PCR7 Configuration Binding Not Possible, Bitlocker event IDs 813, 834

Question

Wednesday, April 29, 2020 3:24 PM

In our office we are trying to swap over from using McAfee's encryption tool to managing BitLocker via Workspace ONE (formerly AirWatch). I was able to successfully apply BitLocker to two Lenovo T470s models. After those worked, I pushed the same profile over to a test T480s. It went into BitLocker recovery on every boot. When I went into the system information, I got the following entry in the "Device Encryption Support: Reasons for failed automatic device encryption" field: "PCR7 binding is not supported, Un-allowed DMA capable bus/device(s)"

I was able to fix the DMA issue by adding the "PCI Express Upstream Switch Port" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses with the appropriate key value. What I can't get working is the PCR7 binding. No matter what I try, I still get "PCR7 Configuration Binding Not Possible" on the T480 and T490 models. Whenever I try to encrypt, I get the following messages in the event logs for BitLocker-API:

Event 813 - "BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'CurrentPolicy' is missing or invalid."

Event 834 - "BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event."

I have updated the OS and BIOS. I have ensured that the TPM module and Secure Boot are enabled in the BIOS. I have even toggled them off and back on again to make sure they are on.

The TPM module appears to be correct:

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list

IsActivated_InitialValue=TRUE
IsEnabled_InitialValue=TRUE
IsOwned_InitialValue=TRUE
ManufacturerId=1229346816
ManufacturerIdTxt=IFX
ManufacturerVersion=7.63.3353.0
ManufacturerVersionFull20=7.63.13.6400
ManufacturerVersionInfo=SLB9670
PhysicalPresenceVersionInfo=1.3
SpecVersion=2.0, 0, 1.16

I've confirmed Secure Boot in the system info, manually in the BIOS, and by using the following PowerShell commands:

PS C:\WINDOWS\system32> Confirm-SecureBootUEFI
True

PS C:\WINDOWS\system32> Get-SecureBootPolicy

Publisher                            Version
---------                            -------
77fa9abd-0359-4d32-bd60-28f4e78f784b       1

If I try to push BitLocker on the T480s and run "manage-bde -protectors -get %systemdrive%", I get the PCR values 0, 2, 4, 11. If I do it on the T470s I've encrypted, I get the proper PCR 7, 11.

Both are Microsoft Windows 10 Pro version 1909, all current patches applied.

I suspect something in our image is causing the issue or issues. Normally I would try to pave over our image with a fresh install of Windows 10 to confirm, but with our main office closed I won't be able to re-apply the image to the device after doing so.

Does anyone have any tips on how to isolate exactly what is causing the PCR7 bind issue? Someone mentioned the tpmtool that is supposed to be included, but it isn't on here, and the only documentation I can find on it is under the Windows 10 Server documentation section.

All replies (2)

Thursday, April 30, 2020 6:11 AM ✅Answered

Hi,

 

If it's not 7,11, then you likely are either not using UEFI+Secure Boot (perhaps UEFI in CSM mode instead?) or the certificates in Secure Boot are preventing binding (if there's more than one root certificate, for instance, BitLocker won't bind to PCR7 because it cannot verify which root authority is the proper authority).

 

There are ways to read the TCG log and the register data for the PCRs, but the easiest way to start troubleshooting is to enable all the debug BitLocker logs in the event viewer and then use manage-bde on a clean machine of that type to see what BitLocker wants to do on its own; in the logs you should see "why" it chooses what it does.

 

Hope the above information helps.

Please remember to mark the replies as answers if they help.
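The checks the question runs by hand (Win32_Tpm, Confirm-SecureBootUEFI, manage-bde's PCR validation profile, the DmaSecurity\AllowedBuses key, events 813/834) and the two things the reply says to look at (legacy/CSM boot, and which X.509 entries Secure Boot's db trusts) can be gathered in one pass. The script below is an added example for this thread, not a Microsoft tool or anything posted by either participant. It assumes three things: that the 813/834 events live in the "Microsoft-Windows-BitLocker/BitLocker Management" channel, that manage-bde prints the PCR list on the line after "PCR Validation Profile:" (as in the output quoted in the question), and that the db variable is laid out as an array of EFI_SIGNATURE_LIST structures per the UEFI specification. Run it elevated on both a working T470s and a failing T480s and diff the two objects.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread (not from the original post). Collects the
# facts a PCR7-binding investigation needs into a single object.

function Get-SecureBootX509Entries {
    # Walks the EFI_SIGNATURE_LIST array stored in a Secure Boot variable and
    # returns each X.509 entry. Layout per UEFI spec:
    #   SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32
    #   | SignatureSize u32 | header[SignatureHeaderSize]
    #   | n * (SignatureOwner GUID(16) + SignatureData)
    param([ValidateSet('db', 'KEK', 'PK')][string]$Variable = 'db')
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $off = 0
    while ($off + 28 -le $bytes.Length) {
        $type     = [guid][byte[]]$bytes[$off..($off + 15)]
        $listSize = [BitConverter]::ToUInt32($bytes, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $off + 24)
        if ($listSize -lt 28) { break }   # malformed list; do not loop forever
        if ($type -eq $x509Guid) {
            $p = $off + 28 + $hdrSize
            while ($p + $sigSize -le $off + $listSize) {
                # Skip the 16-byte SignatureOwner GUID; the rest is DER.
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                }
                $p += $sigSize
            }
        }
        $off += $listSize
    }
}

function Get-TpmPcrProfile {
    # Assumed manage-bde layout: the PCR list is on the line following
    # "PCR Validation Profile:" (e.g. "7, 11" on a bound machine, "0, 2, 4, 11" otherwise).
    param([string]$Drive = $env:SystemDrive)
    $lines = & manage-bde.exe -protectors -get $Drive 2>&1
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') {
            return ([string]$lines[$i + 1]).Trim()
        }
    }
    return $null
}

function Get-Pcr7Readiness {
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
    $tpm = Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm
    # Channel name is an assumption; adjust if your BitLocker-API events are elsewhere.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 813, 834
    } | Select-Object -First 10 TimeCreated, Id, Message
    $dmaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
    $dmaBuses = if (Test-Path $dmaKey) { (Get-Item $dmaKey).Property } else { @() }
    $dbCerts  = try { @(Get-SecureBootX509Entries -Variable db) } catch { @() }

    [pscustomobject]@{
        FirmwareType          = $env:firmware_type           # 'UEFI' or 'Legacy' (CSM)
        SecureBootOn          = $secureBoot
        TpmSpecVersion        = $tpm.SpecVersion
        TpmEnabled            = $tpm.IsEnabled_InitialValue
        PcrProfile            = Get-TpmPcrProfile
        DbX509Entries         = $dbCerts.Count
        DbIssuers             = ($dbCerts.Issuer | Sort-Object -Unique) -join '; '
        DmaAllowedBuses       = $dmaBuses -join '; '
        RecentBitLockerEvents = $events
    }
}

Get-Pcr7Readiness | Format-List
```

On a machine that binds correctly you expect FirmwareType=UEFI, SecureBootOn=True and PcrProfile "7, 11"; a "0, 2, 4, 11" profile with 813/834 events in RecentBitLockerEvents is the failing state the question describes, and the DbIssuers list tells you at a glance whether the firmware trusts more than the usual Microsoft and OEM roots.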


Thursday, April 30, 2020 12:11 PM

Yeah, looking at the logs I figured out what the issue was. When McAfee MNE was pulled, it pushed DEP. It wasn't supposed to do that. That was keeping PCR7 from binding.