, and/or a USB drive or other external source. This is the key that the computer uses to encrypt the hard drive. This key needs to be available whenever we want to read or write data from the hard drive. There are several ways we can do this.

1) Store the key in a TPM chip. This is the most secure way to store the key. When you put a key in the TPM chip, Windows will survey several configuration settings on the computer to generate a second key. (Yes, we now have two keys.) This second key is generated by reading values from several components during Windows startup, for example the BIOS configuration, the boot configuration, the master boot record, and several

Written by daniel.nerenberg on May 15th, 2007 with no comments.
Read more articles on Windows Client and Security.
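
An added example, not part of the original article: a simplified Python model of the TPM platform validation described above, showing how startup measurements are folded into PCRs and how the validation profile decides which changes block release of the key. The PCR indices, measurement strings and function names are constructed for illustration, and the plaintext secret in the blob stands in for data a real TPM would keep encrypted.

```python
import hashlib
import hmac

PCR_COUNT = 24  # TPM 1.2 exposes 24 PCRs, each a 20-byte SHA-1 value


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new = SHA1(old || SHA1(measurement)). A PCR is never set directly."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def boot(components):
    """Replay a startup: each (pcr_index, data) pair is extended in order."""
    pcrs = [bytes(20)] * PCR_COUNT
    for index, data in components:
        pcrs[index] = extend(pcrs[index], data)
    return pcrs


def composite(pcrs, profile):
    """Digest over only the PCRs selected by the validation profile."""
    h = hashlib.sha1()
    for index in sorted(profile):
        h.update(index.to_bytes(1, "big") + pcrs[index])
    return h.digest()


def seal(secret, pcrs, profile):
    """Simplified seal: record the expected composite alongside the secret."""
    chosen = tuple(sorted(profile))
    return {"profile": chosen, "expected": composite(pcrs, chosen), "secret": secret}


def unseal(blob, pcrs):
    """Release the secret only if the selected PCRs match the sealed state."""
    current = composite(pcrs, blob["profile"])
    return blob["secret"] if hmac.compare_digest(current, blob["expected"]) else None


# Constructed sample measurements: (pcr_index, measured bytes).
GOOD_BOOT = [(0, b"bios-config-v1"), (4, b"mbr-code-v1"), (8, b"boot-sector-v1")]
CHANGED_MBR = [(0, b"bios-config-v1"), (4, b"mbr-code-v2"), (8, b"boot-sector-v1")]


def demo():
    key = b"volume-key-placeholder"
    strict = seal(key, boot(GOOD_BOOT), profile={0, 4, 8})
    loose = seal(key, boot(GOOD_BOOT), profile={0})  # MBR is not validated
    changed = boot(CHANGED_MBR)
    return {"good_boot_unlocks": unseal(strict, boot(GOOD_BOOT)) == key,
            "strict_blocks_changed_mbr": unseal(strict, changed) is None,
            "loose_misses_changed_mbr": unseal(loose, changed) == key}
```

Dropping a PCR from the profile means changes to the component it measures no longer prevent the key from being released, which is the trade-off to weigh when adjusting this GPO.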