Bitlocker-change Binding state

Andreas 1,001 Reputation points


Have a question regarding TPM on some machines.
I can see that PCR7 status = Binding Possible, how do I change this to PCR7 status = Bound ?

Thanks for reply


Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,330 questions
0 comments No comments
{count} vote

Accepted answer
  1. Teemo Tang 11,086 Reputation points

    Hi Andy,
    It is normal that System information -> PCR7 Configuration -> Binding Possible, it is a right state, don’t need to do anything.
    If you see PCR7 Configuration Binding Not Possible, you may need to check it.

    If the system uses Secure Boot for integrity check (PCR[7]), please see the following steps for more diagnosis information.
    The recovery might be triggered by the firmware update package.
    If the system has TPM2.0, PCR [7] support is required. Otherwise, PCR [7] support is optional. Tree EFI Protocol specification has details about PCR [7] support.
    Check to see if this system supports PCR [7] and is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:
    Manage-bde -protectors -get %systemdrive%
    If PCR validation profile shows PCR 7, 11 (Uses Secure Boot for integrity validation), the system is configured correctly.

    If you need PCR7 Configuration Bound, check the following articles for some ideas.
    Intune -Troubleshooting and Learnings
    A Windows 10 device with secure boot enabled shows as Not Compliant in Intune


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Chris 6 Reputation points


    i have the same situation as the thread opener.

    I also see pcr 7 Binding possible.

    Check to see if this system supports PCR [7] and is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:

    Manage-bde -protectors -get %systemdrive%

    When i execute the command i get "no keys found" back.

    Is there a way to configure this keys?!
    I have seen that it´s possible to configure those pcr settings for bitlocker with group policies but i don´t know which and what to configure there.

    Also i have an error in msinfo32 regarding automatic devie encryption,

    **Unterstützung der Geräteverschlüsselung Ursachen dafür, dass die automatische Geräteverschlüsselung nicht erfolgreich war: Fehler bei der Schnittstelle für Hardwaresicherheitstests. Das Gerät unterstützt kein Modern-Standby., Unzulässige DMA-fähige Busse/Geräte erkannt, WinRE ist nicht konfiguriert.****

    It´s German sorry but i hope you can help me with a solution.

    Thanks very much.

    1 person found this answer helpful.

  2. Andreas 1,001 Reputation points

    Hi @Teemo Tang

    Thanks for good information.

    We are using Intune, and want the devices to be automatically "silent" enable bitlocker.
    As far as I can see the machines that does not do this are the ones with "Binding Possible".
    The machines that have "bound" they are configuring bitlocker silently.

    I followed you links, but I don`t see any good explanations when it comes to "is it possible to change from Binding Possible to Bound ?
    Is that like a bios upgrade, is there a bios setting, is there not a setting at all... struggeling to get a clear picture of this.