Windows 10: BitLocker error - PCR7 binding is not supported

Hello, I have an issue with BitLocker not working and advising "PCR7 binding is not supported"I've undertaken extensive research on the internet to resolve the issue and drawing a blank.This laptop was previously using BitLocker without issue prior to me wiping the system and doing a clean install When attempting to enable BitLocker on a HP Elitebook G3 1030 running Windows 10 Pro the following error message is receive following reboot. "BitLocker could not be enabled.The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked aut

:)

 

PCR7 Configuration Binding Not Possible

I've got Windows 10 Home, Version 10.0.18363 Build 18363. I haven't been having any specific problems, but tonight I looked at my System Information and on the Summary page I noticed a couple of entries that I really don't understand.

• PCR7 Configuration Binding Not Possible
• Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected

Do I have a problem that I'm unaware of? Should I be concerned? What do I do to fix it if necessary? Would appreciate some expert guidance here. Thanks.

 

PCR7 Configuration Binding Not Possible, Bitlocker event IDs 813, 834

In our office we are trying to swap over from using McAfee's encryption tool to managing Bitlocker via Workspace One (formerly Airwatch). I was able to successfully apply Bitlocker to two Lenovo models T470s. After those worked, I pushed the same profile
over to a test T480s. It went into Bitlocker recover on every boot. When I went into the system information, I got the following entry for the Device Encryption Support Reasons for failed automatic device encryption field: "PCR7 binding is not supported, Un-allowed
DMA capable bus/device(s)"

I was able to fix the DMA issue by adding the "PCI Express Upstream Switch Port" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses with the appropriate key value. What I can't get working is the PCR7 binding. No matter
what I try I still get "PCR7 Configuration Binding Not Possible" on the T480 and T490 models. Whenever I try to encrypt it I get the following messages in the event logs for Bitlocker API:

Event 813 - "BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'CurrentPolicy' is missing or invalid."
Event 834 - "BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event."

I have updated the OS and BIOS. I have ensured that the the TPM module and Secure Boot are enabled in the BIOS. I have even toggled them off and back on again to make sure they are on.

The TPM module appears to be correct:
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list

IsActivated_InitialValue=TRUE
IsEnabled_InitialValue=TRUE
IsOwned_InitialValue=TRUE
ManufacturerId=1229346816
ManufacturerIdTxt=IFX
ManufacturerVersion=7.63.3353.0
ManufacturerVersionFull20=7.63.13.6400
ManufacturerVersionInfo=SLB9670
PhysicalPresenceVersionInfo=1.3
SpecVersion=2.0, 0, 1.16

I've confirmed the SecureBoot both in the system info, manually in the BIOS, and by using the following powershell commands:
PS C:\WINDOWS\system32> Confirm-SecureBootUEFI
True
PS C:\WINDOWS\system32> Get-SecureBootPolicy

Publisher Version
--------- -------
77fa9abd-0359-4d32-bd60-28f4e78f784b 1

If I try to push Bitlocker and run "Manage-bde -protectors -get %systemdrive%" I get the PCR values 0, 2, 4, 11. If I do it on the t470s I've encrypted I get the proper PCR 7, 11.

Both are Microsoft Windows 10 Pro version 1909, all current patches applied.

I suspect something with our image is causing the issue or issues. Normally I would try to pave over our image with a fresh install of Windows 10 to confirm, but with our main office closed I won't be able to re-apply the image to the device after doing
so.

Does anyone have any tips on how to isolate exactly what is causing the PCR7 bind issue?

 

Bitlocker keeps crashing my PC

See if troubleshooting this error message makes a difference:

Code:

Modify the Dell suggested steps to MSI: (see video)
https://www.dell.com/community/XPS/X...7412306/page/2


https://docs.microsoft.com/en-us/win...%20DMA%20ports.