Issues with BitLocker and Intune PCR7 Binding not possible

Rob McLain 25 Reputation points
2023-03-22T20:35:24.4433333+00:00

Hello all,

I am running into some issues with a silent push of BitLocker from Intune Configuration Profile.

The device I am trying it on has the following:

Windows 11 IoT Enterprise

TPM 2.0

Secure Boot State: On

BIOS Mode: UEFI

The device does NOT support Modern Standby S0 Low Power Idle

We are trying to push BitLocker in a silent state and getting this error in BitLocker-API logs:

Event ID 834:

BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.


Event ID 813:

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid.

Event ID 858:

Recovery Password Rotation failed.

Error: The device is not ready..

And getting this error in the DeviceManagement Logs:

Event ID 404:

MDM ConfigurationManager: Command failure status. Configuration Source ID: (ED3040A8-E47F-4E08-8234-19362907BC40), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (BitLocker), Command Type: (SetValue: from Replace), CSP URI: (./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption), Result: (The device is not ready.).

Under System Information I see "PCR7 Configuration: Binding Not Possible".

manage-bde -protectors -get %systemdrive%

Gives me:

BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
All Key Protectors

ERROR: No key protectors found.

I am wondering if there is a way to make binding possible for PCR7.

Does PCR7 binding require Modern Standby?

I understand that we will have to do FDE without Modern Standby, but I cannot find any information on whether Modern Standby is a requirement to bind to PCR7 or if I have some other issue going on with other certificate signing in secure boot as mentioned in this article: https://learn.microsoft.com/en-US/troubleshoot/windows-server/deployment/pcr7-configuration-binding-not-possible.

I have the latest BIOS firmware installed.

Thanks in advance for any assistance,

Rob

3 answers

  1. Simon Ren-MSFT 33,606 Reputation points Microsoft Vendor
    2023-03-23T08:50:27.4133333+00:00

    Hi Rob,

    Thank you for posting in Microsoft Q&A forum.

    Given this situation, we need further troubleshooting. With Q&A limitation, it is suggested to create an online support ticket to get accurate help. Here is the support link:

    https://learn.microsoft.com/en-us/mem/get-support

    Thanks for your understanding and hope everything goes well with you.

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Rob McLain 25 Reputation points
    2023-04-06T14:00:10.5433333+00:00

    Both MS and the OEM have told me that Modern Standby is a requirement for PCR7 binding. I have been able to complete our silent deployment of BitLocker through a combination of a Configuration Profile in Intune and a PowerShell script pushed from Intune. Hope this will save someone else some time in the future.

    https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements

    Rob

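An added example of the kind of Intune-pushed PowerShell preflight-and-enable script the answer above describes; it is not the poster's script or Microsoft's. It assumes an Azure AD-joined, Intune-enrolled device, the built-in BitLocker PowerShell module, a policy that permits a TPM-only protector, and that the script runs elevated (Intune runs it as SYSTEM).

```powershell
# Added example, not the poster's script. Checks the prerequisites that the
# BitLocker-API events in the question relate to, then adds TPM + recovery
# password protectors to the OS drive and escrows the password to Azure AD.
$OsDrive = $env:SystemDrive

# 1. TPM must be present and ready; Secure Boot state decides PCR7 vs legacy binding.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Output "TPM not present or not ready; a TPM protector cannot be created."
    exit 1
}
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
if (-not $secureBoot) {
    Write-Output "Secure Boot is off or unsupported; BitLocker will not bind to PCR7."
}

# 2. Surface the events from the question (813/834: Secure Boot TCG log unusable,
#    858: recovery password rotation failed) so a failure is visible in the
#    Intune script output instead of being retried silently.
$bad = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 813, 834, 858
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
foreach ($e in $bad) {
    Write-Output ("Event {0}: {1}" -f $e.Id, ($e.Message -split "`n")[0])
}

# 3. Add protectors only where they are missing; never remove an existing one.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.KeyProtector.Count -eq 0) {
    Enable-BitLocker -MountPoint $OsDrive -TpmProtector -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest -ErrorAction Stop | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
}
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
}

# 4. Escrow every recovery password to Azure AD so it can be retrieved from Intune.
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
    BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $_.KeyProtectorId
}
Write-Output ("Protectors on {0}: {1}" -f $OsDrive, ($vol.KeyProtector.KeyProtectorType -join ', '))
```

If step 2 reports event 813 or 834, the TPM protector will still be created but sealed to PCR0/2/4/11 rather than PCR7, which is the "Binding Not Possible" state shown in System Information.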

  3. Pavel yannara Mirochnitchenko 12,471 Reputation points MVP
    2023-04-06T14:26:44.0133333+00:00

    Try to configure BitLocker ONLY via the Endpoint Security node and, while altering those settings, select "Allow" on any options where you have a multiple selection like Required/Allowed/Disabled. The problem with Intune is that there are TOO many ways to enable BitLocker in Intune, and I know admins get confused.

