Udostępnij za pośrednictwem


BCD Settings and BitLocker

 

Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive boot configuration data (BCD) settings have not changed since BitLocker was last enabled, resumed, or recovered.

BitLocker and BCD Settings

In Windows 7 and Windows Server 2008 R2, BitLocker validated nearly all BCD settings with the winload, winresume, and memtest prefixes. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack BitLocker would enter recovery.

In Windows 8, Windows Server 2012, and later operating systems BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, you can increase BCD validation coverage to suit your validation preferences. Alternatively, if a default BCD setting is persistently triggering recovery for benign changes, then you can exclude that BCD setting from the validation profile.

When secure boot is enabled

Computers with UEFI firmware can use Secure Boot to provide enhanced boot security. When BitLocker is able to use Secure Boot for platform and BCD integrity validation, as defined by the Allow Secure Boot for integrity validation group policy setting, the Use enhanced Boot Configuration Data validation profile group policy is ignored.

One of the benefits of using Secure Boot is that it can correct BCD settings during boot without triggering recovery events. Secure Boot enforces the same BCD settings as BitLocker. Secure Boot BCD enforcement is not configurable from within the operating system.

Customizing BCD validation settings

To modify the BCD settings BitLocker validates the IT Pro will add or exclude BCD settings from the platform validation profile by enabling and configuring the Use enhanced Boot Configuration Data validation profile Group Policy setting.

For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. BCD settings are either associated with a specific boot application or can apply to all boot applications by associating a prefix to the BCD setting entered in the Group Policy setting. Prefix values include:

  • winload

  • winresume

  • memtest

  • all

All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.”

The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies which BCD setting caused the recovery event.

You can quickly obtain the friendly name for the BCD settings on your computer by using the command “bcdedit.exe /enum all”.

Not all BCD settings have friendly names, for those settings the hex value is the only way to configure an exclusion policy.

When specifying BCD values in the Use enhanced Boot Configuration Data validation profile Group Policy setting, use the following syntax:

  • Prefix the setting with the boot application prefix

  • Append a colon ‘:’

  • Append either the hex value or the friendly name

  • If entering more than one BCD setting, you will need to enter each BCD setting on a new line

For example, either “winload:hypervisordebugport” or “winload:0x250000f4” yield the same value.

Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “all:locale” or “winresume:locale”, but as the bcd setting “win-pe” does not apply to all boot applications, “winload:winpe” is valid, but “all:winpe” is not valid. The setting that controls boot debugging (“bootdebug” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.

Note

Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.

Default BCD validation profile

The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and later operating systems:

Hex Value

Prefix

Friendly Name

0x11000001

all

device

0x12000002

all

path

0x12000030

all

loadoptions

0x16000010

all

bootdebug

0x16000040

all

advancedoptions

0x16000041

all

optionsedit

0x16000048

all

nointegritychecks

0x16000049

all

testsigning

0x16000060

all

isolatedcontext

0x1600007b

all

forcefipscrypto

0x22000002

winload

systemroot

0x22000011

winload

kernel

0x22000012

winload

hal

0x22000053

winload

evstore

0x25000020

winload

nx

0x25000052

winload

restrictapiccluster

0x26000022

winload

winpe

0x26000025

winload

lastknowngood

0x26000081

winload

safebootalternateshell

0x260000a0

winload

debug

0x260000f2

winload

hypervisordebug

0x26000116

winload

hypervisorusevapic

0x21000001

winresume

filedevice

0x22000002

winresume

filepath

0x26000006

winresume

debugoptionenabled

Full list of friendly names for ignored BCD settings

This following is a full list of BCD settings with friendly names which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked.

Note

Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.

