In our office we are trying to swap over from using McAfee's encryption tool to managing BitLocker via Workspace ONE (formerly AirWatch). I was able to successfully apply BitLocker to two Lenovo T470s models. After those worked, I pushed the same profile over to a test T480s. It went into BitLocker recovery on every boot. When I went into System Information, I got the following entry in the "Device Encryption Support" / "Reasons for failed automatic device encryption" field: "PCR7 binding is not supported, Un-allowed DMA capable bus/device(s)"
I was able to fix the DMA issue by adding the "PCI Express Upstream Switch Port" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses with the appropriate key value. What I can't get working is the PCR7 binding. No matter what I try, I still get "PCR7 Configuration Binding Not Possible" on the T480 and T490 models. Whenever I try to encrypt, I get the following messages in the event logs for BitLocker-API:
Event 813 - "BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'CurrentPolicy' is missing or invalid."
Event 834 - "BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event."
I have updated the OS and BIOS. I have ensured that the TPM module and Secure Boot are enabled in the BIOS. I have even toggled them off and back on again to make sure they are on.
The TPM module appears to be correct:
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list
IsActivated_InitialValue=TRUE
IsEnabled_InitialValue=TRUE
IsOwned_InitialValue=TRUE
ManufacturerId=1229346816
ManufacturerIdTxt=IFX
ManufacturerVersion=7.63.3353.0
ManufacturerVersionFull20=7.63.13.6400
ManufacturerVersionInfo=SLB9670
PhysicalPresenceVersionInfo=1.3
SpecVersion=2.0, 0, 1.16
I've confirmed Secure Boot both in System Information, manually in the BIOS, and by using the following PowerShell commands:
PS C:\WINDOWS\system32> Confirm-SecureBootUEFI
True
PS C:\WINDOWS\system32> Get-SecureBootPolicy
Publisher Version
77fa9abd-0359-4d32-bd60-28f4e78f784b 1
If I try to push BitLocker on the T480s and run "manage-bde -protectors -get %systemdrive%", I get the PCR values 0, 2, 4, 11. If I do it on the T470s I've encrypted, I get the proper PCR 7, 11.
Both are Microsoft Windows 10 Pro version 1909, all current patches applied.
I suspect something with our image is causing the issue or issues. Normally I would try to pave over our image with a fresh install of Windows 10 to confirm, but with our main office closed I won't be able to re-apply the image to the device after doing so.
Does anyone have any tips on how to isolate exactly what is causing the PCR7 bind issue? Someone mentioned the tpmtool that is supposed to be included, but it isn't on here, and the only documentation I can find on it is under the Windows 10 server documentation section.
source link: https://social.technet.microsoft.com/Forums/en-US/1bfddcfe-46d2-468e-9db4-e19a37f4d2ab/pcr7-configuration-binding-not-possible-bitlocker-event-ids-813-834?forum=win10itprosecurity
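The checks above (Win32_Tpm, Confirm-SecureBootUEFI, the DmaSecurity\AllowedBuses key, the PCR list from manage-bde, and BitLocker-API events 813/834) can be gathered in one pass so the output from a working T470s can be diffed against a failing T480s. The script below is an added example, not code from the thread or from Microsoft. It assumes an elevated PowerShell session on Windows 10 with the built-in SecureBoot module, that the BitLocker-API events are in the "Microsoft-Windows-BitLocker/BitLocker Management" log, and that a custom PCR profile pushed by policy (the "Configure TPM platform validation profile for native UEFI firmware configurations" setting, stored under HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI) is one image-side cause worth ruling out; that policy key check is an assumption to verify, not something the post confirms.

```powershell
# Added diagnostic script (not from the original thread). Collects the signals the
# post checks by hand so a working and a failing machine can be compared.
# Run in an elevated PowerShell on each machine.

function Get-TpmState {
    # Win32_Tpm is the same class the wmic query in the post reads
    Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' -ClassName Win32_Tpm |
        Select-Object IsActivated_InitialValue, IsEnabled_InitialValue, IsOwned_InitialValue,
                      ManufacturerIdTxt, ManufacturerVersion, SpecVersion
}

function Get-SecureBootState {
    [pscustomobject]@{
        FirmwareType    = $env:firmware_type          # native UEFI boot is required for PCR7 binding
        SecureBootOn    = Confirm-SecureBootUEFI
        PolicyPublisher = (Get-SecureBootPolicy).Publisher
    }
}

function Get-PcrValidationProfile {
    # manage-bde prints "PCR Validation Profile:" with the PCR list on the following line
    $lines = & manage-bde.exe -protectors -get $env:SystemDrive 2>&1
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:') {
            return (($lines[$i + 1] -replace '\s', '') -split ',')
        }
    }
    return @()   # no TPM protector present yet
}

function Get-PlatformValidationPolicy {
    # Assumption to verify: a GPO/MDM platform validation profile in the image would make
    # BitLocker use a custom PCR list (e.g. 0,2,4,11) instead of the default 7,11.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'
    if (Test-Path $key) { Get-ItemProperty $key | Select-Object * -ExcludeProperty PS* } else { $null }
}

function Get-AllowedDmaBuses {
    # The key the post edited to clear the "Un-allowed DMA capable bus/device(s)" reason
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object Name -notlike 'PS*' |
        Select-Object Name, Value
}

function Get-BitLockerApiEvents {
    param([int]$Days = 7)
    # Events 813 and 834 quoted in the post; the 834 message carries the filtered PCR[7] log
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id        = 813, 834
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$report = [ordered]@{
    Tpm        = Get-TpmState
    SecureBoot = Get-SecureBootState
    PcrProfile = (Get-PcrValidationProfile) -join ','
    FvePolicy  = Get-PlatformValidationPolicy
    DmaBuses   = Get-AllowedDmaBuses
    Events     = Get-BitLockerApiEvents
}
$report | ConvertTo-Json -Depth 4
```

Save the JSON from each model and diff them: a machine that binds correctly shows FirmwareType UEFI, SecureBootOn True, PcrProfile "7,11" and no 813/834 events. If FvePolicy is non-null on the failing model, the PCR list came from policy rather than from firmware, which points at the image rather than the hardware.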