Hi Andy,
It is normal for System Information -> PCR7 Configuration to show "Binding Possible". That is a correct state, and you don't need to do anything.
If you see PCR7 Configuration "Binding Not Possible", you may need to check it.
If the system uses Secure Boot for integrity check (PCR[7]), please see the following steps for more diagnosis information.
The recovery might be triggered by the firmware update package.
If the system has TPM 2.0, PCR[7] support is required. Otherwise, PCR[7] support is optional. The TrEE EFI Protocol specification has details about PCR[7] support.
Check whether this system supports PCR[7] and whether it is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:
Manage-bde -protectors -get %systemdrive%
If the PCR validation profile shows PCR 7, 11 (Uses Secure Boot for integrity validation), the system is configured correctly.
If you need PCR7 Configuration Bound, check the following articles for some ideas.
Intune - Troubleshooting and Learnings
https://neroblanco.co.uk/2020/05/intune-troubleshooting-and-learnings/
A Windows 10 device with secure boot enabled shows as Not Compliant in Intune
https://learn.microsoft.com/en-US/troubleshoot/mem/intune/secure-boot-enabled-device-shows-not-compliant
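The manage-bde check described in the answer above can be scripted; the following is an added example, not part of the original answer. Get-PcrProfile is a hypothetical helper name, the sample output is constructed, and the parsing assumes English-language manage-bde output.

```powershell
# Added example: parse the PCR validation profile from manage-bde output.
# Get-PcrProfile is a hypothetical helper; labels are localized, English is assumed.
function Get-PcrProfile {
    param([string[]]$Lines)   # output of: manage-bde -protectors -get <drive>
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'PCR Validation Profile') {
            # The PCR list follows the label, on the same line or the next non-empty one.
            $rest = ($Lines[$i] -replace '.*PCR Validation Profile:?', '').Trim()
            $j = $i + 1
            while (-not $rest -and $j -lt $Lines.Count) { $rest = $Lines[$j].Trim(); $j++ }
            $pcrs = @([regex]::Matches($rest, '\d+') | ForEach-Object { [int]$_.Value })
            # Only the first TPM-based protector is reported.
            return [pscustomobject]@{
                Pcrs           = $pcrs
                UsesSecureBoot = ($pcrs.Count -eq 2) -and ($pcrs -contains 7) -and ($pcrs -contains 11)
            }
        }
    }
    return $null   # no protector with a PCR validation profile
}

# Constructed sample output (the protector ID is a placeholder).
$sample = @'
Volume C: [Windows]
All Key Protectors

    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)
'@ -split "`r?`n"

$result = Get-PcrProfile -Lines $sample
# On a live system, from an elevated prompt, use instead:
# $result = Get-PcrProfile -Lines (manage-bde -protectors -get $env:SystemDrive)

if (-not $result) {
    'No key protector with a PCR validation profile was found.'
} elseif ($result.UsesSecureBoot) {
    'PCR validation profile is 7, 11: Secure Boot is used for integrity validation.'
} else {
    "PCR validation profile is $($result.Pcrs -join ', '), not 7, 11: diagnose further."
}
```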