Bitlocker-change Binding state

Andreas 1,301 Reputation points
2021-03-09T21:22:42.907+00:00

Hi,

I have a question regarding the TPM on some machines.
I can see that PCR7 status = Binding Possible; how do I change this to PCR7 status = Bound?

Thanks for reply

/R
Andy

Windows 10 Security

Accepted answer
  1. Teemo Tang 11,336 Reputation points
    2021-03-10T02:40:08.21+00:00

    Hi Andy,
    It is normal for System Information -> PCR7 Configuration to show Binding Possible; it is a correct state, and you don't need to do anything.
    If you see PCR7 Configuration Binding Not Possible, you may need to check it.

    If the system uses Secure Boot for integrity check (PCR[7]), please see the following steps for more diagnosis information.
    The recovery might be triggered by the firmware update package.
    If the system has TPM 2.0, PCR [7] support is required. Otherwise, PCR [7] support is optional. The EFI Protocol specification has details about PCR [7] support.
    Check whether this system supports PCR [7] and whether it is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:
    Manage-bde -protectors -get %systemdrive%
    If PCR validation profile shows PCR 7, 11 (Uses Secure Boot for integrity validation), the system is configured correctly.

    If you need PCR7 Configuration Bound, check the following articles for some ideas.
    Intune -Troubleshooting and Learnings
    https://neroblanco.co.uk/2020/05/intune-troubleshooting-and-learnings/
    A Windows 10 device with secure boot enabled shows as Not Compliant in Intune
    https://learn.microsoft.com/en-US/troubleshoot/mem/intune/secure-boot-enabled-device-shows-not-compliant

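    One way to read the same information from PowerShell, as an added example written for this thread (not code from the thread or from Microsoft): it reports Secure Boot and TPM state and the PCR validation profile of the OS volume's TPM-based protectors through the Win32_EncryptableVolume WMI class, which is what manage-bde -protectors -get prints as "PCR Validation Profile". It assumes an elevated PowerShell session on Windows 10 with the BitLocker feature installed.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic (not from the thread). Reports whether the OS volume's TPM protector
# is bound to Secure Boot (PCR 7) or to the legacy PCR 0,2,4 measurements.
function Get-Pcr7BindingReport {
    param([string]$DriveLetter = $env:SystemDrive)   # Win32_EncryptableVolume uses "C:" style
    $r = [ordered]@{
        DriveLetter    = $DriveLetter
        SecureBootOn   = $false
        TpmReady       = $false
        TpmProtectors  = 0
        PcrProfile     = @()
        UsesSecureBoot = $false     # true when PCR 7 is in the profile ("7, 11" in manage-bde)
        Note           = ''
    }

    # Firmware and TPM prerequisites for a PCR[7] binding.
    try   { $r.SecureBootOn = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBootOn = $false }                # legacy BIOS / unsupported firmware throws
    $r.TpmReady = [bool](Get-Tpm).TpmReady

    # The same provider manage-bde talks to.
    $vol = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                           -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { $r.Note = 'no encryptable volume found'; return [pscustomobject]$r }

    # KeyProtectorType 0 = enumerate every protector on the volume.
    $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                             -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
    if (-not $ids) {   # the "no keys found" case from the thread: BitLocker was never set up here
        $r.Note = 'no key protectors on this volume'; return [pscustomobject]$r
    }

    foreach ($id in $ids) {
        $type = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                                  -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
        if ($type -notin 1, 4, 5, 6) { continue }    # 1 TPM, 4 TPM+PIN, 5 TPM+key, 6 TPM+PIN+key
        $r.TpmProtectors += 1
        $pcrs = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorPlatformValidationProfile `
                                  -Arguments @{ VolumeKeyProtectorID = $id }).PlatformValidationProfile
        $r.PcrProfile     = @($pcrs | Sort-Object -Unique)
        $r.UsesSecureBoot = ($r.PcrProfile -contains 7)
    }
    if ($r.TpmProtectors -eq 0) { $r.Note = 'protectors exist, but none is TPM-based' }
    return [pscustomobject]$r
}

Get-Pcr7BindingReport | Format-List
```

    A profile of 7, 11 means the TPM protector is sealed to the Secure Boot policy measurement, which is the state the thread calls "Bound"; 0, 2, 4, 11 means the older firmware-code measurements are in use.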

2 additional answers

  1. Chris 6 Reputation points
    2021-10-06T16:11:44.543+00:00

    Hello.

    I have the same situation as the thread opener.

    I also see PCR 7 Binding Possible.

    Check to see if this system supports PCR [7] and is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:

    Manage-bde -protectors -get %systemdrive%

    When I execute the command I get "no keys found" back.

    Is there a way to configure these keys?!
    I have seen that it's possible to configure those PCR settings for BitLocker with group policies, but I don't know which ones and what to configure there.

    Also I have an error in msinfo32 regarding automatic device encryption:

    **Unterstützung der Geräteverschlüsselung Ursachen dafür, dass die automatische Geräteverschlüsselung nicht erfolgreich war: Fehler bei der Schnittstelle für Hardwaresicherheitstests. Das Gerät unterstützt kein Modern-Standby., Unzulässige DMA-fähige Busse/Geräte erkannt, WinRE ist nicht konfiguriert.**

    It's German, sorry, but I hope you can help me with a solution.

    Thanks very much.


  2. Andreas 1,301 Reputation points
    2021-03-10T07:25:01.413+00:00

    Hi @Teemo Tang

    Thanks for the good information.

    We are using Intune, and want the devices to enable BitLocker automatically and silently.
    As far as I can see, the machines that do not do this are the ones with "Binding Possible".
    The machines that show "Bound" are configuring BitLocker silently.

    I followed your links, but I don't see any good explanation when it comes to "is it possible to change from Binding Possible to Bound?"
    Is that like a BIOS upgrade, is there a BIOS setting, is there no setting at all... struggling to get a clear picture of this.

    /R
    Andy