This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 65%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hi all,
Continuation of the topic https://learn.microsoft.com/en-us/answers/questions/999137/defender-onboarding-co-management.html and a guide in it I believe.
What I wanted to achieve is to apply automatically bitlocker through Co-Management. All is set fine, devices are co managed. After understanding all from previous post, we managed to clean the workloads and there were no further conflicts. Policies for bitlocker arrived to device which I could see for example through Intune or regedit (key saying require encryption was set to 1) etc.
We were sure policies do apply.
In event viewer Bitlocker API, for my two devices I was getting two entries:
Bitlocker encryption doesn't happen automagically at all. What is even weirder, is that TPM 2.0 UEFI and all that settings were on, except for secure boot.
Troubleshooting so far was to:
These settings are all very related and coordinating the selections is important. The BitLocker CSP documentation has a brief note that says “Only one of the additional authentication options can be required at startup, otherwise an error occurs.” That error will be a “Policy Conflict”, because if you Require any one of these then you CANNOT Allow anything else. So we’ll Require TPM, and set the other three to “Do not allow
This removed the 1st error, so the DMA one.
Secondly, I've turned secure boot on one of two machines and tested if secure boot is really needed
From that point I have verified if TPM and all other components are setup correctly and they were in 99%!
the only issue was that Key protectors were empty, for every built device, these are factory new, built and connected with co management devices, user connected to them
I ran manage-bde -protectors c: -get to validate that 7,11 are the PCR used - And this is the ONLY missing thing, it was simply empty. In my understanding is that if TPM owner is known, if system works properly, hardware and all that stuff is put in place, this should populate on its own. It didn't, so I ran the following:
manage-bde -protectors c: -delete -t tpm
manage-bde -protectors c: -add -tpm
This didn't still trigger any auto apply both on Secure Boot enabled and disabled device. I've switched off the enabled one, and after logging back in I've received
I ran out of ideas what is happening. What I assume is that somehow the policy is not able to start the auto encryption, but why?
My workaround was to run a TS from MECM
It worked in few minutes on both Secure Boot Enabled and Disabled devices. I know the supremacy of MECM in many aspects, but the general decision is to unify security and some policies in one place, that would be cloud. This means it is only a temporary solution... Can someone give me some hints what could I test later on when I will be trying to do it via cloud again?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Heimdallr , Thanks for posting. I am glad to hear that our first error is resolved. For your second error based on my research, I find a known issue in the following link:
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues#issue-6
It seems we have enabled silent Bitlocker drive encryption which requires the secure boot to be turned on and the PCR7 measures the state of secure boot.
From your troubleshooting, I know the PCR is empty. I think it's the cause of our issue. I notice we have tried to delete the key protection methods and add it back. Could you let us know if the PCR Validation Profile include 7 after this action?
Meanwhile, please type msinfo32 to see if the "Secure Boot State" is On. If the setting is Unsupported. then means we can't use Silent BitLocker Encryption on this device. You can change to use manually enable Bitlocker policy instead on these devices.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks again for awesome answer and help.
Unfortunately still nothing. I think, that for some reason secure boot is not being read correctly
So, I had two scenarios in this test.
First, had binding poissible for PCR7, according to Msinfo, nothing helped, it was device after previous tests.
Today I've used a new device, also freshly built, also same problems. It has PCR7 as binding not possible though.
I've tried to register protectors on it and it did all, except for 7. Then, in your link there was a guide on how registry should look. I was missing few keys, notably:
AllowStandardUserEncryption, and AllowWarningForOtherDiskEncryption - I've added them and rebooted device to speed up the process. When I logged in, I was thrown information that my disk cannot be encrypted (the same error as on screenshot above) and after entering CMD, protectors that were set to all these numbers except 7, were removed. It returned to "None Found" state. I understood that what I did was to apply that via user who didn't have access to do that, and that the method is used in Autopilot...so It was basically a wrong direction.
So the status that we got is: We build device via MECM, do a co management on it, it can receive Intune configuration, for example wallpaper, it is onboarded to defender, device has protectors off.
In two tests, one caught the PCR7 one didn't. In both cases bitlocker doesn't trigger on its own and eventviewer shows the same events 834 and 839.
@Heimdallr , Thanks for your update.
From the first test, I know the device can't be with PCR7 binding. As TPM with PCR 7 is one of the hardware requirement, the failure will be expected.
https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements
After researching, I find there's a group policy can set PCR7, maybe you can try:
For the second test, it seems one device with PCR7 also didn't trigger Bitlocker with event 834, 839. Based on my research, I find a similar case. It seems Bitlocker debug log is needed for analysis. As Intune support, I am not familiar with it. So still suggest to contact windows support to get more help.
https://learn.microsoft.com/en-us/answers/questions/46556/pcr7-configuration-binding-not-possible-bitlocker.html
I notice "windows-10-security" tag is added. we can wait some days to see if any windows support can be involved. If not, you can contact our Phone support to help this:
https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2
Thanks for your understanding and have a nicer day!
I found out one peculiar thing - All my Dell models have issues with auto triggering while one HP that I randomly picked didn't. It encrypted properly via Defender.
I found out this article https://forum.xda-developers.com/t/fix-un-allowed-dma-capable-bus-device-s-detected.4321643/ and it seems like some option, but as you can see it is hard to implement it massively (or at least I don't see an easy way to do that, not a scripting guy)
After doing that on faulty Dell, my Device Encryption Support in MSinfo, changed message from the DMA buses that are not trusted (or something similar) to a "Reasons for failed automatic device encryption: PCR7 Binding is not supported"
Eventviewer:
834 - Bitlocker determined that the TCG log is invalid for use of secure boot. The filtered TCG log for PCR[7] is included in this event
839 - Bitlocker cannot use secure boot for integrity because the TCG Log entry for the OS loader authority is invalid.
The signature contained in the EFI_Signature_Data structure from the OS Authority event could not be found in the verified certificate chain for the boot loader
Under investigation now.
@Heimdallr , Thanks for your update.
For the article you provided, based on my understanding, it seems to bypass some affected options to enable System Information message.
From your decryption, I notice the message currently changes and it indicates that automatic device encryption is not support on the device. BitLocker cannot use PCR [7] Then we can see the events we got. Here is a link describe this for your reference::
https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/954cf796-a640-4134-b742-eaf0ed2663ff
Experiencing similar problem with Dell Laptops. Was there a resolution or are you presently using Task Sequence method to enable encryption?
I am talking to Dell support. I will update this topic with information when I will hopefully solve this, or if I won't
Hello.
I have fixed half of my errors.
https://forum.xda-developers.com/t/fix-un-allowed-dma-capable-bus-device-s-detected.4321643/ <--- This solves the Unallowed BUS problem, however all my models suffering this issue, have also Binding not possible on PCR7 with EventViewer ID 839:
BitLocker cannot use Secure Boot for integrity because the TCG Log entry for the OS Loader Authority is invalid.
The signature contained in the EFI_SIGNATURE_DATA structure from the OS authority event could not be found in the verified certificate chain for the boot loader.
I am working on it right now to figure that out. After that I will need to make whole thing automatic
Will update when next milestone will be reached