Start a Conversation



2 Posts


April 1st, 2018 12:00

R730xd, BitLocker, Secure Boot, PCR7 issue

We got in a dozen R730xd servers last year that I am now encrypting with BitLocker. I've done two servers' C:\ drives and got the same problem - BitLocker says it is not using Secure Boot for integrity because issue with PCR7. On both servers (which, btw, boot fine; they do not ask for recovery key):

  • R730xd with BIOS version 2.6.0
  • TPM Enabled
  • TPM Firmware v1.3.0.1
  • TPM Advanced Settings: TPM PPI Bypass Clear: Enabled; TPM PPI Bypass Provision: Enabled; SHA256
  • Secure Boot: Enabled; Standard Settings
  • Legacy Video Disabled
  • Windows Server 2016 Standard (GUI not Core) patched to March 22, 2018.
  • TPM Management Console says TPM is ready for use.
  • Device Manager shows "Trusted Platform Module 2.0" under Security Devices
  • MsInfo says Secure Boot ON.
  • GPO settings applied as per Exchange team article (except for backing up TPM Ownership info to AD cause W2K16 does not do that, but irrelevant to my issue).
  • BitLocker encrypted C: just fine.
  • Recovery Key backed up to AD just fine.
  • manage-bde -status shows: Conversion Status: Used Space Only (as per Exchange team article); % Encrypted: 100%; Encryption Method: XTS-AES 256; Protection Status: On; Lock Status: Unlocked; Identification Field: Unknown; Key Protectors: Numerical Password, TPM.

The problem: These events in BitLocker-API Management log after C: encrypted:

  • Event 812 (Warning)(twice, 18 minutes apart): BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. Error Message: A required privilege is not held by the client.
  • Event 815 (Warning): BitLocker cannot use Secure Boot for integrity because the expected TCG Log separator entry is missing or invalid.
  • Event 834 (Information): BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
  • Events 815 and 834 repeat together about a few times a day in the two days since encrypting C: (no pattern, e.g. no x hours apart)

In addition, manage-bde -protectors -get %systemdrive% shows TPM PCR Validation Profile: 0, 2, 4, 11 and MsInfo reports "PCR7 Configuration: Binding Not Possible."

Based on posts/articles I found researching BitLocker, Secure Boot, PCR7, I ran the following commands with the following results:

  • Confirm-SecureBootUEFI: True
  • Get-SecureBootPolicy: 77fa9abd-0359-4d32-bd60-28f4e78f784b Version 1 - this is correct policy, confirms not in manufacturing mode (MSFT article)

I've seen a few other similar posts (Dell and MSFT forums). What is causing issue - how to diagnose, and how to fix? Is it hardware related? (bad motherboards?) or BIOS version (but the version after 2.6.0 included the spectre fix and Intel/Dell said don't install because fix was bad.)



1 Message

November 15th, 2018 11:00

I've got the same issue. Did you ever find a resolution?

No Events found!