Hex Value

Prefix

Friendly Name

0x12000004

all

description

0x12000005

all

locale

0x12000016

all

targetname

0x12000019

all

busparams

0x1200001d

all

key

0x1200004a

all

fontpath

0x14000006

all

inherit

0x14000008

all

recoverysequence

0x15000007

all

truncatememory

0x1500000c

all

firstmegabytepolicy

0x1500000d

all

relocatephysical

0x1500000e

all

avoidlowmemory

0x15000011

all

debugtype

0x15000012

all

debugaddress

0x15000013

all

debugport

0x15000014

all

baudrate

0x15000015

all

channel

0x15000018

all

debugstart

0x1500001a

all

hostip

0x1500001b

all

port

0x15000022

all

emsport

0x15000023

all

emsbaudrate

0x15000042

all

keyringaddress

0x15000047

all

configaccesspolicy

0x1500004b

all

integrityservices

0x1500004c

all

volumebandid

0x15000051

all

initialconsoleinput

0x15000052

all

graphicsresolution

0x15000065

all

displaymessage

0x15000066

all

displaymessageoverride

0x16000009

all

recoveryenabled

0x1600000b

all

badmemoryaccess

0x1600000f

all

traditionalkseg

0x16000017

all

noumex

0x1600001c

all

dhcp

0x1600001e

all

vm

0x16000020

all

bootems

0x16000046

all

graphicsmodedisabled

0x16000050

all

extendedinput

0x16000053

all

restartonfailure

0x16000054

all

highestmode

0x1600006c

all

bootuxdisabled

0x16000072

all

nokeyboard

0x16000074

all

bootshutdowndisabled

0x1700000a

all

badmemorylist

0x17000077

all

allowedinmemorysettings

0x22000040

all

fverecoveryurl

0x22000041

all

fverecoverymessage

0x31000003

all

ramdisksdidevice

0x32000004

all

ramdisksdipath

0x35000001

all

ramdiskimageoffset

0x35000002

all

ramdisktftpclientport

0x35000005

all

ramdiskimagelength

0x35000007

all

ramdisktftpblocksize

0x35000008

all

ramdisktftpwindowsize

0x36000006

all

exportascd

0x36000009

all

ramdiskmcenabled

0x3600000a

all

ramdiskmctftpfallback

0x3600000b

all

ramdisktftpvarwindow

0x21000001

winload

osdevice

0x22000013

winload

dbgtransport

0x220000f9

winload

hypervisorbusparams

0x22000110

winload

hypervisorusekey

0x23000003

winload

resumeobject

0x25000021

winload

pae

0x25000031

winload

removememory

0x25000032

winload

increaseuserva

0x25000033

winload

perfmem

0x25000050

winload

clustermodeaddressing

0x25000055

winload

x2apicpolicy

0x25000061

winload

numproc

0x25000063

winload

configflags

0x25000066

winload

groupsize

0x25000071

winload

msi

0x25000072

winload

pciexpress

0x25000080

winload

safeboot

0x250000a6

winload

tscsyncpolicy

0x250000c1

winload

driverloadfailurepolicy

0x250000c2

winload

bootmenupolicy

0x250000e0

winload

bootstatuspolicy

0x250000f0

winload

hypervisorlaunchtype

0x250000f3

winload

hypervisordebugtype

0x250000f4

winload

hypervisordebugport

0x250000f5

winload

hypervisorbaudrate

0x250000f6

winload

hypervisorchannel

0x250000f7

winload

bootux

0x250000fa

winload

hypervisornumproc

0x250000fb

winload

hypervisorrootprocpernode

0x250000fd

winload

hypervisorhostip

0x250000fe

winload

hypervisorhostport

0x25000100

winload

tpmbootentropy

0x25000113

winload

hypervisorrootproc

0x25000115

winload

hypervisoriommupolicy

0x25000120

winload

xsavepolicy

0x25000121

winload

xsaveaddfeature0

0x25000122

winload

xsaveaddfeature1

0x25000123

winload

xsaveaddfeature2

0x25000124

winload

xsaveaddfeature3

0x25000125

winload

xsaveaddfeature4

0x25000126

winload

xsaveaddfeature5

0x25000127

winload

xsaveaddfeature6

0x25000128

winload

xsaveaddfeature7

0x25000129

winload

xsaveremovefeature

0x2500012a

winload

xsaveprocessorsmask

0x2500012b

winload

xsavedisable

0x25000130

winload

claimedtpmcounter

0x26000004

winload

stampdisks

0x26000010

winload

detecthal

0x26000024

winload

nocrashautoreboot

0x26000030

winload

nolowmem

0x26000040

winload

vga

0x26000041

winload

quietboot

0x26000042

winload

novesa

0x26000043

winload

novga

0x26000051

winload

usephysicaldestination

0x26000054

winload

uselegacyapicmode

0x26000060

winload

onecpu

0x26000062

winload

maxproc

0x26000064

winload

maxgroup

0x26000065

winload

groupaware

0x26000070

winload

usefirmwarepcisettings

0x26000090

winload

bootlog

0x26000091

winload

sos

0x260000a1

winload

halbreakpoint

0x260000a2

winload

useplatformclock

0x260000a3

winload

forcelegacyplatform

0x260000a4

winload

useplatformtick

0x260000a5

winload

disabledynamictick

0x260000b0

winload

ems

0x260000c3

winload

onetimeadvancedoptions

0x260000c4

winload

onetimeoptionsedit

0x260000e1

winload

disableelamdrivers

0x260000f8

winload

hypervisordisableslat

0x260000fc

winload

hypervisoruselargevtlb

0x26000114

winload

hypervisordhcp

0x21000005

winresume

associatedosdevice

0x25000007

winresume

bootux

0x25000008

winresume

bootmenupolicy

0x26000003

winresume

customsettings

0x26000004

winresume

pae

0x25000001

memtest

passcount

0x25000002

memtest

testmix

0x25000005

memtest

stridefailcount

0x25000006

memtest

invcfailcount

0x25000007

memtest

matsfailcount

0x25000008

memtest

randfailcount

0x25000009

memtest

chckrfailcount

0x26000003

memtest

cacheenable

0x26000004

memtest

failuresenabled