Windows 10: PCR7 Configuration Binding Not Possible, Bitlocker event IDs 813, 834

Discussion in 'AntiVirus, Firewalls and System Security' started by GJoker, Apr 27, 2020.

  1. GJoker Win User

    PCR7 Configuration Binding Not Possible, Bitlocker event IDs 813, 834


    In our office we are trying to swap over from using McAfee's encryption tool to managing Bitlocker via Workspace One (formerly AirWatch). I was able to successfully apply Bitlocker to two Lenovo models T470s. After those worked, I pushed the same profile over to a test T480s. It went into Bitlocker recovery on every boot. When I went into the system information, I got the following entry for the Device Encryption Support Reasons for failed automatic device encryption field: "PCR7 binding is not supported, Un-allowed DMA capable bus/devices"

    I was able to fix the DMA issue by adding the "PCI Express Upstream Switch Port" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses with the appropriate key value. What I can't get working is the PCR7 binding. No matter what I try I still get "PCR7 Configuration Binding Not Possible" on the T480 and T490 models. Whenever I try to encrypt it I get the following messages in the event logs for Bitlocker API:

    Event 813 - "BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'CurrentPolicy' is missing or invalid."
    Event 834 - "BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event."

    I have updated the OS and BIOS. I have ensured that the TPM module and Secure Boot are enabled in the BIOS. I have even toggled them off and back on again to make sure they are on.

    The TPM module appears to be correct:
    wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list

    IsActivated_InitialValue=TRUE
    IsEnabled_InitialValue=TRUE
    IsOwned_InitialValue=TRUE
    ManufacturerId=1229346816
    ManufacturerIdTxt=IFX
    ManufacturerVersion=7.63.3353.0
    ManufacturerVersionFull20=7.63.13.6400
    ManufacturerVersionInfo=SLB9670
    PhysicalPresenceVersionInfo=1.3
    SpecVersion=2.0, 0, 1.16

    I've confirmed Secure Boot both in the system info, manually in the BIOS, and by using the following PowerShell commands:
    PS C:\WINDOWS\system32> Confirm-SecureBootUEFI
    True
    PS C:\WINDOWS\system32> Get-SecureBootPolicy

    Publisher Version
    --------- -------
    77fa9abd-0359-4d32-bd60-28f4e78f784b 1

    If I try to push Bitlocker and run "Manage-bde -protectors -get %systemdrive%" I get the PCR values 0, 2, 4, 11. If I do it on the T470s I've encrypted I get the proper PCR 7, 11.

    Both are Microsoft Windows 10 Pro version 1909, all current patches applied.

    I suspect something with our image is causing the issue or issues. Normally I would try to pave over our image with a fresh install of Windows 10 to confirm, but with our main office closed I won't be able to re-apply the image to the device after doing so.

    Does anyone have any tips on how to isolate exactly what is causing the PCR7 bind issue?

    :)
     
    GJoker, Apr 27, 2020
    #1
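
The comparison described in post #1 (PCR 7, 11 on the working T470s versus 0, 2, 4, 11 on the T480s) can be scripted so every model in a rollout is checked the same way. This is an added example, not part of the thread: the function name `Get-TpmPcrProfile` and the sample lines are constructed, and it assumes English-language `manage-bde` output.

```powershell
# Added example (not from the thread). Parses the English-language text that
# `manage-bde -protectors -get <drive>` prints and reports which PCRs each
# TPM-based protector is sealed to.
function Get-TpmPcrProfile {
    param(
        [Parameter(Mandatory)][string]$Computer,          # label for the report only
        [Parameter(Mandatory)][string[]]$ManageBdeOutput  # lines of tool output
    )
    $text = $ManageBdeOutput -join "`n"
    # The PCR list sits on the line after the "PCR Validation Profile:" label.
    $found = [regex]::Matches($text, 'PCR Validation Profile:\s*((?:\d+\s*,\s*)*\d+)')
    if ($found.Count -eq 0) {
        return [pscustomobject]@{ Computer = $Computer; Pcrs = ''; UsesPcr7 = $false
                                  Verdict = 'no TPM protector with a PCR profile found' }
    }
    foreach ($m in $found) {
        $pcrs = $m.Groups[1].Value -split '\s*,\s*' | ForEach-Object { [int]$_ } | Sort-Object
        $key  = $pcrs -join ','
        $verdict = switch ($key) {
            '7,11'     { 'bound to PCR7 (Secure Boot used for integrity)' }
            '0,2,4,11' { 'not bound to PCR7 (profile seen on the failing T480s)' }
            default    { 'custom or policy-defined profile' }
        }
        [pscustomobject]@{ Computer = $Computer; Pcrs = $key
                           UsesPcr7 = ($pcrs -contains 7); Verdict = $verdict }
    }
}

# Constructed sample output, reduced to the relevant lines.
$t470s = 'Volume C: []', '    TPM:', '      PCR Validation Profile:', '        7, 11'
$t480s = 'Volume C: []', '    TPM:', '      PCR Validation Profile:', '        0, 2, 4, 11'

@(
    Get-TpmPcrProfile -Computer 'T470s' -ManageBdeOutput $t470s
    Get-TpmPcrProfile -Computer 'T480s' -ManageBdeOutput $t480s
) | Format-Table -AutoSize

# On a live machine (elevated prompt):
# Get-TpmPcrProfile -Computer $env:COMPUTERNAME -ManageBdeOutput (manage-bde -protectors -get $env:SystemDrive)
```
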
  2. LShel42 Win User

    PCR7 Configuration Binding Not Possible

    I've got Windows 10 Home, Version 10.0.18363 Build 18363. I haven't been having any specific problems, but tonight I looked at my System Information and on the Summary page I noticed a couple of entries that I really don't understand.

    • PCR7 Configuration Binding Not Possible
    • Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected
    Do I have a problem that I'm unaware of? Should I be concerned? What do I do to fix it if necessary? Would appreciate some expert guidance here. Thanks.
     
    LShel42, Apr 27, 2020
    #2
  3. Zolock Win User
    PCR7 Configuration Binding Not Possible

    Thanks Alex!

    I also built my PC using a Gigabyte motherboard a few years ago (H170 Gaming 3) and was using VeraCrypt (with issues for major Windows updates), until recently when I installed an SSD as my boot drive, with my data on the older HDD. I'm exploring encryption solutions, and found out it is possible to enable the native encryption capabilities from Windows 10 Home (my OS) even if the Bitlocker interface is only available for the Windows Pro versions. (I don't have the option, so I will eventually upgrade Windows to Pro or Enterprise).

    To make my life easy, I purchased the Gigabyte TPM module, but setting it up is far from being a breeze.

    I did have the GPT partition, but had not enabled Secure boot. I worked my way as you mentioned, and did have a hard time with the platform key: (this was the error message I received: Secure Boot can be enabled when Platform is in User Mode. Repeat operation after enrolling Platform Key (PM)). I more or less found the answer here: Can't enable secure boot in BIOS without a Platform Key.

    Finally, after 2 re-boots, I now have the PCR 7 Configuration binding possible.

    I still have one issue left in System Information: Device Encryption Support... Hardware Security Test Interface failed and device is not Modern Standby, Unallowed DMA capable bus/device(s) detected. Looks like I'm not out of the woods!

    I have to find out what this means before forking out 99$ for Bitlocker!

    Thanks for your help!
     
    Zolock, Apr 27, 2020
    #3
  4. Zolock Win User

    PCR7 Configuration Binding Not Possible, Bitlocker event IDs 813, 834

    PCR7 Configuration Binding Not Possible

    Wanting to encrypt my drives, and seeing the same message, I purchased a TPM module and installed it. It is enabled, was cleared, but I'm seeing the same binding not possible message. I would like to fix it. Any ideas?
     
    Zolock, Apr 27, 2020
    #4