1 Rookie, 4 Posts

October 8th, 2023 23:36

Device Encryption missing due to "PCR7 Configuration Binding Not Possible" Error

XPS 15 7590

I would like to use the built-in device encryption that comes with Windows 11 Home, but it is not enabled. In System Information, I see these 2 entries:

PCR7 Configuration: Binding Not Possible
Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported

In the Event Viewer, I see these error messages:

Microsoft-Windows-BitLocker-API/Management

Event ID: 835

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority has invalid structure.

The event is expected to be an EV_EFI_VARIABLE_AUTHORITY event. The event data must be formatted as an EFI_VARIABLE_DATA structure with VariableName set to EFI_IMAGE_SECURITY_DATABASEGUID and UnicodeName set to 'db'.

Microsoft-Windows-BitLocker-API/Management

Event ID: 834

BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

How do I resolve this binding error on my device?

1 Rookie, 4 Posts

October 10th, 2023 04:36

Follow up: I managed to resolve this!

A while back, I tried to install WSL on my computer, and kept running into error screens on start up. I had to disable a setting in my BIOS: the "VT for Direct IO" option in the Virtualization sub-menu.

After the fresh install of Windows, I reset my BIOS, but I unchecked that box again to match my old settings.

Apparently unchecking that box adds something to the Secure Boot such that it prevents proper binding of PCR7. Once I re-enabled that checkbox in my BIOS, the PCR7 bindings were fixed, and device encryption turned on! WSL even works just fine.

(edited)

Moderator, 17.8K Posts

October 9th, 2023 10:58

yohohoho,

To receive assistance from Dell chat support, they need to verify the warranty status and ownership. Then you must troubleshoot with them. Click the "Get Help Now" icon on the right to start a live chat session. If already out of warranty, click here for the Dell out of warranty offering.

10 Elder, 30K Posts

October 9th, 2023 11:00

Make sure the system is in UEFI mode (not legacy/CSM) and that secure boot is enabled -- both of those are required.

1 Rookie, 4 Posts

October 10th, 2023 03:28

@ejn63 I have all of the prerequisites for Device Encryption setup and enabled on my system:

My system supports Modern Standby:

> powercfg /a
The following sleep states are available on this system:
    Standby (S0 Low Power Idle) Network Connected
    Hibernate
    Fast Startup

It is a UEFI BIOS

> Confirm-SecureBootUEFI
True

The TPM is set up:

Secure Boot is Enabled:

I recently did a clean install of Windows 11 (formatted drive) and did a factory restore of the BIOS as well.
From what I've read about this, it seems to be caused by BIOS settings or firmware (which Dell provides for this model). I'd like to know from Dell if the XPS 15 7590 actually supports device encryption and if they have implemented it correctly.

1 Message

October 13th, 2023 15:09

Hello, could you explain this part in a bit more detail?

" Apparently checking that box adds something to the Secure Boot such that it prevents proper binding of PCR7. Once I re-enabled that checkbox in my BIOS, the PCR7 bindings were fixed, and device encryption turned on! WSL even works just fine."

We are facing the same issue for approx. 20 devices.

We have checked everything:

UEFI- enabled

TPM- 2.0 active

Secure boot- enabled

Disk - GPT

modern standby- enabled

Suspended protectors and re-enabled

Deleted protectors and re-add

The only thing we didn't try is cleaning the TPM.

The next plan of action is the following: Factory reset > BIOS reset > cleaning the TPM

The question is, after you re-imaged the PC and ran the BIOS reset, did you keep the "VT for Direct IO" option at its default? I know the default configuration is "enabled"; you said you had disabled it. In the end, did you choose to enable it back, or keep it disabled?

1 Rookie, 4 Posts

October 13th, 2023 21:22

@RMG28 

I'll explain the part you asked about and also point you to some resources to fix the "Un-allowed DMA capable bus/devices detected" issue as well.
First, to explain this part:
"Apparently checking the "VT for Direct IO" option box adds something to the Secure Boot such that it prevents proper binding of PCR7. Once I re-enabled that checkbox in my BIOS, the PCR7 bindings were fixed, and device encryption turned on!"

This is a very high-level explanation about the Secure Boot process:
  • During Secure Boot, a number of events happen and are logged to TCG logs.
  • These events happen in a specific order and they have to be logged with a specific structure. All of these are based on a published tech specification, so any BIOS/hardware manufacturer needs to follow them in order to make their machines work with Windows.
  • PCR7 binding is tested by taking measurements in these logs. Literally the hardware will check that a specific event is logged X number of bytes into the logs and query its data
  • If the hardware finds all of the expected logs in the correct place and with the correct size, it will make PCR7 binding possible
Why that BIOS setting prevented PCR7 binding:
  • When I disabled the "VT for Direct IO" option in my BIOS, an additional log was added to the TCG logs
  • This additional log disrupted the expected order and length of logs, so PCR7 was determined to be un-bindable
How I debugged this issue:
I used these PowerShell scripts to query the logs: https://github.com/mattifestation/TCGLogTools

If you download those scripts, you can create a PowerShell script (for example: create-logs.ps1) in the same directory with these contents:

# Load the module from the cloned TCGLogTools directory
Import-Module .\TCGLogTools.psm1

# Read the SRTM boot log, parse it, and dump it as JSON. The pipe has to end the line
# so that Windows PowerShell 5.1 treats the next line as a continuation of the pipeline.
ConvertTo-TCGEventLog -LogBytes (Get-TCGLogContent -LogType SRTMBoot) -MinimizedX509CertInfo |
    ConvertTo-Json -Depth 8 | Out-File 'TCGlog.json'

Run the script in PowerShell, and it will generate your TCG logs in a JSON file.

In my case, this is what the logs had for PCR7 near the end:

...PCR7: [
    {
        "EventType": "EV_SEPARATOR",
        ...
    },
    {
        "EventType": "EV_EFI_ACTION",
        ...
        "Event": "DMA Protection Disabled"
    },
    {
        "EventType": "EV_EFI_VARIABLE_AUTHORITY",
        ...
    }
]
...

If you refer back to the original post for this, you'll note the Event Viewer logs mention that an EV_EFI_VARIABLE_AUTHORITY event was expected after the EV_SEPARATOR event, but there is an EV_EFI_ACTION instead. This is what I was talking about earlier with the logs needing to be in an exact order. I traced the Event data back to the BIOS setting with a Google search.

When I enabled "VT for Direct IO" in the BIOS again, my logs looked like this:

...PCR7: [
    {
        "EventType": "EV_SEPARATOR",
        ...
    },
    {
        "EventType": "EV_EFI_VARIABLE_AUTHORITY",
        ...
    }
]
...

Note the EV_EFI_ACTION was gone, and PCR7 binding was now possible.

You may or may not have the same issue, but looking at the logs and reading the EventViewer logs for BitLocker might help you narrow down the problem. It might be a BIOS setting you need to adjust.

In summary:
  • The default for the "VT for Direct IO" option in the BIOS is enabled
  • I had disabled it and this prevented PCR7 binding
  • After I enabled it, PCR7 binding was made possible and device encryption turned on
----------------

For the "Un-allowed DMA capable" issue, this explains how to whitelist those:
  • To find the problematic devices: https://superuser.com/a/1737561
  • To update the registry and whitelist those devices: https://superuser.com/a/1446556 (start from Whitelist the Devices)

(edited)
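The check described in the post above (the event directly after EV_SEPARATOR in PCR[7] must be an EV_EFI_VARIABLE_AUTHORITY naming the 'db' variable, per Event ID 835 in the original post) can be automated over the JSON dump that the TCGLogTools script produces. The script below is an added example written for this thread; it is not code from the post or from TCGLogTools. It assumes the dump has a top-level "PCR7" key holding the PCR[7] events in log order, as the excerpts above show, and that the authority event's data carries "VariableName" and "UnicodeName" fields as named in the EFI_VARIABLE_DATA structure referenced by Event 835. The two embedded sample logs are constructed to mirror the broken and fixed excerpts.

```python
"""Check the PCR[7] event sequence in a TCGLogTools JSON dump for the structure
BitLocker expects before it will bind to Secure Boot (Event ID 835)."""
import json
import sys

# GUID of the Secure Boot signature database variable 'db'
# (EFI_IMAGE_SECURITY_DATABASE_GUID from the UEFI specification).
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

OK_REASON = "PCR[7] OS Loader Authority event is well-formed; PCR7 binding should be possible"


def check_pcr7_binding(pcr7_events):
    """Return (ok, reason) for a list of PCR[7] events in log order.

    Mirrors the rule the post describes: the event directly after the last
    EV_SEPARATOR must be an EV_EFI_VARIABLE_AUTHORITY whose data names the
    'db' variable (VariableName == EFI_IMAGE_SECURITY_DATABASE_GUID).
    """
    sep_positions = [i for i, ev in enumerate(pcr7_events)
                     if ev.get("EventType") == "EV_SEPARATOR"]
    if not sep_positions:
        return False, "no EV_SEPARATOR found in PCR[7]"
    following = pcr7_events[sep_positions[-1] + 1:]
    if not following:
        return False, "nothing logged after EV_SEPARATOR in PCR[7]"
    first = following[0]
    etype = first.get("EventType")
    if etype != "EV_EFI_VARIABLE_AUTHORITY":
        # The failure from this thread: an extra EV_EFI_ACTION
        # ("DMA Protection Disabled") sits where the authority event should be.
        return False, (f"expected EV_EFI_VARIABLE_AUTHORITY after EV_SEPARATOR, "
                       f"found {etype} with data {first.get('Event')!r}")
    data = first.get("Event")
    if not isinstance(data, dict):
        return False, "EV_EFI_VARIABLE_AUTHORITY data is not an EFI_VARIABLE_DATA structure"
    if str(data.get("VariableName", "")).lower() != EFI_IMAGE_SECURITY_DATABASE_GUID:
        return False, f"VariableName {data.get('VariableName')!r} is not EFI_IMAGE_SECURITY_DATABASE_GUID"
    if data.get("UnicodeName") != "db":
        return False, f"UnicodeName {data.get('UnicodeName')!r} is not 'db'"
    return True, OK_REASON


def check_tcglog_json(text):
    """Parse a dump with the assumed top-level shape ({"PCR7": [...]}) and run the check."""
    log = json.loads(text)
    return check_pcr7_binding(log.get("PCR7", []))


def read_dump(path):
    """Out-File in Windows PowerShell 5.1 writes UTF-16 LE with a BOM by default,
    so sniff the BOM instead of assuming UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


# Constructed samples modelled on the two excerpts in the post; not real log dumps.
BROKEN_LOG = json.dumps({"PCR7": [
    {"EventType": "EV_SEPARATOR", "Event": "00000000"},
    {"EventType": "EV_EFI_ACTION", "Event": "DMA Protection Disabled"},
    {"EventType": "EV_EFI_VARIABLE_AUTHORITY",
     "Event": {"VariableName": EFI_IMAGE_SECURITY_DATABASE_GUID, "UnicodeName": "db"}},
]})

FIXED_LOG = json.dumps({"PCR7": [
    {"EventType": "EV_SEPARATOR", "Event": "00000000"},
    {"EventType": "EV_EFI_VARIABLE_AUTHORITY",
     "Event": {"VariableName": EFI_IMAGE_SECURITY_DATABASE_GUID, "UnicodeName": "db"}},
]})

if __name__ == "__main__":
    # Pass the path to TCGlog.json to check a real dump; otherwise run the samples.
    if len(sys.argv) > 1:
        print(check_tcglog_json(read_dump(sys.argv[1])))
    else:
        for name, sample in (("broken", BROKEN_LOG), ("fixed", FIXED_LOG)):
            print(name, check_tcglog_json(sample))
```

Run it as `python check_pcr7.py TCGlog.json` against the file the PowerShell script wrote. On the broken log it reports the stray EV_EFI_ACTION ("DMA Protection Disabled") in place of the authority event, which is exactly what Event ID 835 complains about; on the fixed log it reports that the authority event is well-formed. If the real dump nests events differently than the excerpts suggest, adjust `check_tcglog_json` to pull the PCR[7] list from wherever the tool placed it; the check itself does not depend on the surrounding layout.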

1 Rookie, 47 Posts

June 27th, 2025 14:29

On my brand-new Tower Plus EBT2250 I'm also facing the same issue, but in my case "VT for Direct IO" is set in the BIOS.

No Events found!
