Windows 10: PCR7 binding not possible - Bitlocker no longer functions

Discussion in 'Windows 10 Software and Apps' started by Izuriphoto Geert van, May 13, 2025 at 10:42 AM.

  1. PCR7 binding not possible - Bitlocker no longer functions


    I have ported my windows installation to a larger drive... a straight clone. Everything works except for the fact that bitlocker no longer wants to encrypt the drives. Before cloning I had paused bitlocker... after cloning, I was actually still able to decrypt the drives for verification... but after that bitlocker no longer wants to turn on. Bitlocker service is active, is noted as required in the registry... but the control panel fails when trying to encrypt a drive. It seems to have something to do with the PCR7 binding? How can this be resolved?

    Izuriphoto Geert van, May 13, 2025 at 10:42 AM
    #1

  2. BitLocker error - PCR7 binding is not supported

    Hello,



    I have an issue with BitLocker not working and advising "PCR7 binding is not supported"

    I've undertaken extensive research on the internet to resolve the issue and drawing a blank.

    (This laptop was previously using BitLocker without issue prior to me wiping the system and doing a clean install)



    When attempting to enable BitLocker on a HP Elitebook G3 1030 running Windows 10 Pro the following error message is received following reboot.



    "BitLocker could not be enabled.

    The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked automatically.

    C: was not encrypted"



    This error message occurs only when I configure BitLocker with the "System Check." (Checking the box when it asks).

    The error message is received after reboot.

    If I do not select the System Check, it works, but it prompts the user every single reboot to input the recovery key.



    Apparently if BitLocker keeps asking for Recovery key at startup even after multiple attempts, one is trapped in a recovery key loop.

    You may enter a BitLocker recovery key loop if your device TPM is configured to use PCR (Platform Configuration Register) values that are not the default values (PCR 7 & PCR 11) to which BitLocker binds.



    Initial efforts to resolve the situation included:



    • Clear the TPM via the BIOS
    • Removing all partitions on the hard disk using Parted Magic
    • Clean re-install of Windows 10 via Microsoft website installer
    • Reset of the BIOS settings
    • Reinstalling the latest BIOS update
    • Verifying in the BIOS that Secure Boot is ENABLED

    Following this I executed the advice from this Microsoft forum to reset TPM protectors

    BitLocker Drive Encryption: The data drive specified is not set to automatically unlock - Microsoft Q&A

    Basically this involved using command prompt to issue the following commands

    1. "manage-bde -protectors -delete c: -t TPM"
    2. "manage-bde -protectors -add c: -tpm"

    Unfortunately this did not resolve the problem



    Issuing the command "manage-bde -protectors -get c:" reveals that my system is relying on PCR 0, 2, 4, 11 instead of PCR 7, 11



    When running "System Information" as administrator the following key information about my system was returned

    BIOS Mode = UEFI

    Secure Boot State = On

    PCR7 Configuration = Binding Not Possible

    Device Encryption Support = Reason for failed automatic device encryption: PCR7 binding is not supported.



    This website had some useful suggestions that were followed. PCR7 Binding Is Not Supported in Windows 11/10? [Fixed] - MiniTool

    Step 1 = I ran "tpm.msc" and it advises "The TPM is ready to use"

    Step 2 = The BIOS is configured with UEFI enabled and the system disk partition style is GPT

    Step 3 = Secure Boot State = On (as per "System Information")

    Step 4 = In command prompt I ran the command "powercfg /a" and receive the message back

    "The following sleep states are available on this system:

    Standby (S0 Low Power Idle) Network Connected

    Hibernate

    Fast Startup"



    When opening Event Viewer and selecting "Applications and Services Logs -> Microsoft -> Windows -> BitLocker-API -> Management" it lists a string of events with mostly alternating Event IDs as follows:

    Event 834 (Information) - BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

    Event 816 (Warning) - BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] contains invalid entries.



    Out of desperation, I reached out to Microsoft support and one week later I'm still waiting for the next level of support to contact me.



    Does anyone have any advice of what else I can try to resolve this BitLocker issue?
     
    Sherminator 2, May 13, 2025 at 11:07 AM
    #2
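The post above collects its evidence by hand from manage-bde, msinfo32 and Event Viewer. The script below is an added example, not code from the thread or from Microsoft, that gathers the same three facts in one elevated PowerShell session: Secure Boot and TPM state, the PCR set the TPM key protector is actually sealed to (the "0, 2, 4, 11" versus "7, 11" question), and the 816/834 events that explain why PCR 7 was refused. It assumes Windows 10 Pro with the built-in SecureBoot, TrustedPlatformModule and BitLocker tooling and an OS volume of C: (change `$Volume` otherwise); the `Win32_EncryptableVolume` WMI class and its `GetKeyProtectors` / `GetKeyProtectorPlatformValidationProfile` methods are the documented interface behind manage-bde.

```powershell
# Added diagnostic script (not from the thread). Run from an elevated PowerShell prompt.
# Assumes Windows 10 Pro and that the operating-system volume is C:.

$Volume = 'C:'

# 1. Firmware and TPM state (what msinfo32 reports as "Secure Boot State" and tpm.msc as "ready").
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { 'n/a (legacy BIOS or unsupported firmware)' }
$tpm = Get-Tpm
"Secure Boot state : $secureBoot"
"TPM present/ready : $($tpm.TpmPresent) / $($tpm.TpmReady)"

# 2. Which PCRs the TPM key protector is sealed to. Win32_EncryptableVolume is the
#    WMI class behind manage-bde; the platform validation profile is a list of PCR indexes.
$vol = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                       -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$Volume'"
if (-not $vol) { throw "No BitLocker volume object found for $Volume" }

# KeyProtectorType 1 = TPM-only key protector
$kp = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors -Arguments @{ KeyProtectorType = [uint32]1 }
if (-not $kp.VolumeKeyProtectorID) {
    "$Volume currently has no TPM key protector (BitLocker is off, or protectors were deleted)."
}
foreach ($id in $kp.VolumeKeyProtectorID) {
    $prof = Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
                             -Arguments @{ VolumeKeyProtectorID = $id }
    $pcrs = ($prof.PlatformValidationProfile | Sort-Object) -join ','
    "TPM protector $id is bound to PCR $pcrs"
    switch ($pcrs) {
        '7,11'     { '  -> Secure Boot based profile: PCR 7 binding is in use.' }
        '0,2,4,11' { '  -> legacy profile: BitLocker could not use PCR 7 and fell back to firmware/boot-code measurements.' }
        default    { '  -> non-default profile (custom Group Policy or an older BitLocker configuration).' }
    }
}

# 3. Why PCR 7 was refused: events 816 (warning) and 834 (information) in the
#    BitLocker-API > Management log named in the post.
$events = Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 10 -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 816, 834
}
if (-not $events) {
    'No 816/834 events found: BitLocker has not logged a PCR 7 / TCG log problem recently.'
}
foreach ($e in $events) {
    # First line of the message is the human-readable summary; 834 also embeds the filtered TCG log.
    $summary = ($e.Message -split "`r?`n")[0]
    '{0:u}  Event {1} ({2}): {3}' -f $e.TimeCreated, $e.Id, $e.LevelDisplayName, $summary
}
```

A protector bound to `0,2,4,11` together with recent 816/834 events is the combination the poster describes; the 834 event is the one to keep, because its embedded PCR[7] log shows which boot component (and which signing authority) BitLocker objected to. The script is read-only and does not change protectors, firmware or policy.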
  3. LShel42
    PCR7 Configuration Binding Not Possible

    I've got Windows 10 Home, Version 10.0.18363 Build 18363. I haven't been having any specific problems, but tonight I looked at my System Information and on the Summary page I noticed a couple of entries that I really don't understand.

    • PCR7 Configuration Binding Not Possible
    • Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected
    Do I have a problem that I'm unaware of? Should I be concerned? What do I do to fix it if necessary? Would appreciate some expert guidance here. Thanks.
     
  4. PCR7 binding not possible - Bitlocker no longer functions

    BitLocker error - PCR7 binding is not supported

    Hello, Sherminator 2

    Welcome to Microsoft Community.

    I’m sorry to hear that you are having trouble with BitLocker. Based on your description, it seems that the certificates in Secure Boot are preventing binding (if there’s more than one root certificate, for instance, BitLocker won’t bind to PCR 7 because it cannot verify which root authority is the proper authority). Any other signature present on boot code will cause BitLocker to use TPM profile 0, 2, 4, 11 instead of 7, 11. In some cases, the binaries are signed with UEFI CA 2011 certificate, which will prevent you from binding BitLocker to PCR 7. You can find the details here: Windows Server shows PCR7 configuration as "Binding not possible" - Windows Server | Microsoft Learn

    You can try to disable the UEFI CA 2011 certificate in your Secure Boot settings. This may allow BitLocker to bind to PCR 7 instead of PCR 0, 2, 4, 11. To disable the UEFI CA 2011 certificate in Secure Boot settings, you need to access the UEFI menu and find the Secure Boot setting. The Secure Boot setting is usually in either the Security tab, the Boot tab, or the Authentication tab. Once you find the Secure Boot setting, you may have an option to manage the certificates or customize the signature database. If so, you can select that option and look for the UEFI CA 2011 certificate in the list of certificates. You can then delete or disable that certificate and save your changes. However, this may also affect the functionality of some third-party applications or devices that rely on the UEFI CA 2011 certificate.

    Alternatively, you can use Group Policy to force a custom binding profile that includes PCR 7 and excludes PCR 0, 2, 4. This may require some trial and error to find the optimal profile for your system:

    • Open the Local Group Policy Editor (gpedit.msc) and go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
    • Double-click the Configure TPM platform validation profile for BIOS-based firmware configurations or Configure TPM platform validation profile for native UEFI firmware configurations policy setting, depending on your system type.
    • Select Enabled and then click Show next to the TPM validation profile option.
    • In the Value column, enter the PCR indexes that you want to include in the custom binding profile, separated by commas. For example, if you want to include PCR 7 and exclude PCR 0, 2, 4, enter 7 as the value.
    • Click OK and then click Apply to save the changes.
    This policy setting will apply the custom binding profile to BitLocker when it is turned on for a drive. If BitLocker is already turned on, you may need to suspend and resume BitLocker protection for the policy setting to take effect.

    Learn more about how to do so here: BitLocker Group Policy settings - Windows Security | Microsoft Learn

    If the problem persists, it may be beyond the scope of issues that Microsoft Community can address. Microsoft Q&A, on the other hand, aims to support more advanced issues like yours and is the best resource for further assistance. You can share specific scenarios and ideas to help resolve the problem at Windows 10 - Microsoft Q&A. However, I will keep the thread open in Microsoft Community, as one of our volunteers may have additional insights that could be helpful to you.

    Let me know if you have any other concerns.

    Best regards

    Yuhao Li

    Microsoft Community Technical Support
     
    Yuhao Li - MSFT, May 13, 2025 at 11:07 AM
    #4
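The reply above attributes the fallback to the certificates enrolled in Secure Boot, in particular "Microsoft Corporation UEFI CA 2011". Before touching anything in firmware setup, a defender would want to see exactly which authorities the firmware trusts. The script below is an added example, not code from the thread or from Microsoft: it reads the Secure Boot signature database (`db`) with the built-in `Get-SecureBootUEFI` cmdlet and decodes the `EFI_SIGNATURE_LIST` structures from the UEFI specification into a table of certificate subjects and hash entries. `Read-EfiSignatureDatabase` is a name chosen for this example; it assumes an elevated PowerShell session on UEFI firmware and is read-only. Note that a CA merely being enrolled in `db` is normal on OEM firmware and does not by itself block PCR 7 binding; what the firmware measures into PCR 7 is the authority it actually used to verify a boot component, which is what the filtered TCG log in event 834 records.

```powershell
# Added example (not from the thread): list the certificate authorities and hash
# entries in the Secure Boot signature database. Read-only; run elevated on UEFI firmware.

# Signature-list types from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType)
$SigTypes = @{
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'X509'    # EFI_CERT_X509_GUID: DER-encoded certificate
    'c1c41626-504c-4092-aca9-41f936934328' = 'SHA256'  # EFI_CERT_SHA256_GUID: hash of a boot image
}

function Read-EfiSignatureDatabase {
    # Decodes the named Secure Boot variable (db, dbx, KEK or PK) into one object per entry.
    param([Parameter(Mandatory)][string]$Name)
    $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $pos = 0
    while ($pos -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)
        $typeGuid = [guid]::new([byte[]]$bytes[$pos..($pos + 15)]).ToString()
        $listSize = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed signature list at offset $pos" }
        $type = if ($SigTypes.ContainsKey($typeGuid)) { $SigTypes[$typeGuid] } else { $typeGuid }
        $cur  = $pos + 28 + $hdrSize
        $end  = $pos + $listSize
        while ($cur + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the signature payload
            $owner = [guid]::new([byte[]]$bytes[$cur..($cur + 15)])
            $data  = [byte[]]$bytes[($cur + 16)..($cur + $sigSize - 1)]
            $entry = [ordered]@{ Variable = $Name; Type = $type; Owner = $owner
                                 Subject = $null; NotAfter = $null; Thumbprint = $null }
            if ($type -eq 'X509') {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Subject    = $cert.Subject
                $entry.NotAfter   = $cert.NotAfter
                $entry.Thumbprint = $cert.Thumbprint
            } else {
                $entry.Subject = "<$type entry, $($data.Length) bytes>"
            }
            [pscustomobject]$entry
            $cur += $sigSize
        }
        $pos = $end
    }
}

$db = Read-EfiSignatureDatabase -Name db
$db | Format-Table Type, Subject, NotAfter, Thumbprint -AutoSize

# The reply singles out the third-party "Microsoft Corporation UEFI CA 2011"; report whether it is enrolled.
$thirdPartyCa = $db | Where-Object Subject -like '*UEFI CA 2011*'
if ($thirdPartyCa) { 'UEFI CA 2011 is enrolled in db (expected on most OEM firmware).' }
else               { 'UEFI CA 2011 is not present in db.' }
```

Running the same function with `-Name dbx` lists the revoked hashes and certificates, and `-Name KEK` / `-Name PK` shows who is allowed to update the databases; comparing these with the PCR[7] entries in event 834 tells you which trusted authority signed the component that caused BitLocker to fall back, without changing any firmware setting.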