Windows 10: Device standard encryption - PCR7 binding issue

Discussion in 'AntiVirus, Firewalls and System Security' started by NEONGASHMEN, May 6, 2021.

  1. Device standard encryption - PCR7 binding issue


    I've Windows 10 Home edition, build 19042. I want to encrypt my drives, but in System Information, under encryption support, this message is shown:

    Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/devices detected, Disabled by policy

    I've TPM version 2.0 and Secure Boot is enabled. Is it possible to resolve this issue, and is it possible to enable device encryption somehow?

    :)
     
    NEONGASHMEN, May 6, 2021
    #1
  2. LShel42 Win User

    PCR7 Configuration Binding Not Possible

    I've got Windows 10 Home, Version 10.0.18363 Build 18363. I haven't been having any specific problems, but tonight I looked at my System Information and on the Summary page I noticed a couple of entries that I really don't understand.

    • PCR7 Configuration Binding Not Possible
    • Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected
    Do I have a problem that I'm unaware of? Should I be concerned? What do I do to fix it if necessary? Would appreciate some expert guidance here. Thanks.
     
    LShel42, May 6, 2021
    #2
  3. BalajiP63 Win User
    Device encryption menu not found in settings (Windows 10 Home)

    Hi,

    I turned off the device encryption in settings of Windows 10 Home edition. Once I did that, I was unable to undo it. It took several hours for decryption. After completion, when I tried to turn it on again, the message showed, 'Something went wrong, please try later'. So, I restarted and after that I could not find the Device Encryption menu in the Settings under Update and Security. I couldn't find it by searching for it in the taskbar search option. In the System Information, under item 'Device Encryption Support', the value shown is 'Reasons for failed automatic device encryption: PCM is not usable, PCR7 binding is not supported, PCM is not usable', and under item 'PCR7 Configuration', the value shown is 'PCR7 binding not possible'.

    How can I find the device encryption option again and turn it back on again? Please help me with some suggestions. Thanks in advance.
     
    BalajiP63, May 6, 2021
    #3
  4. GJoker Win User

    PCR7 Configuration Binding Not Possible, Bitlocker event IDs 813, 834

    In our office we are trying to swap over from using McAfee's encryption tool to managing Bitlocker via Workspace One (formerly Airwatch). I was able to successfully apply Bitlocker to two Lenovo models T470s. After those worked, I pushed the same profile over to a test T480s. It went into Bitlocker recovery on every boot. When I went into the system information, I got the following entry for the Device Encryption Support Reasons for failed automatic device encryption field: "PCR7 binding is not supported, Un-allowed DMA capable bus/device(s)"

    I was able to fix the DMA issue by adding the "PCI Express Upstream Switch Port" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses with the appropriate key value. What I can't get working is the PCR7 binding. No matter what I try I still get "PCR7 Configuration Binding Not Possible" on the T480 and T490 models. Whenever I try to encrypt it I get the following messages in the event logs for Bitlocker API:

    Event 813 - "BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'CurrentPolicy' is missing or invalid."
    Event 834 - "BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event."

    I have updated the OS and BIOS. I have ensured that the TPM module and Secure Boot are enabled in the BIOS. I have even toggled them off and back on again to make sure they are on.

    The TPM module appears to be correct:
    wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list

    IsActivated_InitialValue=TRUE
    IsEnabled_InitialValue=TRUE
    IsOwned_InitialValue=TRUE
    ManufacturerId=1229346816
    ManufacturerIdTxt=IFX
    ManufacturerVersion=7.63.3353.0
    ManufacturerVersionFull20=7.63.13.6400
    ManufacturerVersionInfo=SLB9670
    PhysicalPresenceVersionInfo=1.3
    SpecVersion=2.0, 0, 1.16

    I've confirmed Secure Boot both in the system info, manually in the BIOS, and by using the following PowerShell commands:
    PS C:\WINDOWS\system32> Confirm-SecureBootUEFI
    True
    PS C:\WINDOWS\system32> Get-SecureBootPolicy

    Publisher                            Version
    ---------                            -------
    77fa9abd-0359-4d32-bd60-28f4e78f784b       1

    If I try to push Bitlocker and run "Manage-bde -protectors -get %systemdrive%" I get the PCR values 0, 2, 4, 11. If I do it on the T470s I've encrypted I get the proper PCR 7, 11.

    Both are Microsoft Windows 10 Pro version 1909, all current patches applied.

    I suspect something with our image is causing the issue or issues. Normally I would try to pave over our image with a fresh install of Windows 10 to confirm, but with our main office closed I won't be able to re-apply the image to the device after doing so.

    Does anyone have any tips on how to isolate exactly what is causing the PCR7 bind issue?
     
    GJoker, May 6, 2021
    #4
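
The checks described in post #4 (the PCR validation profile reported by manage-bde and BitLocker events 813 and 834) gathered into one script, as an added example that is not part of the original thread. It assumes English manage-bde output and that the events are recorded in the "Microsoft-Windows-BitLocker/BitLocker Management" channel; the function name Get-PcrProfile and the sample text are constructed for illustration.

```powershell
# Constructed sample, shaped like the English output of
# "manage-bde -protectors -get C:" on a machine that fell back to the legacy profile.
$sample = @'
Volume C: [OS]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        0, 2, 4, 11
'@ -split "`r?`n"

# Hypothetical helper: read the PCR list that follows "PCR Validation Profile:"
# and report whether the protector is bound to Secure Boot state (PCR 7).
function Get-PcrProfile {
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count - 1; $i++) {
        if ($Lines[$i] -match 'PCR Validation Profile') {
            $pcrs = [int[]]($Lines[$i + 1].Trim() -split '\s*,\s*')
            [pscustomobject]@{
                Pcrs            = $pcrs -join ', '
                # 7, 11 is the Secure Boot profile; 0, 2, 4, 11 is the fallback
                SecureBootBound = ($pcrs -contains 7) -and ($pcrs -notcontains 0)
            }
        }
    }
}

# Offline run against the constructed sample
Get-PcrProfile -Lines $sample

# Live run: elevated prompt on the affected machine
if ($env:OS -eq 'Windows_NT') {
    Get-PcrProfile -Lines (manage-bde -protectors -get $env:SystemDrive)

    # Assumed channel name for the "BitLocker API" log mentioned in the post
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 813, 834
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
```

Running it on a working and a failing model side by side shows whether the difference is only the PCR profile or also the presence of events 813 and 834.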