Hello all,
I am running into some issues with a silent push of BitLocker from an Intune Configuration Profile.
The device I am trying it on has the following:
Windows 11 IoT Enterprise
TPM 2.0
Secure Boot State: On
BIOS Mode: UEFI
The device does NOT support Modern Standby S0 Low Power Idle
We are trying to push BitLocker silently and are getting these errors in the BitLocker-API logs:
Event ID 834:
BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
Event ID 813:
BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid.
Event ID 858:
Recovery Password Rotation failed.
Error: The device is not ready..
And this error in the DeviceManagement logs:
Event ID 404:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (ED3040A8-E47F-4E08-8234-19362907BC40), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (BitLocker), Command Type: (SetValue: from Replace), CSP URI: (./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption), Result: (The device is not ready.).
Under System Information I see that PCR7 Configuration is "Binding Not Possible".
manage-bde -protectors -get %systemdrive%
Gives me:
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume C: [Windows]
All Key Protectors
ERROR: No key protectors found.
I am wondering if there is a way to make binding possible for PCR7.
Does PCR7 binding require Modern Standby?
I understand that we will have to do FDE without Modern Standby, but I cannot find any information on whether Modern Standby is a requirement to bind to PCR7, or whether I have some other issue with certificate signing in Secure Boot, as mentioned in this article: https://learn.microsoft.com/en-US/troubleshoot/windows-server/deployment/pcr7-configuration-binding-not-possible.
I have the latest BIOS firmware installed.
Thanks in advance for any assistance,
Rob
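The following PowerShell script is an added example, not part of Rob's post, that gathers in one place the facts the post discusses: TPM presence and version, the Secure Boot state, the current key protectors on the OS volume, and the BitLocker-API events (813, 834, 858) and DeviceManagement event 404 quoted above. It assumes an elevated PowerShell session on the affected Windows 11 device and that the built-in TrustedPlatformModule, SecureBoot and BitLocker modules are available; the event channel names are the standard Windows ones for those logs. Comparing its output with the "PCR7 Configuration" line in msinfo32 narrows down whether the problem is a firmware/TCG-log issue (834/813) or a policy-side failure (404).

```powershell
# Added diagnostic script (not from the original post). Run as Administrator on the device.
# Assumptions: UEFI boot with the Windows-shipped TPM, SecureBoot and BitLocker modules present.

$report = [ordered]@{}

# TPM presence, readiness and spec version (the post states TPM 2.0)
$tpm = Get-Tpm
$report.TpmPresent = $tpm.TpmPresent
$report.TpmReady   = $tpm.TpmReady
$report.TpmSpec    = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion

# Secure Boot state read from the UEFI variable; the cmdlet throws on legacy BIOS boot
try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
catch { $report.SecureBootEnabled = "unavailable: $($_.Exception.Message)" }

# Supported sleep states, to confirm the Modern Standby (S0 Low Power Idle) situation
$report.SleepStates = (powercfg /a) -join "`n"

# Current protector state of the OS volume (the post shows "No key protectors found")
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.VolumeStatus     = $os.VolumeStatus
$report.EncryptionMethod = $os.EncryptionMethod
$report.KeyProtectors    = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

# BitLocker-API events that point at the TCG log / PCR7 problem (IDs taken from the post)
$blLog = 'Microsoft-Windows-BitLocker/BitLocker Management'
$blEvents = Get-WinEvent -FilterHashtable @{ LogName = $blLog; Id = 813, 834, 858 } `
            -MaxEvents 20 -ErrorAction SilentlyContinue

# MDM command failures for the BitLocker CSP (event 404 in the post)
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$mdmEvents = Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Id = 404 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match 'BitLocker' }

# Summary first, then the relevant events with only the first line of each message
[pscustomobject]$report | Format-List

"--- BitLocker-API events 813/834/858 ---"
$blEvents | Select-Object TimeCreated, Id,
    @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize

"--- DeviceManagement event 404 (BitLocker CSP) ---"
$mdmEvents | Select-Object TimeCreated, Id,
    @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize
```

If the 834/813 events keep recurring while Confirm-SecureBootUEFI returns True, the firmware's TCG log for PCR7 is what BitLocker rejects, which is the condition the linked Microsoft article describes; in that case the Intune policy cannot succeed until the PCR7 binding issue is resolved or the profile is changed to a protector configuration that does not depend on PCR7 binding.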