How to identify which TPM 2.0 PCR Bank is being used

On https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices, there is no documented way to identify which PCR Bank is being used. For example, if you have a TPM 2.0 machine with SHA-1 and SHA-256 PCR Banks, it would be good to document how you can identify which one is being used.

Example text:

How can I identify which PCR bank is being used?

You can identify which PCR bank is currently used by Windows by looking at the registry.

Registry information

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices

DWORD: TPMActivePCRBanks

Defines which PCR banks are currently active

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices

DWORD: TPMDigestAlgID

Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)

MicrosoftDocs/windows-itpro-docs

RonaldAi

@Justinha and @alrosado: how about this language?

How can I identify which PCR bank is being used?

A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements, it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices

DWORD: TPMActivePCRBanks

Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.

Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to the SHA1 PCR bank if one of the pre-conditions is not met.

You can identify which PCR bank is currently used by Windows by looking at the registry.

Registry information

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices

DWORD: TPMDigestAlgID

Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)

Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted.
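As an added example (not part of this issue or of the Microsoft docs), the following PowerShell reads the two registry values described above and decodes them. The bit layout assumed for TPMActivePCRBanks is the TCG EFI Protocol hash-algorithm bitmap (bit 0 SHA1, bit 1 SHA256, bit 2 SHA384, bit 3 SHA512, bit 4 SM3_256); the TPMDigestAlgID names are TPM_ALG_ID constants from the TCG Algorithm Registry.

```powershell
# Decode the IntegrityServices values that tell you which PCR banks are active
# and which bank Windows is actually measuring into. Run in an elevated prompt
# on a TPM 2.0 system. Bit layout of TPMActivePCRBanks is an assumption
# (TCG EFI Protocol EFI_TCG2_BOOT_HASH_ALG_* bits); verify against the
# TCG Algorithm Registry for your platform.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\IntegrityServices'

# TPM_ALG_ID values from the TCG Algorithm Registry (used by TPMDigestAlgID)
$algIds = @{
    0x0004 = 'SHA1'
    0x000B = 'SHA256'
    0x000C = 'SHA384'
    0x000D = 'SHA512'
    0x0012 = 'SM3_256'
}

# Assumed bitmap layout for TPMActivePCRBanks
$bankBits = @{
    0x01 = 'SHA1'
    0x02 = 'SHA256'
    0x04 = 'SHA384'
    0x08 = 'SHA512'
    0x10 = 'SM3_256'
}

$props  = Get-ItemProperty -Path $key -ErrorAction Stop
$active = [int]$props.TPMActivePCRBanks   # bitmap of banks the TPM has active
$inUse  = [int]$props.TPMDigestAlgID      # TPM_ALG_ID of the bank Windows uses

# Expand the bitmap into bank names
$activeNames = foreach ($bit in ($bankBits.Keys | Sort-Object)) {
    if ($active -band $bit) { $bankBits[$bit] }
}
$inUseName = if ($algIds.ContainsKey($inUse)) { $algIds[$inUse] }
             else { 'unknown (0x{0:X4})' -f $inUse }

'Active PCR banks (0x{0:X}): {1}' -f $active, ($activeNames -join ', ')
'Bank used by Windows (0x{0:X4}): {1}' -f $inUse, $inUseName

# Defender's check: a SHA-256 bank is active, yet Windows fell back to SHA-1.
# Per the answer above, that means a pre-condition (BIOS support or a
# measured-boot log covering all active banks) was not met.
if (($active -band 0x02) -and ($inUse -eq 0x0004)) {
    Write-Warning 'SHA-256 bank is active but Windows is measuring into SHA-1; check firmware and event-log support.'
}
```

Remember that every active bank other than the one reported by TPMDigestAlgID is capped with a separator, so PCR values read from those banks must not be used for attestation decisions.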

