I recently did a clean install of Windows 11 (formatted drive) and did a factory restore of the BIOS as well.
From what I've read about this, it seems to be caused by BIOS settings or firmware (which Dell provides for this model). I'd like to know from Dell if the XPS 15 7590 actually supports device encryption and if they have implemented it correctly.
I'll explain the part you asked about and also point you to some resources to fix the "Un-allowed DMA capable bus/devices detected" issue as well.
First, to explain this part:
"Apparently checking the "VT for Direct IO" option box adds something to the Secure Boot such that it prevents proper binding of PCR7. Once I re-enabled that checkbox in my BIOS, the PCR7 bindings were fixed, and device encryption turned on!"
This is a very high-level explanation about the Secure Boot process:
During Secure Boot, a number of events happen and are logged to TCG logs.
These events happen in a specific order and they have to be logged with a specific structure. All of these are based on a published tech specification, so any BIOS/hardware manufacturer needs to follow them in order to make their machines work with Windows.
PCR7 binding is tested by taking measurements in these logs. Literally, the hardware will check that a specific event is logged X number of bytes into the logs and query its data.
If the hardware finds all of the expected logs in the correct place and with the correct size, it will make PCR7 binding possible.
Why that BIOS setting prevented PCR7 binding:
When I disabled the "VT for Direct IO" option in my BIOS, an additional log was added to the TCG logs.
This additional log disrupted the expected order and length of logs, so PCR7 was determined to be un-bindable.
How I debugged this issue:
I used these PowerShell scripts to query the logs: https://github.com/mattifestation/TCGLogTools
If you download those scripts, you can create a PowerShell script (for example: create-logs.ps1) in the same directory with these contents:
If you refer back to the original post for this, you'll note the Event Viewer logs mention that an EV_EFI_VARIABLE_AUTHORITY event was expected after the EV_SEPARATOR event, but there is an EV_EFI_ACTION instead. This is what I was talking about earlier with the logs needing to be in an exact order. I traced the event data back to the BIOS setting with a Google search.
When I enabled "VT for Direct IO" in the BIOS again, my logs looked like this:
Note the EV_EFI_ACTION was gone, and PCR7 binding was now possible.
You may or may not have the same issue, but looking at the logs and reading the EventViewer logs for BitLocker might help you narrow down the problem. It might be a BIOS setting you need to adjust.
In summary:
The default for the "VT for Direct IO" option in the BIOS is enabled
I had disabled it and this prevented PCR7 binding
After I enabled it, PCR7 binding was made possible and device encryption turned on
----------------
For the "Un-allowed DMA capable" issue, this explains how to whitelist those:
To find the problematic devices: https://superuser.com/a/1737561
To update the registry and whitelist those devices: https://superuser.com/a/1446556 (start from Whitelist the Devices)
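The event-order rule the explanation above relies on (in PCR7, the EV_SEPARATOR event must be followed by EV_EFI_VARIABLE_AUTHORITY, and a stray EV_EFI_ACTION in that slot breaks binding), as an added stand-alone Python example that is not code from the post or from TCGLogTools: it parses the crypto-agile TCG_PCR_EVENT2 log layout and applies that rule to PCR7. The two sample logs are constructed inline, and the check implements only the ordering rule described in the post, not BitLocker's full validation.

```python
import struct
# Event type values from the TCG PC Client Platform Firmware Profile specification.
EV_SEPARATOR = 0x00000004
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001
EV_EFI_ACTION = 0x80000007
EV_EFI_VARIABLE_AUTHORITY = 0x800000E0
NAMES = {EV_SEPARATOR: "EV_SEPARATOR", EV_EFI_ACTION: "EV_EFI_ACTION", EV_EFI_VARIABLE_AUTHORITY:
         "EV_EFI_VARIABLE_AUTHORITY", EV_EFI_VARIABLE_DRIVER_CONFIG: "EV_EFI_VARIABLE_DRIVER_CONFIG"}
DIGEST_LEN = {0x0004: 20, 0x000B: 32}  # TPM_ALG_SHA1, TPM_ALG_SHA256

def parse_event2(buf, off):
    """Parse one crypto-agile TCG_PCR_EVENT2 at buf[off:]; return (pcr, type, data, next_off)."""
    pcr, etype, count = struct.unpack_from("<III", buf, off)
    off += 12
    for _ in range(count):  # TPML_DIGEST_VALUES: algorithm id followed by the raw digest
        (alg,) = struct.unpack_from("<H", buf, off)
        off += 2 + DIGEST_LEN[alg]
    (size,) = struct.unpack_from("<I", buf, off)
    off += 4
    return pcr, etype, buf[off:off + size], off + size

def parse_log(buf):
    """Skip the SHA1-format Spec ID header event, then return every (pcr, type, data) in log order."""
    (size,) = struct.unpack_from("<I", buf, 28)  # header layout: pcr(4) type(4) sha1(20) size(4) data
    off, events = 32 + size, []
    while off < len(buf):
        pcr, etype, data, off = parse_event2(buf, off)
        events.append((pcr, etype, data))
    return events

def check_pcr7_order(events):
    """Rule from the post: the PCR7 event right after EV_SEPARATOR must be EV_EFI_VARIABLE_AUTHORITY."""
    pcr7 = [etype for pcr, etype, _ in events if pcr == 7]
    for i, etype in enumerate(pcr7):
        if etype == EV_SEPARATOR:
            nxt = pcr7[i + 1] if i + 1 < len(pcr7) else None
            if nxt != EV_EFI_VARIABLE_AUTHORITY:
                found = "nothing" if nxt is None else NAMES.get(nxt, hex(nxt))
                return False, f"expected EV_EFI_VARIABLE_AUTHORITY after EV_SEPARATOR, found {found}"
            return True, "PCR7 sequence as expected"
    return False, "no EV_SEPARATOR in PCR7"

def ev(pcr, etype, data=b""):
    """Build one constructed TCG_PCR_EVENT2 carrying a single all-zero SHA256 digest."""
    return struct.pack("<IIIH", pcr, etype, 1, 0x000B) + bytes(32) + struct.pack("<I", len(data)) + data

# Constructed sample logs, not real firmware output; BAD_LOG carries the extra EV_EFI_ACTION
# the post saw with "VT for Direct IO" disabled.
HEADER = struct.pack("<II", 0, 0x3) + bytes(20) + struct.pack("<I", 16) + b"Spec ID Event03\0"
GOOD_LOG = HEADER + ev(7, EV_EFI_VARIABLE_DRIVER_CONFIG, b"SecureBoot") + ev(7, EV_SEPARATOR, bytes(4)) \
    + ev(7, EV_EFI_VARIABLE_AUTHORITY, b"db")
BAD_LOG = HEADER + ev(7, EV_EFI_VARIABLE_DRIVER_CONFIG, b"SecureBoot") + ev(7, EV_SEPARATOR, bytes(4)) \
    + ev(7, EV_EFI_ACTION, b"action") + ev(7, EV_EFI_VARIABLE_AUTHORITY, b"db")
```

To run it against a real machine, read one of the binary logs from C:\Windows\Logs\MeasuredBoot into `buf` and call `check_pcr7_order(parse_log(buf))`; this assumes those files use the same crypto-agile layout with the Spec ID header event first.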
Event Viewer for Bitlocker-API
Information Microsoft-Windows-BitLocker-API 893 None
BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
Warning Microsoft-Windows-BitLocker-API 813 None
BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'CurrentPolicy' is missing or invalid.
Information Microsoft-Windows-BitLocker-API 881 None
The signature contained in the EFI_SIGNATURE_DATA structure from the TCG Log OS Loader Authority event could not be found in the verified certificate chain for the boot manager.
yohohoho | 1 Rookie | 4 Posts | 1 | October 10th, 2023 04:36
Follow up: I managed to resolve this!
A while back, I tried to install WSL on my computer, and kept running into error screens on start up. I had to disable a setting in my BIOS: the "VT for Direct IO" option in the Virtualization sub-menu.
After the fresh install of Windows, I reset my BIOS, but I unchecked that box again to match my old settings.
Apparently unchecking that box adds something to the Secure Boot such that it prevents proper binding of PCR7. Once I re-enabled that checkbox in my BIOS, the PCR7 bindings were fixed, and device encryption turned on! WSL even works just fine.
(edited)
DELL-Jesse L | Moderator | 17.9K Posts | 0 | October 9th, 2023 10:58
yohohoho,
To receive assistance from Dell chat support, they need to verify the warranty status and ownership. Then you must troubleshoot with them. Click the "Get Help Now" icon on the right to start a live chat session. If already out of warranty, click here for the Dell out of warranty offering.
ejn63 | 10 Elder | 30.5K Posts | 0 | October 9th, 2023 11:00
Make sure the system is in UEFI mode (not legacy/CSM) and that secure boot is enabled -- both of those are required.
yohohoho | 1 Rookie | 4 Posts | 0 | October 10th, 2023 03:28
@ejn63 I have all of the prerequisites for Device Encryption setup and enabled on my system:
My system supports Modern Standby:
> powercfg /a
The following sleep states are available on this system:
Standby (S0 Low Power Idle) Network Connected
Hibernate
Fast Startup
It is a UEFI BIOS
> Confirm-SecureBootUEFI
True
The TPM is set up:
Secure Boot is Enabled:
RMG28 | 1 Message | 0 | October 13th, 2023 15:09
Hello could you explain a bit in detail this part?
" Apparently checking that box adds something to the Secure Boot such that it prevents proper binding of PCR7. Once I re-enabled that checkbox in my BIOS, the PCR7 bindings were fixed, and device encryption turned on! WSL even works just fine."
We are facing the same issue for approx. 20 devices.
We have checked everything:
UEFI - enabled
TPM - 2.0 active
Secure Boot - enabled
Disk - GPT
Modern Standby - enabled
Suspended protectors and re-enabled
Deleted protectors and re-added
Only clearing the TPM we didn't try.
The next plan of action is the following: Factory reset > BIOS reset > clearing the TPM
The question is, after you re-imaged the PC and ran the BIOS reset, did you keep the "VT for Direct IO" option at its default? I know the default configuration is "enabled"; you said you had disabled it. In the end, did you choose to enable it back, or keep it disabled?
yohohoho | 1 Rookie | 4 Posts | 2 | October 13th, 2023 21:22
@RMG28
(edited)
Gilles.P | 1 Rookie | 48 Posts | 1 | June 27th, 2025 14:29
On my brand-new Tower Plus EBT2250 I'm also facing the same issue but in my case, "VT for Direct IO" is set in the BIOS.
ks04 | 1 Rookie | 3 Posts | 0 | February 23rd, 2026 15:46
@Gilles.P I have the same problem on my brand new EBT2250 as well.
Were you able to resolve on your end?
I see the following on the system:
Event Viewer for Bitlocker-API
System Information Related Details
OS Name Microsoft Windows 11 Home
Version 10.0.26200 Build 26200
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Name XYZ
System Manufacturer Dell Inc.
System Model Dell Tower Plus EBT2250
System Type x64-based PC
System SKU 0CD8
Processor Intel(R) Core(TM) Ultra 7 265K, 3900 Mhz, 20 Core(s), 20 Logical Processor(s)
BIOS Version/Date Dell Inc. 1.13.0, 1/7/2026
SMBIOS Version 3.8
Embedded Controller Version 1.04
BIOS Mode UEFI
BaseBoard Manufacturer Dell Inc.
BaseBoard Product 02D3NT
BaseBoard Version A00
Platform Role Desktop
Secure Boot State On
PCR7 Configuration Binding Not Possible
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume3
Locale United States
Hardware Abstraction Layer Version = "10.0.26100.1"
User Name XYZ\user
Time Zone Eastern Standard Time
Installed Physical Memory (RAM) 32.0 GB
Total Physical Memory 31.5 GB
Available Physical Memory 17.8 GB
Total Virtual Memory 36.5 GB
Available Virtual Memory 18.7 GB
Page File Space 5.00 GB
Page File C:\pagefile.sys
Kernel DMA Protection On
Virtualization-based security Running
Virtualization-based security Required Security Properties Base Virtualization Support
Virtualization-based security Available Security Properties Base Virtualization Support, Secure Boot, DMA Protection, Secure Memory Overwrite, UEFI Code Readonly, SMM Security Mitigations 1.0, Mode Based Execution Control, APIC Virtualization
Virtualization-based security Services Configured Hypervisor enforced Code Integrity
Virtualization-based security Services Running Hypervisor enforced Code Integrity
App Control for Business policy Enforced
App Control for Business user mode policy Audit
Automatic Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Un-allowed DMA capable bus/device(s) detected
A hypervisor has been detected. Features required for Hyper-V will not be displayed.
I've tried many things to no avail.
At this point I'm suspecting Dell needs to update the firmware to be compatible.
So I'll wait for the next release.
Gilles.P | 1 Rookie | 48 Posts | 0 | February 23rd, 2026 15:57
@ks04
Unfortunately not.
Note that I've missed the "accepted solution" post notification.
Have you tried it?
ks04 | 1 Rookie | 3 Posts | 1 | February 23rd, 2026 16:03
@Gilles.P
Same situation as yourself, "VT for Direct IO" was and is already enabled. :(
Let's hope Dell can do something for us here.
DellLongTimeUser | 1 Rookie | 2 Posts | 1 | February 24th, 2026 08:21
Yep. Just got a new EBT2250 and same problem as above. Don't understand why the PC cannot be shipped to be working with disk encryption. This should be a standard feature for 2026 (need to protect our data). Agree hoping Dell can do something...
DellLongTimeUser | 1 Rookie | 2 Posts | 0 | February 27th, 2026 08:09
The solution is to spend $99 and upgrade to Windows 11 Pro. Then I can use BitLocker directly and encrypt the main drive.
I chatted with Dell customer support and they said the PC was working as "expected" and did not have a solution (see message below). The addition of a graphics card caused the PCR value to not match the expected one, and so it could not be used. It still looks like a Dell issue that they should solve, but for $99 (and I wanted BitLocker for external drives) it was well worth the investment and I was able to move forward.
Actual message:
"Hope you are doing good, as checked the details with our engineering team the system BIOS evaluates certificates contained within optional ROMs—such as those used by PCI graphics cards, network adapters, or storage controllers—to determine whether PCR7 can be utilized. If a third party certificate is detected, PCR7 cannot be enabled, and the system automatically falls back to using PCR 0, 2, 4, and 11. Systems equipped with PCI add on cards that include their own independent firmware may trigger this fallback behavior. This is expected and operates according to design specifications."