diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 9b5683433f3..2310475e22b 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -5797,9 +5797,9 @@ int tpm2_unseal(Tpm2Context *c,
 return 0;
 }
-static TPM2_HANDLE generate_random_nv_index(void) {
- return TPM2_NV_INDEX_UNASSIGNED_FIRST +
- (TPM2_HANDLE) random_u64_range(TPM2_NV_INDEX_UNASSIGNED_LAST - TPM2_NV_INDEX_UNASSIGNED_FIRST + 1);
+static TPM2_HANDLE generate_random_pcrlock_nv_index(void) {
+ return TPM2_NV_INDEX_PCRLOCK_FIRST +
+ (TPM2_HANDLE) random_u64_range(TPM2_NV_INDEX_PCRLOCK_LAST - TPM2_NV_INDEX_PCRLOCK_FIRST + 1);
 }
 int tpm2_define_policy_nv_index(
@@ -5833,7 +5833,7 @@ int tpm2_define_policy_nv_index(
 if (requested_nv_index != 0)
 nv_index = requested_nv_index;
 else
- nv_index = generate_random_nv_index();
+ nv_index = generate_random_pcrlock_nv_index();
 TPM2B_NV_PUBLIC public_info = {
 .size = sizeof_field(TPM2B_NV_PUBLIC, nvPublic),
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 3a8565bac5d..26c8f10a74a 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
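Review bot: A random draw from the pcrlock range covers only 32 handles (0x01800400..0x0180041F), so after k policies have been defined the next draw lands on an already-defined index with probability k/32, and neither generate_random_pcrlock_nv_index() nor its call site in the second hunk (`nv_index = generate_random_pcrlock_nv_index();`) shows any retry when the TPM rejects the index as already defined. The previous helper drew from roughly four million handles, where a collision was practically impossible, so this is a new failure mode introduced by the narrower range. Unless tpm2_define_policy_nv_index() already handles this further down, the define call should sit in a bounded loop that redraws on an "NV index already defined" response (TPM2_RC_NV_DEFINED in the tss2 headers) and fails once the range is exhausted, or the helper should carry a comment such as `/* Only 32 slots: callers must expect collisions and retry or fail cleanly. */`. tpm2_define_policy_nv_index() continues outside both hunks, so the presence or absence of such handling cannot be confirmed here.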
@@ -485,13 +485,21 @@ enum {
 int tpm2_pcr_index_from_string(const char *s) _pure_;
 const char* tpm2_pcr_index_to_string(int pcr) _const_;
-/* The first and last NV index handle that is not registered to any company, as per TCG's "Registry of
+
+/* The first and last NV index handle that is assigned to the systemd project as per TCG's "Registry of
 * Reserved TPM 2.0 Handles and Localities", section 2.2.2. */
-#define TPM2_NV_INDEX_UNASSIGNED_FIRST UINT32_C(0x01800000)
-#define TPM2_NV_INDEX_UNASSIGNED_LAST UINT32_C(0x01BFFFFF)
+#define TPM2_NV_INDEX_SYSTEMD_FIRST UINT32_C(0x01800400)
+#define TPM2_NV_INDEX_SYSTEMD_LAST UINT32_C(0x018005FF)
 #if HAVE_TPM2
 /* Verify that the above is indeed a subset of the general NV Index range */
-assert_cc(TPM2_NV_INDEX_UNASSIGNED_FIRST >= TPM2_NV_INDEX_FIRST);
-assert_cc(TPM2_NV_INDEX_UNASSIGNED_LAST <= TPM2_NV_INDEX_LAST);
+assert_cc(TPM2_NV_INDEX_SYSTEMD_FIRST >= TPM2_NV_INDEX_FIRST);
+assert_cc(TPM2_NV_INDEX_SYSTEMD_LAST <= TPM2_NV_INDEX_LAST);
 #endif
+
+/* A subrange we use to store pcrlock policies in */
+#define TPM2_NV_INDEX_PCRLOCK_FIRST UINT32_C(0x01800400)
+#define TPM2_NV_INDEX_PCRLOCK_LAST UINT32_C(0x0180041F)
+
+assert_cc(TPM2_NV_INDEX_PCRLOCK_FIRST >= TPM2_NV_INDEX_SYSTEMD_FIRST);
+assert_cc(TPM2_NV_INDEX_PCRLOCK_LAST <= TPM2_NV_INDEX_SYSTEMD_LAST);
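Review bot: The comment above TPM2_NV_INDEX_PCRLOCK_FIRST does not say how small the subrange is (32 handles) or that the remainder of the systemd range (0x01800420..0x018005FF) is left free for other uses, which is what a reader allocating the next subrange needs to know; suggest `/* A 32-handle subrange we use to store pcrlock policies in; the rest of the systemd range is reserved for future subranges. */`. The two assert_cc lines for the pcrlock subrange sit outside the `#if HAVE_TPM2` guard while the systemd-range asserts above are inside it; that is consistent, since they compare only macros defined in this header rather than TPM2_NV_INDEX_FIRST/LAST from the TSS headers, but a one-line comment saying so would stop the next reader from "fixing" it. Because the old TPM2_NV_INDEX_UNASSIGNED_* constants are removed outright, any pcrlock policy an earlier build defined in 0x01800000..0x01BFFFFF is no longer describable by these constants; if anything elsewhere validates or cleans up stored indices against the range, that is worth a note in the comment, though nothing in the hunk shows such a check.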