By Tenaka

Understanding Windows 11, TPMs, PCRs, Secure Boot, Bitlocker and Where They Fail

Updated: Dec 20, 2024

Understanding Windows 11, TPMs, PCRs, and Security Features

Windows 11 requires Trusted Platform Module (TPM) 2.0 as part of its foundation for enhanced security, alongside features like Secure Boot, BitLocker, and Virtualization-Based Security (VBS). With these tools, Microsoft aims to shield devices from evolving threats in an increasingly hostile digital landscape.


This article takes a closer look at these features and highlights their limitations, particularly in the context of remote attacks.


Trusted Platform Module (TPM): The Basics

A Trusted Platform Module (TPM) is a specialized chip designed to enhance security by providing cryptographic operations, safeguarding sensitive data, and ensuring system integrity. It can:

  • Generate, store, and manage cryptographic keys.

  • Validate the integrity of the boot process using Platform Configuration Registers (PCRs).

  • Support security features like BitLocker and VBS.


Types of TPM

  • Discrete TPM: A dedicated hardware chip soldered to the motherboard.

  • Firmware TPM (fTPM): Built into the CPU and implemented via firmware.


Checking TPM Status

  • Windows Security App: Go to Settings > Privacy & Security > Windows Security, then navigate to Device Security > Security Processor.


  • TPM Management Console: Open the Run dialog, type tpm.msc, and press Enter to check the status and specification version.

  • Command Line: Run tpmtool getdeviceinformation to retrieve detailed TPM data, including:

    • TPM Version: The specification version of the TPM (e.g., 2.0).

    • Manufacturer Information: The manufacturer ID and version of the TPM chip.

    • Supported Algorithms: Lists cryptographic algorithms supported by the TPM (e.g., RSA, SHA-256, etc.).

    • PCR Banks: The hash algorithms used for Platform Configuration Registers (PCRs), such as SHA-1 or SHA-256.

    • PCR Information: Indicates which PCRs are active and their supported configurations.

    • TPM Status: The current operational state of the TPM, such as whether it's enabled, activated, or ready for use.


  • PowerShell Cmdlets:

    • Get-Tpm: Displays TPM status and version.
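The checks above can be combined into one PowerShell function. This is an added example, not code from the original post; it assumes an elevated session and relies on Get-Tpm plus the Win32_Tpm CIM class, which reports the specification version as a string such as "2.0, 0, 1.38".

```powershell
# Added example: summarise TPM state against the Windows 11 requirement
# (a TPM 2.0 that is present and ready for use). Run elevated.
function Get-TpmPosture {
    $tpm = Get-Tpm

    # Win32_Tpm carries the specification version; the first comma-separated
    # field is the major spec version ("2.0" or "1.2")
    $cim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
        -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $specVersion = if ($cim) { ($cim.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    [pscustomobject]@{
        Present         = $tpm.TpmPresent
        Ready           = $tpm.TpmReady
        Enabled         = $tpm.TpmEnabled
        Activated       = $tpm.TpmActivated
        Manufacturer    = $tpm.ManufacturerIdTxt
        FirmwareVersion = $tpm.ManufacturerVersion
        SpecVersion     = $specVersion
        # A locked-out TPM refuses authorised operations until the heal time passes
        LockedOut       = $tpm.LockedOut
        # Windows 11 needs TPM 2.0, present and ready
        MeetsWindows11Requirement = ($tpm.TpmPresent -and $tpm.TpmReady -and $specVersion -eq '2.0')
    }
}

Get-TpmPosture | Format-List
```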


Platform Configuration Registers (PCRs): Ensuring Boot Integrity

PCRs in the TPM store hashed measurements of the system state taken during boot. Because each measurement is extended into a register rather than written over it, the PCRs form a cryptographic log of boot-time events that can later be checked to confirm the integrity of the boot sequence.


Uses of PCRs

  • Secure Boot: Validates the bootloader, ensuring only trusted code is executed.

  • BitLocker: Uses PCR values to confirm system integrity. Mismatched values (e.g., from tampering) trigger recovery mode.


Commonly Used PCRs

  • PCR 0: Measurements from the BIOS, firmware, and Core Root of Trust for Measurement (CRTM).

  • PCR 2: Reflects UEFI Secure Boot state.

  • PCR 4: Tracks bootloader integrity.

  • PCR 7: Represents Secure Boot configuration.


What is Secure Boot?

Secure Boot is a UEFI feature that ensures only signed and trusted bootloaders are executed during system startup. The TPM strengthens this process by securely measuring and storing the hashes of key boot components in its Platform Configuration Registers (PCRs). These measurements create a tamper-proof record of the boot sequence.


How Secure Boot Works:

  • Digital Signatures: Each component in the boot chain (e.g., firmware, bootloader) must have a valid digital signature.


  • Key Hierarchies:

    • Platform Key (PK): Authorizes changes to Secure Boot settings.

    • Key Exchange Key (KEK): Manages authorized signatures.

    • Allowed and Forbidden Lists: Specify trusted and untrusted binaries.


Secure Boot and PCRs:

  • PCR 7 reflects the Secure Boot state. Tampering with Secure Boot settings results in a different PCR value.


Checking Secure Boot Status:

  • Open the System Information tool (msinfo32).

  • Look for Secure Boot State in the report.
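The same state, plus the contents of the key hierarchy described above, can be read from PowerShell. This added example (not from the original post) uses Confirm-SecureBootUEFI and Get-SecureBootUEFI and walks the EFI_SIGNATURE_LIST structures in PK, KEK, db and dbx to count how many certificates and hashes each allowed/forbidden list holds; it assumes an elevated session on a UEFI system.

```powershell
# Added example: report Secure Boot state and summarise each Secure Boot variable.
# Signature-type GUIDs are taken from the UEFI specification.
$SigTypes = @{
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'X509 certificate'
    'c1c41626-504c-4092-aca9-41f936934328' = 'SHA-256 hash'
}

function Get-SignatureListSummary {
    param([byte[]]$Bytes)
    $offset = 0
    $result = @{}
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), SignatureListSize (4),
        # SignatureHeaderSize (4), SignatureSize (4); entries follow the optional header
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)]).ToString()
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0) { break }   # malformed list: stop, do not loop forever
        $count = [math]::Floor(($listSize - 28 - $headerSize) / $sigSize)
        $name  = if ($SigTypes.ContainsKey($type)) { $SigTypes[$type] } else { $type }
        $result[$name] = [int]$result[$name] + $count
        $offset += $listSize
    }
    return $result
}

# $true only when Secure Boot is enforcing; throws on a legacy BIOS system
$secureBoot = Confirm-SecureBootUEFI
"Secure Boot enabled: $secureBoot"

foreach ($var in 'PK', 'KEK', 'db', 'dbx') {
    try {
        $bytes   = (Get-SecureBootUEFI -Name $var).Bytes
        $summary = Get-SignatureListSummary -Bytes $bytes
        $detail  = ($summary.GetEnumerator() | ForEach-Object { "$($_.Value) x $($_.Key)" }) -join ', '
        "{0,-4} {1,8} bytes  {2}" -f $var, $bytes.Length, $detail
    } catch {
        "{0,-4} not present or not readable: {1}" -f $var, $_.Exception.Message
    }
}
```

A dbx that reports only a handful of hashes on a machine that has been in service for years usually means the revocation list has never been updated, which is worth flagging during a review.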


What is BitLocker?

BitLocker is a full-disk encryption feature that leverages TPM to secure data. It ensures that data remains inaccessible if the system is tampered with or the drive is removed.


How BitLocker Uses TPM:

  • Stores encryption keys securely in TPM.

  • Validates PCR values during boot. If the values match the expected measurements, the drive is unlocked.


Configuring BitLocker:

  • Open Explorer, navigate to C:

  • Right click on C: and select 'Manage BitLocker'.

  • Turn on Bitlocker and follow the prompts.
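To see exactly which PCRs the TPM protector is bound to, and whether the volume relies on the TPM alone, the Win32_EncryptableVolume CIM class can be queried. This is an added example, not from the original post; it assumes an elevated session and a BitLocker-protected C: drive, and it flags TPM-only protectors because, as the post notes later, a PIN is what stops a physical attacker from simply booting the machine to obtain the key.

```powershell
# Added example: list BitLocker key protectors on a volume with their PCR binding.
# KeyProtectorType values from Win32_EncryptableVolume that involve the TPM:
$TpmProtectorTypes = @{ 1 = 'TPM'; 4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey' }

function Get-BitLockerTpmBinding {
    param([string]$MountPoint = 'C:')
    $vol = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftVolumeEncryption' `
        -ClassName 'Win32_EncryptableVolume' -Filter "DriveLetter='$MountPoint'"
    if (-not $vol) { throw "No BitLocker volume information for $MountPoint" }

    # KeyProtectorType 0 returns every protector ID on the volume
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
        -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID

    foreach ($id in $ids) {
        $type = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
            -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        $pcrs = $null
        if ($TpmProtectorTypes.ContainsKey([int]$type)) {
            # Only TPM-based protectors carry a platform validation profile, i.e. the PCR list
            $profile = Invoke-CimMethod -InputObject $vol `
                -MethodName GetKeyProtectorPlatformValidationProfile `
                -Arguments @{ VolumeKeyProtectorID = $id }
            $pcrs = ($profile.PlatformValidationProfile | Sort-Object) -join ','
        }
        [pscustomobject]@{
            ProtectorId = $id
            Type        = if ($TpmProtectorTypes.ContainsKey([int]$type)) { $TpmProtectorTypes[[int]$type] } else { "Other($type)" }
            BoundPCRs   = $pcrs
            # TPM-only (1) and TPM+StartupKey (5) release the key without a user secret
            NeedsPin    = ($type -eq 1 -or $type -eq 5)
        }
    }
}

Get-BitLockerTpmBinding -MountPoint 'C:' | Format-Table -AutoSize
```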


What is Virtualization-Based Security (VBS) and HVCI?

Virtualization-Based Security (VBS) uses hardware virtualization to create isolated memory regions for security-critical operations, enhancing system security.


VBS Features:

  • Hypervisor-Enforced Code Integrity (HVCI):

    • Ensures only signed and verified drivers and binaries are executed.

    • Relies on TPM for key storage and Secure Boot for integrity validation.

  • Credential Guard:

    • Protects domain user credentials by isolating the LSASS (Local Security Authority Subsystem Service) process.


Enabling VBS:

  • Check hardware support:

    • Virtualization support in BIOS/UEFI.

    • Run msinfo32 and look for "Hyper-V Requirements."

  • Enable VBS:

    • Open Windows Security > Device Security > Core Isolation.

    • Enable Memory Integrity.


Verifying VBS Status:

  • Run msinfo32.

  • Look for Virtualization-Based Security in the report.
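The msinfo32 view is backed by the Win32_DeviceGuard CIM class, whose numeric codes are easier to read once decoded. This added example (not from the original post) turns those codes into a report of VBS, HVCI and Credential Guard state; the code-to-name tables follow Microsoft's documentation for that class, and any value outside them is shown as Unknown.

```powershell
# Added example: decode Win32_DeviceGuard into a readable VBS/HVCI/Credential Guard report.
$VbsStatus  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$Services   = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Memory Integrity)';
                 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$Properties = @{ 1 = 'Base virtualization support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                 4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only';
                 6 = 'SMM security mitigations'; 7 = 'Mode-based execution control' }

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Map an array of codes to names; a $null array (VBS off) decodes to an empty list
    $decode = {
        param($codes, $table)
        @($codes | ForEach-Object { if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown($_)" } })
    }

    [pscustomobject]@{
        VbsStatus              = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = (& $decode $dg.SecurityServicesConfigured $Services) -join ', '
        ServicesRunning        = (& $decode $dg.SecurityServicesRunning $Services) -join ', '
        # "Available" is what the hardware/firmware can offer; "Required" is what policy demands
        AvailableProperties    = (& $decode $dg.AvailableSecurityProperties $Properties) -join ', '
        RequiredProperties     = (& $decode $dg.RequiredSecurityProperties $Properties) -join ', '
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        # Credential Guard covers domain credentials only; local account secrets are outside its scope
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

Get-VbsReport | Format-List
```

"Enabled but not running" with Secure Boot missing from AvailableProperties is the usual sign that VBS was configured but the platform prerequisites are not met.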


What These Features Don’t Protect

While these tools provide strong defenses against physical tampering, they fall short against remote threats:

  • Credential Theft - VBS's Credential Guard protects domain credentials but doesn’t secure local account credentials, which can be dumped from memory. Additionally, techniques like pass-the-hash allow attackers to use stolen hashes without decryption.

  • Application Exploits - TPM protections don’t block malware that exploits software vulnerabilities. Attackers can bypass these defenses by targeting unpatched applications.

  • Hardware-Level Attacks - Physical attacks on the Low Pin Count (LPC) bus could extract BitLocker keys if no PIN is used.

  • Network-Based Attacks - Features like Secure Boot and TPM don’t address phishing, network infiltration, or lateral movement.


Building a Comprehensive Security Strategy

To address these gaps, organizations should bolster TPM-based features with additional measures:

  • Application Control - Tools like Windows Defender Application Control (WDAC) enforce strict policies, blocking unauthorized applications and malware.

  • Regular Patching - Keeping systems and applications up-to-date mitigates risks from known vulnerabilities.

  • Multifactor Authentication (MFA) - Adds a layer of protection against credential theft and unauthorized access.

  • Endpoint Detection and Response (EDR) - Monitors for suspicious activity and stops advanced attacks.


The Takeaway

Windows 11’s TPM-centric security features excel at defending against physical attacks, but they can’t stop remote exploits, credential theft, or network-based threats on their own. Think of them as a sturdy lock—effective at preventing break-ins, but not enough if attackers exploit the open Window. A layered security approach is essential to stay ahead of sophisticated threats.
