Boot Configuration Data settings and BitLocker
This article describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
During the boot process, BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered.
If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, you can include that BCD setting in the BCD validation coverage to suit the preferences for validation.
If the default BCD setting persistently triggers a recovery for benign changes, you can exclude that BCD setting from the validation coverage.
Important
Devices with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the Allow Secure Boot for integrity validation policy setting, the Use enhanced Boot Configuration Data validation profile policy is ignored.
One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system.
Customize BCD validation settings
To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the Use enhanced Boot Configuration Data validation profile policy setting.
For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog:
- winload
- winresume
- memtest
- all of the above
All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a friendly name.
The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event.
You can quickly obtain the friendly name for the BCD settings on a computer by using the command bcdedit.exe /enum all.
Not all BCD settings have friendly names. For those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
When specifying BCD values in the Use enhanced Boot Configuration Data validation profile policy setting, use the following syntax:
- Prefix the setting with the boot application prefix
- Append a colon
: - Append either the hex value or the friendly name
- If entering more than one BCD setting, each BCD setting will need to be entered on a new line
For example, either "winload:hypervisordebugport" or "winload:0x250000f4" yields the same value.
A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "all:locale" or "winresume:locale", but as the BCD setting "win-pe" doesn't apply to all boot applications, "winload:winpe" is valid, but "all:winpe" isn't valid. The setting that controls boot debugging ("bootdebug" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields.
Note
Take care when configuring BCD entries in the policy setting. The Local Group Policy Editor doesn't validate the correctness of the BCD entry. BitLocker fails to be enabled if the policy setting specified is invalid.
Default BCD validation profile
The following table contains the default BCD validation profile used by BitLocker:
| Hex Value | Prefix | Friendly Name |
|---|---|---|
| 0x11000001 | all | device |
| 0x12000002 | all | path |
| 0x12000030 | all | loadoptions |
| 0x16000010 | all | bootdebug |
| 0x16000040 | all | advancedoptions |
| 0x16000041 | all | optionsedit |
| 0x16000048 | all | nointegritychecks |
| 0x16000049 | all | testsigning |
| 0x16000060 | all | isolatedcontext |
| 0x1600007b | all | forcefipscrypto |
| 0x22000002 | winload | systemroot |
| 0x22000011 | winload | kernel |
| 0x22000012 | winload | hal |
| 0x22000053 | winload | evstore |
| 0x25000020 | winload | nx |
| 0x25000052 | winload | restrictapiccluster |
| 0x26000022 | winload | winpe |
| 0x26000025 | winload | lastknowngood |
| 0x26000081 | winload | safebootalternateshell |
| 0x260000a0 | winload | debug |
| 0x260000f2 | winload | hypervisordebug |
| 0x26000116 | winload | hypervisorusevapic |
| 0x21000001 | winresume | filedevice |
| 0x22000002 | winresume | filepath |
| 0x26000006 | winresume | debugoptionenabled |
Full list of friendly names for ignored BCD settings
The following list is a full list of BCD settings with friendly names, which are ignored by default. These settings aren't part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker-protected operating system drive to be unlocked.
Note
Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
| Hex Value | Prefix | Friendly Name |
|---|---|---|
| 0x12000004 | all | description |
| 0x12000005 | all | locale |
| 0x12000016 | all | targetname |
| 0x12000019 | all | busparams |
| 0x1200001d | all | key |
| 0x1200004a | all | fontpath |
| 0x14000006 | all | inherit |
| 0x14000008 | all | recoverysequence |
| 0x15000007 | all | truncatememory |
| 0x1500000c | all | firstmegabytepolicy |
| 0x1500000d | all | relocatephysical |
| 0x1500000e | all | avoidlowmemory |
| 0x15000011 | all | debugtype |
| 0x15000012 | all | debugaddress |
| 0x15000013 | all | debugport |
| 0x15000014 | all | baudrate |
| 0x15000015 | all | channel |
| 0x15000018 | all | debugstart |
| 0x1500001a | all | hostip |
| 0x1500001b | all | port |
| 0x15000022 | all | emsport |
| 0x15000023 | all | emsbaudrate |
| 0x15000042 | all | keyringaddress |
| 0x15000047 | all | configaccesspolicy |
| 0x1500004b | all | integrityservices |
| 0x1500004c | all | volumebandid |
| 0x15000051 | all | initialconsoleinput |
| 0x15000052 | all | graphicsresolution |
| 0x15000065 | all | displaymessage |
