This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 11%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
I saw that in my BIOS, under Trusted Computing, there were mutiple SHA PCR Bank options. Only one was enabled by default, SHA-1, however the BIOS had support for other two types of SHA PCR Banks which were SHA-256 and SHA-384.
I tried searching high and low for information on these, but the only informative one was from Microsoft Learn and it didn't clarify much about what I wanted to know.
So my question is: do I need to reset my TPM key to enable all these three SHA PCR Banks to work? If so or not, what do I need to do to get it to work?
By reset, I mean going into tpm.msc and clicking "Clear TPM".
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi Soda,
Thanks for your post. Based on my research, from the official article, it must ship with SHA-256 PCR banks and implement PCRs 0 through 23 for SHA-256. Note that it is acceptable to ship TPMs with a single switchable PCR bank that can be utilized for SHA-256 measurements.
Reference:
Understand PCR banks on TPM 2.0 devices
Best Regards,
Ian Xue
If the Answer is helpful, please click "Accept Answer" and upvote it.
So if my implesments 256 from 0 to 23, I can turn the others without any problems? Because if I keep 256 enabled, then go and enable 1 and 384 after, I still have the key from 256; at least that's what I understand from the article.
Also, I made a mistake in my post - the default enabled SHA is 256 and not 1. 1 and 384 are not enabled by default (Optimized Defaults from the BIOS).
However, what are the advantages and/or disadvantages of enabling or disabling SHA-384 PCRs, considering that they're not required to be enabled by default?
