Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.
View products that this article applies to.
This document describes how to remedy the vulnerability impact in BitLocker TPM-based protectors.
The impact on other BitLocker protector methods has to be reviewed based on how the relevant secrets are protected. For example, if an external key to unlock BitLocker is protected to the TPM, refer to the advisory to analyze the impact. Remedying of these effects of the vulnerability is not in the scope of this document.
BitLocker uses the TPM seal and unseal operations together with the storage root key to protect BitLocker secrets on the operating system volume. The vulnerability affects the seal and unseal operations on TPM 1.2, but it does not affect the operations on TPM 2.0.
When TPM-based protector is used to protect the operating system volume, the security of the BitLocker protection is affected only if the TPM firmware version is 1.2.
To identify affected TPMs and TPM versions, see "2. Determine devices in your organization that are affected” under "Recommended Actions" in Microsoft Security Advisory ADV170012.
To check BitLocker status, run “manage-bde -status <OS volume letter:>” at a command prompt as an administrator of the computer.
Figure 1 Sample output of an operating system volume that is protected by both TPM protector and Recovery Password protector. (Device encryption is not affected by this TPM vulnerability.)
Follow these steps to remedy the vulnerability:
The following page provides a full command-line reference for manage-bde.exe:
https://technet.microsoft.com/en-us/library/ff829849(v=ws.11).aspx
Keywords: kbsurveynew, kbsecreview, kbsecvulnerability, kbsecurity, kbsecbulletin, atdownload, kblangall, kbfix, kbexpertiseinter, kbbug, kb, kbmustloc