| 0x15000066 | all | displaymessageoverride |
| 0x15000081 | all | logcontrol |
| 0x16000009 | all | recoveryenabled |
| 0x1600000b | all | badmemoryaccess |
| 0x1600000f | all | traditionalkseg |
| 0x16000017 | all | noumex |
| 0x1600001c | all | dhcp |
| 0x1600001e | all | vm |
| 0x16000020 | all | bootems |
| 0x16000046 | all | graphicsmodedisabled |
| 0x16000050 | all | extendedinput |
| 0x16000053 | all | restartonfailure |
| 0x16000054 | all | highestmode |
| 0x1600006c | all | bootuxdisabled |
| 0x16000072 | all | nokeyboard |
| 0x16000074 | all | bootshutdowndisabled |
| 0x1700000a | all | badmemorylist |
| 0x17000077 | all | allowedinmemorysettings |
| 0x22000040 | all | fverecoveryurl |
| 0x22000041 | all | fverecoverymessage |
| 0x31000003 | all | ramdisksdidevice |
| 0x32000004 | all | ramdisksdipath |
| 0x35000001 | all | ramdiskimageoffset |
| 0x35000002 | all | ramdisktftpclientport |
| 0x35000005 | all | ramdiskimagelength |
| 0x35000007 | all | ramdisktftpblocksize |
| 0x35000008 | all | ramdisktftpwindowsize |
| 0x36000006 | all | exportascd |
| 0x36000009 | all | ramdiskmcenabled |
| 0x3600000a | all | ramdiskmctftpfallback |
| 0x3600000b | all | ramdisktftpvarwindow |
| 0x21000001 | winload | osdevice |
| 0x22000013 | winload | dbgtransport |
| 0x220000f9 | winload | hypervisorbusparams |
| 0x22000110 | winload | hypervisorusekey |
| 0x23000003 | winload | resumeobject |
| 0x25000021 | winload | pae |
| 0x25000031 | winload | removememory |
| 0x25000032 | winload | increaseuserva |
| 0x25000033 | winload | perfmem |
| 0x25000050 | winload | clustermodeaddressing |
| 0x25000055 | winload | x2apicpolicy |
| 0x25000061 | winload | numproc |
| 0x25000063 | winload | configflags |
| 0x25000066 | winload | groupsize |
| 0x25000071 | winload | msi |
| 0x25000072 | winload | pciexpress |
| 0x25000080 | winload | safeboot |
| 0x250000a6 | winload | tscsyncpolicy |
| 0x250000c1 | winload | driverloadfailurepolicy |
| 0x250000c2 | winload | bootmenupolicy |
| 0x250000e0 | winload | bootstatuspolicy |
| 0x250000f0 | winload | hypervisorlaunchtype |
| 0x250000f3 | winload | hypervisordebugtype |
| 0x250000f4 | winload | hypervisordebugport |
| 0x250000f5 | winload | hypervisorbaudrate |
| 0x250000f6 | winload | hypervisorchannel |
| 0x250000f7 | winload | bootux |
| 0x250000fa | winload | hypervisornumproc |
| 0x250000fb | winload | hypervisorrootprocpernode |
| 0x250000fd | winload | hypervisorhostip |
| 0x250000fe | winload | hypervisorhostport |
| 0x25000100 | winload | tpmbootentropy |
| 0x25000113 | winload | hypervisorrootproc |
| 0x25000115 | winload | hypervisoriommupolicy |
| 0x25000120 | winload | xsavepolicy |
| 0x25000121 | winload | xsaveaddfeature0 |
| 0x25000122 | winload | xsaveaddfeature1 |
| 0x25000123 | winload | xsaveaddfeature2 |
| 0x25000124 | winload | xsaveaddfeature3 |
| 0x25000125 | winload | xsaveaddfeature4 |
| 0x25000126 | winload | xsaveaddfeature5 |
| 0x25000127 | winload | xsaveaddfeature6 |
| 0x25000128 | winload | xsaveaddfeature7 |
| 0x25000129 | winload | xsaveremovefeature |
| 0x2500012a | winload | xsaveprocessorsmask |
| 0x2500012b | winload | xsavedisable |
| 0x25000130 | winload | claimedtpmcounter |
| 0x26000004 | winload | stampdisks |
| 0x26000010 | winload | detecthal |
| 0x26000024 | winload | nocrashautoreboot |
| 0x26000030 | winload | nolowmem |
| 0x26000040 | winload | vga |
| 0x26000041 | winload | quietboot |
| 0x26000042 | winload | novesa |
| 0x26000043 | winload | novga |
| 0x26000051 | winload | usephysicaldestination |
| 0x26000054 | winload | uselegacyapicmode |
| 0x26000060 | winload | onecpu |
| 0x26000062 | winload | maxproc |
| 0x26000064 | winload | maxgroup |
| 0x26000065 | winload | groupaware |
| 0x26000070 | winload | usefirmwarepcisettings |
| 0x26000090 | winload | bootlog |
| 0x26000091 | winload | sos |
| 0x260000a1 | winload | halbreakpoint |
| 0x260000a2 | winload | useplatformclock |
| 0x260000a3 | winload | forcelegacyplatform |
| 0x260000a4 | winload | useplatformtick |
| 0x260000a5 | winload | disabledynamictick |
| 0x260000b0 | winload | ems |
| 0x260000c3 | winload | onetimeadvancedoptions |
| 0x260000c4 | winload | onetimeoptionsedit |
| 0x260000e1 | winload | disableelamdrivers |
| 0x260000f8 | winload | hypervisordisableslat |
| 0x260000fc | winload | hypervisoruselargevtlb |
| 0x26000114 | winload | hypervisordhcp |
| 0x21000005 | winresume | associatedosdevice |
| 0x25000007 | winresume | bootux |
| 0x25000008 | winresume | bootmenupolicy |
| 0x26000003 | winresume | customsettings |
| 0x26000004 | winresume | pae |
| 0x25000001 | memtest | passcount |
| 0x25000002 | memtest | testmix |
| 0x25000005 | memtest | stridefailcount |
| 0x25000006 | memtest | invcfailcount |
| 0x25000007 | memtest | matsfailcount |
| 0x25000008 | memtest | randfailcount |
| 0x25000009 | memtest | chckrfailcount |
| 0x26000003 | memtest | cacheenable |
| 0x26000004 | memtest | failuresenabled |