Platform Configuration Register 7 Binding Not Possible Message When Used with TPM and BitLocker
Summary: Information about Platform Configuration Register (PCR) 7 giving a "PCR 7 binding not possible" message when used with TPM and BitLocker.
Symptoms
Cause
This is working as designed according to Microsoft.
The BIOS extends the certificates for any option ROMs (OROMs) in the system to determine the value of PCR7. If this value contains a third-party UEFI CA, PCR7 is not allowed and 0,2,4,11 is requested instead. This means that any system with a PCI graphics, network, or storage controller that has an OROM triggers this process and reverts to the 0,2,4,11 value. In a laptop configuration where the OROM is built into the system BIOS, this procedure is not triggered and PCR7 is supported. In a system with a PCI graphics card, the procedure is triggered and the system reverts to 0,2,4,11. The same applies to any computer with a PCI graphics solution or another PCI card with an OROM.
Resolution
PCR7
Microsoft recommends that you use PCR 0,2,4,11.
More information can be found in the following Microsoft knowledge article: Windows Server Shows PCR7 Configuration as "Binding not Possible"
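To confirm which profile a volume's TPM protector is actually sealed to, the following added example (not part of the original article and not Dell or Microsoft code) parses the text printed by `manage-bde -protectors -get` and classifies it as PCR7 binding or the 0,2,4,11 fallback described above. The function name `Get-PcrProfile` and the sample text are constructed for illustration, and English-language `manage-bde` output is assumed.

```powershell
# Added example: classify the PCR validation profile of a BitLocker TPM protector.
# Assumption: English-language output from `manage-bde -protectors -get <volume>`.

function Get-PcrProfile {
    param([Parameter(Mandatory)][string[]]$ManageBdeOutput)

    $lines = $ManageBdeOutput -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile:\s*(.*)$') {
            # The PCR list is either on the same line or on the following line.
            $list = $Matches[1]
            if ((-not $list.Trim()) -and (($i + 1) -lt $lines.Count)) {
                $list = $lines[$i + 1]
            }
            $pcrs = @([regex]::Matches($list, '\d+') |
                      ForEach-Object { [int]$_.Value } | Sort-Object)

            $binding = if (($pcrs -join ',') -eq '0,2,4,11') {
                'Fallback profile 0,2,4,11 (PCR7 binding not in use)'
            } elseif (($pcrs -contains 7) -and ($pcrs -contains 11)) {
                'PCR7 binding (Secure Boot integrity validation)'
            } else {
                'Custom profile (check BitLocker Group Policy)'
            }
            # Emit one object per TPM-based protector found in the output.
            [pscustomobject]@{ Pcrs = $pcrs; Binding = $binding }
        }
    }
}

# Constructed sample output for a system with an add-in card OROM (placeholder ID).
$sample = @'
    TPM:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        0, 2, 4, 11
'@

Get-PcrProfile -ManageBdeOutput $sample

# Live check from an elevated prompt:
#   Get-PcrProfile -ManageBdeOutput (manage-bde -protectors -get C:)
```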