I recently had an issue at work where we saw a not-insignificant number of our Z4G5 workstations regularly going into recovery mode after the weekly reboot. As far as we were aware at the time, they were configured no differently to any of our other computers, laptop desktop or mini-workstation, so this was confusing. What follows is what worked for us and depending on your environment, you might have other restrictions or security settings.
Following some digging, we discovered that these machines had a different PCR Validation Profile. Most of our machines are set to 7,11 whereas these were set 0,2,4,11. You can check the validation profile of a machine with the following command:
Manage-bde -protectors -get C:
Where C: is the drive letter.
SOLUTION:
We also noticed that Pre-Boot DMA Protection was turned off in the BIOS on these workstations. We turned this setting back on, cleared the TPM and restarted the machine. This reset the protectors back to 7,11 and the machines now continue to boot normally.
I appreciate there is an element missing here – why was it entering recovery mode in the first place? In many instances, 0,2,4,11 is a perfectly acceptable default. Truth is at the moment, this is still unclear and HP weren’t able to provide a good explanation here either but a clue might lie in the last paragraph in the link below (re ‘Secure Boot validation’).
FURTHER INFO:
Indices can be configured via registry/GPO policy. Briefly, the default PCRs used by BitLocker in the BIOS are 0, 2, 4, 8, 9, 10, 11:
- PCR0: Dynamic Root of Trust, BIOS Code, Platform Extensions
- PCR2: ROM Code
- PCR4: MBR Code
- PCR8: NTFS Boot Sector
- PCR9: NTFS Boot Block
- PCR10: NTFS Boot Manager
- PCR11: BitLocker’s Volume Master Key (VMK) and its critical components
For a more detailed explanation of this and what the different indices relate to, see Configure TPM platform validation profile for native UEFI firmware configurations.
