Windows 10: PCR7 status

Hello, I have some problems with my new laptop. My laptop originally had windows enhanced sign in security turned on and PCR7 status in msinfo32 was bound. Last week my laptop froze on the asus logo screen so I had to force shut it down. After that the laptop booted normally but PCR7 status is now: bounding is possible and also enhanced sign in security disapaered. Has anyone any ideas help me get the ess back working and the PCR7 status to bound. Interestingly in my hyper-v vm the PCR7 status says bound.

:)

 

PCR7 Configuration Binding Not Possible

I've got Windows 10 Home, Version 10.0.18363 Build 18363. I haven't been having any specific problems, but tonight I looked at my System Information and on the Summary page I noticed a couple of entries that I really don't understand.

• PCR7 Configuration Binding Not Possible
• Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected

Do I have a problem that I'm unaware of? Should I be concerned? What do I do to fix it if necessary? Would appreciate some expert guidance here. Thanks.

 

PCR7

What is PCR7 elevation and do I need it?

 

BitLocker error - PCR7 binding is not supported

Hello,



I have an issue with BitLocker not working and advising "PCR7 binding is not supported"

I've undertaken extensive research on the internet to resolve the issue and drawing a blank.

(This laptop was previously using BitLocker without issue prior to me wiping the system and doing a clean install)



When attempting to enable BitLocker on a HP Elitebook G3 1030 running Windows 10 Pro the following error message is receive following reboot.



"BitLocker could not be enabled.

The data drive specified is not set to automatically unlock on the current computer and cannot be unlocked automatically.

C: was not encrypted"



This error message occurs only when I configure BitLocker with the "System Check." (Checking the box when it asks).

The error message is received after reboot.

If I do not select the System Check, it works, but it prompts the user every single reboot to input the recovery key.



Apparently if BitLocker keeps asking for Recovery key at startup even after multiple attempts, one is trapped in a recovery key loop.

You may enter a BitLocker recovery key loop if your device TPM is configured to use PCR (Platform Configuration Register) values that are not the default values (PCR 7 & PCR 11) to which BitLocker binds.



Initial efforts to resolve the situation included:

• Clear the TPM via the BIOS
  
• Removing all partitions on the hard disk using Parted Magic
  
• Clean re-install of Windows 10 via Microsoft website installer
  
• Reset of the BIOS settings
  
• Reinstalling the latest BIOS update
  
• Verifying in the BIOS that Secure Boot is ENABLED
  

Following this I executed the advice from this Microsoft forum to reset TPM protectors

https://learn.microsoft.com/en-us/a...cker-drive-encryption-the-data-drive-specifie

Basically this involved using command prompt to issue the following commands

1. "manage-bde -protectors -delete c: -t TPM"
   
2. "manage-bde -protectors -add c: -tpm"
   

Unfortunately this did not resolve the problem



Issuing the command "manage-bde -protectors -get c:" Reveals that my system is relying on PCR 0, 2, 4, 11 instead of PCR 7, 11



When running "System Information" as administrator the following key information about my system was returned

BIOS Mode = UEFI

Secure Boot State = On

PCR7 Configuration = Binding Not Possible

Device Encryption Support = Reason for failed automatic device encryption: PCR7 binding is not supported.



This website had some useful suggestion that were followed. PCR7 Binding Is Not Supported in Windows 11/10? [Fixed] - MiniTool

Step 1 = I ran "tpm.msc" and it advises "The TPM is ready to use"

Step 2 = The BIOS is configured with UEFI enabled and the system disk partition style is GPT

Step 3 = Secure Boot State = On (as per "System Information")

Step 4 = 4 In command prompt I ran the command "powercfg /a" and receive the message back

"The following sleep states are available on this system:

Standby (S0 Low Power Idle) Network Connected

Hibernate

Fast Startup"



When opening Event Viewer and selecting "Applications and Services Logs -> Microsoft -> Windows -> BitLocker-API -> Management" it lists a string of events with mostly alternating Event ID's as follows:

Event 834 (Information) - BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

Event 816 (Warning) - BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] contains invalid entries.



Out of desperation, I reached out to Microsoft support and one week later I'm still waiting for the next level of suport to contact me.



Does anyone have any advice of what else I can try to resolve this BitLocker issue?