Setting up Device Encryption - Reasons for failed automatic device encryption: PCR7 binding is not supported

Marc Leprince 0 Reputation points
2025-12-27T02:42:31.7733333+00:00

Automatic Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected

As far as I can tell - all my settings are correct to have this automatically enable, but for whatever reason I'm still getting this error that PCR7 Configuration "Binding Not Possible". I'm running Windows 11 on MSI BIOS 5 - and I have a TPM 2.0 enabled device. I have these settings:

  • Secure Boot State: On
  • BIOS Mode: UEFI
  • tpm.msc says the status: The TPM is ready for use.
    • I have tried clearing TPM and resetting it and restarting my PC - no changes.

At this point - I'm not sure what else to check/toggle/configure. Can someone help me troubleshoot this issue? I'd like to enable device encryption on my PC.

Windows for home | Windows 11 | Security and privacy

2 answers

  1. Q&A Assist
    2025-12-27T02:42:41.2433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It sounds like you're encountering issues with enabling Automatic Device Encryption due to the PCR7 binding not being supported. Here are a few things to consider based on your setup and the error messages you're receiving:

    1. PCR7 Binding Not Possible: This can occur if BitLocker detects that the early boot components are not signed with the Microsoft Windows PCA 2011 certificate. If any other signature is present on boot code, BitLocker will switch to using a different PCR profile (0, 2, 4, 11) instead of 7, 11. This is a common reason for the binding issue.
    2. Check Secure Boot State: Ensure that Secure Boot is enabled in your BIOS settings. You mentioned that it is, which is good. However, double-check that there are no custom boot loaders or third-party applications that might interfere with the Secure Boot process.
    3. Update Drivers and Firmware: Ensure that your BIOS and chipset drivers are up to date. Sometimes, outdated firmware can cause compatibility issues with TPM and BitLocker.
    4. Un-allowed DMA Devices: If there are any detected un-allowed DMA capable devices, this could also prevent automatic device encryption. You may need to check your device manager for any devices that might be flagged and resolve those issues.
    5. TPM Configuration: Since you have already cleared and reset the TPM, ensure that it is properly initialized and that there are no pending updates or configurations that need to be applied.

    If you've checked all these aspects and the issue persists, you may want to consult with your device manufacturer for further assistance, as they may have specific insights regarding your hardware configuration.




  2. Carl-L 6,885 Reputation points Microsoft External Staff Moderator
    2025-12-27T09:57:30.3266667+00:00

    Hello Marc Leprince,

    Welcome to Microsoft Q&A forum. I'm happy to help.

    I see that you are trying to enable Device Encryption on your computer. As I see in the message, there is an option that you haven't mentioned, which is Modern Standby, and the system detects unallowed DMA devices. Let us try and work on them first.

    • Check if your device supports Modern Standby.
      1. Type "Command Prompt" on the search bar and press Enter.
      2. Type powercfg /a and press Enter.
      3. If you see Standby (S0 Low Power Idle), then your device is supported.
    • Enable Modern Standby by editing registry. Disclaimer: Generally, modifying registry subkeys or work group is intended for advanced users, administrators, and IT Professionals. It can help fix some problems, however, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For further protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click How to back up and restore the registry in Windows - Microsoft Support to view the article.
      1. Type "regedit" in the search bar and press Enter.
      2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Power
      3. Look for "PlatformAoAcOverride". If it doesn't exist, create a new DWORD (32-bit) and name it.
      4. Change the value to 0.
      5. Restart your computer.
    • Check for unallowed DMA devices.
      1. Type "Event Viewer" in the search bar and press Enter.
      2. Navigate to Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management.
      3. Look for any event around the failed check. Commonly the event will have an ID of 4122, and from it you can find the instance ID of the devices.
    • Change Deep Sleep mode in your BIOS. Disclaimer: Microsoft provides no assurances and/or warranties, implied or otherwise, and is not responsible for the information you receive from the third-party linked sites or any support related to technology. If you are going to modify BIOS Settings, please back up all your personal files first to ensure you do not lose data. This might differ depending on your BIOS interface. If you need assistance, please let me know along with a photo of your BIOS. Please remember to remove all personal information before posting.
      1. Go to your BIOS settings.
      2. Go to ACPI settings (or Power Management, depending on your BIOS).
      3. Change Deep Sleep (or "ErP/EuP ready") to Enabled in S4&S5.
      4. Save and exit.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
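
The checks named in the two answers above, gathered into one read-only PowerShell script. This is an added example, not part of either answer or of Microsoft's tooling. It assumes an elevated session and English-language `powercfg` output, and the helper name `Test-S0Available` is hypothetical.

```powershell
# Added example: read-only collection of the prerequisites discussed in this thread.
# Run from an elevated PowerShell prompt. Nothing here changes system state.

function Test-S0Available {
    param([string[]]$PowercfgOutput)
    # "Standby (S0 Low Power Idle)" is also listed in the "not available" section
    # of `powercfg /a`, so only lines before that section header count.
    $inAvailable = $true
    foreach ($line in $PowercfgOutput) {
        if ($line -match 'not available on this system') { $inAvailable = $false }
        if ($inAvailable -and $line -match 'Standby \(S0 Low Power Idle\)') { return $true }
    }
    return $false
}

$report = [ordered]@{}

# Secure Boot state; the cmdlet throws on legacy-BIOS systems, so record the error.
try   { $report['SecureBoot'] = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $report['SecureBoot'] = "unknown: $($_.Exception.Message)" }

# TPM presence and readiness (same information tpm.msc shows).
$tpm = Get-Tpm
$report['TpmPresent'] = $tpm.TpmPresent
$report['TpmReady']   = $tpm.TpmReady

# Modern Standby support, parsed from the section of powercfg /a that lists available states.
$report['ModernStandby'] = Test-S0Available -PowercfgOutput (powercfg /a)

# Current value of the registry override mentioned in the second answer, if present.
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                          -Name PlatformAoAcOverride -ErrorAction SilentlyContinue
$report['PlatformAoAcOverride'] = if ($power) { $power.PlatformAoAcOverride } else { 'not set' }

[pscustomobject]$report | Format-List

# Recent events with ID 4122 from the channel shown in Event Viewer as
# BitLocker-API > Management; the message text names the flagged DMA devices.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 4122
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Saving the output before and after each BIOS or registry change makes it clear which change moved which item in the "Reasons for failed automatic device encryption" line.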

