1 Vote
Andreas-9700 asked NicholasWong-2617 published

Bitlocker-change Binding state

Hi,

Have a question regarding TPM on some machines.
I can see that PCR7 status = Binding Possible. How do I change this to PCR7 status = Bound?

Thanks for reply

/R
Andy

windows-10-security
0 Votes
TeemoTang-MSFT answered

Hi Andy,
It is normal that System Information -> PCR7 Configuration shows Binding Possible; it is a correct state, and you don't need to do anything.
If you see PCR7 Configuration = Binding Not Possible, you may need to check it.

If the system uses Secure Boot for integrity check (PCR[7]), please see the following steps for more diagnosis information.
The recovery might be triggered by the firmware update package.
If the system has TPM 2.0, PCR [7] support is required. Otherwise, PCR [7] support is optional. The EFI Protocol specification has details about PCR [7] support.
Check to see if this system supports PCR [7] and is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:
Manage-bde -protectors -get %systemdrive%
If PCR validation profile shows PCR 7, 11 (Uses Secure Boot for integrity validation), the system is configured correctly.

If you need PCR7 Configuration Bound, check the following articles for some ideas.
Intune -Troubleshooting and Learnings
https://neroblanco.co.uk/2020/05/intune-troubleshooting-and-learnings/
A Windows 10 device with secure boot enabled shows as Not Compliant in Intune
https://docs.microsoft.com/en-US/troubleshoot/mem/intune/secure-boot-enabled-device-shows-not-compliant


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes
Andreas-9700 answered TeemoTang-MSFT commented

Hi @TeemoTang-MSFT

Thanks for good information.

We are using Intune, and we want the devices to automatically ("silently") enable BitLocker.
As far as I can see, the machines that do not do this are the ones with "Binding Possible".
The machines that have "Bound" are configuring BitLocker silently.

I followed your links, but I don't see any good explanation when it comes to "is it possible to change from Binding Possible to Bound?"
Is it something like a BIOS upgrade, is there a BIOS setting, is there no setting at all... I'm struggling to get a clear picture of this.

/R
Andy


If your environment is using Intune, you'd better add an Intune-related tag to your post; then an Intune engineer will see this case and give their ideas. If you use the Windows 10 security tag, we prefer to discuss Windows 10 built-in security functions and roles, such as Windows Defender or BitLocker.

0 Votes 0 ·

Hi,

I understand, but I believe my question is not directly related to Intune.

This is what I am wondering about: "I followed your links, but I don't see any good explanation when it comes to 'is it possible to change from Binding Possible to Bound?'
Is it something like a BIOS upgrade, is there a BIOS setting, is there no setting at all?... I'm struggling to get a clear picture of this."

Thanks again for reply.

/R
Andy

0 Votes 0 ·

Please update the firmware to the latest version and make sure your computer uses TPM 2.0.

1 Vote 1 ·
1 Vote
Chris-8395 answered NicholasWong-2617 published

Hello.

I have the same situation as the thread opener.

I also see PCR7 = Binding Possible.

Check to see if this system supports PCR [7] and is used by BitLocker/Device Encryption by issuing the following command from an elevated command prompt:

Manage-bde -protectors -get %systemdrive%

When I execute the command I get "no keys found" back.

Is there a way to configure these keys?!
I have seen that it's possible to configure those PCR settings for BitLocker with group policies, but I don't know which ones and what to configure there.

Also I have an error in msinfo32 regarding automatic device encryption:

Device Encryption Support: Reasons for automatic device encryption not succeeding: Hardware Security Test Interface failed. The device does not support Modern Standby., Un-allowed DMA-capable buses/devices detected, WinRE is not configured.

(The original message is in German, sorry, but I hope you can help me with a solution.)

Thanks very much.


Yes, I have this problem too.

0 Votes 0 ·
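The checks TeemoTang-MSFT lists (TPM 2.0, Secure Boot, the manage-bde protector list) and the two symptoms Chris-8395 reports ("no keys found" and the Device Encryption Support reasons in msinfo32) can be collected in one place. The script below is an added example written for this thread; it is not code from the thread or from Microsoft. It assumes an elevated PowerShell session on Windows 10/11 with the built-in BitLocker and SecureBoot modules, and it assumes an English display language for the msinfo32 report (the label regexes would not match the German strings shown above). The function name Get-Pcr7Diagnostics and the temp file name are my own choices. Note that msinfo32 only reports "Bound" once a TPM key protector has actually been sealed to PCR[7], so a volume with no protectors ("no keys found") will sit at "Binding Possible" even when the firmware side is fully correct.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic example (not from the thread or from Microsoft).
# Assumes: Windows 10/11, elevated session, English UI for msinfo32 labels.

function Get-Pcr7Diagnostics {
    [CmdletBinding()]
    param(
        # Volume to inspect; defaults to the OS drive, like the
        # "manage-bde -protectors -get %systemdrive%" step in the thread.
        [string]$MountPoint = $env:SystemDrive
    )

    $r = [ordered]@{}

    # 1. TPM presence and spec version. PCR[7] binding is required only for TPM 2.0.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $r.TpmPresent     = [bool]$tpm
    $r.TpmSpecVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # 2. Secure Boot state. PCR[7] measures the Secure Boot policy, so it must be on.
    try   { $r.SecureBoot = Confirm-SecureBootUEFI }
    catch { $r.SecureBoot = $false }   # legacy BIOS / CSM boot throws here

    # 3. msinfo32 report: "PCR7 Configuration" and "Device Encryption Support" live here.
    #    The report is UTF-16 text with "Label<TAB>Value" lines (hypothetical temp file name).
    $report = Join-Path $env:TEMP 'pcr7-msinfo32.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" `
                  -Wait -WindowStyle Hidden
    $r.Pcr7Configuration       = $null
    $r.DeviceEncryptionSupport = $null
    foreach ($line in (Get-Content -Path $report -Encoding Unicode)) {
        if ($line -match '^PCR7 Configuration\s+(.+)$')        { $r.Pcr7Configuration       = $Matches[1].Trim() }
        if ($line -match '^Device Encryption Support\s+(.+)$') { $r.DeviceEncryptionSupport = $Matches[1].Trim() }
    }
    Remove-Item -Path $report -ErrorAction SilentlyContinue

    # 4. BitLocker protectors on the volume. An empty list is what manage-bde
    #    reports as "no keys found".
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $r.ProtectionStatus = $vol.ProtectionStatus.ToString()
    $r.KeyProtectors    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # 5. Plain-language assessment, in the order a defender would rule things out.
    if (-not $r.TpmPresent) {
        $r.Assessment = 'No TPM visible to Windows; BitLocker cannot seal to PCR[7].'
    } elseif (-not $r.SecureBoot) {
        $r.Assessment = 'Secure Boot is off; enable it in firmware before expecting PCR[7] binding.'
    } elseif ($r.Pcr7Configuration -eq 'Bound') {
        $r.Assessment = 'A TPM protector is already sealed to PCR[7]; nothing to change.'
    } elseif ($r.Pcr7Configuration -eq 'Binding Possible' -and $r.KeyProtectors -notcontains 'Tpm') {
        $r.Assessment = 'Firmware side is fine; "Binding Possible" becomes "Bound" once BitLocker creates a TPM protector on this volume. Check DeviceEncryptionSupport for why silent enablement has not run.'
    } else {
        $r.Assessment = 'Review the DeviceEncryptionSupport reasons and firmware settings (TPM 2.0, Secure Boot, DMA protection, WinRE).'
    }

    [pscustomobject]$r
}

# Usage (elevated): Get-Pcr7Diagnostics | Format-List
```

Run it on one machine that shows "Bound" and one that shows "Binding Possible" and compare the KeyProtectors and DeviceEncryptionSupport fields; in the situations described in this thread the difference is usually that the "Bound" machines already have a Tpm protector, while the others never got past the Device Encryption Support blockers (Modern Standby, DMA-capable devices, WinRE), which no firmware toggle for PCR7 itself will clear.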