TPM PCR Validation Error causing BitLocker Recovery at Boot
Summary: This article provides information about Trusted Platform Module (TPM) Platform Configuration Register (PCR) Validation Error causing BitLocker Recovery at Boot.
Symptoms
At boot, BitLocker prompts for the recovery key because TPM PCR validation fails.
On a computer with a discrete graphics (GFX) card, BitLocker does NOT use PCR7 binding: System Information (msinfo32) shows the PCR7 Configuration as "Binding Not Possible", and manage-bde shows the TPM protector's PCR Validation Profile as 0, 2, 4, 11 (the legacy profile) instead of 7, 11 (the Secure Boot profile).
Test Steps:
- Boot into BIOS Setup
- Enable Secure Boot
- Enable TPM
- Boot to the operating system
- Press Win + R, type "cmd", and press Ctrl + Shift + Enter to run it as administrator
- Run the command "manage-bde -protectors -get C:" and read the "PCR Validation Profile" line under the TPM protector: "7, 11" means PCR7 binding is in use; "0, 2, 4, 11" means BitLocker has fallen back to the legacy profile

(Figure 1 - Device Manager)

(Figure 2 - PowerShell)

(Figure 3 - System Information)
Cause
A discrete GPU (or any other expansion card) carries an option ROM (OROM) UEFI driver that the UEFI BIOS loads during boot. That driver must be signed, and the firmware must measure its signature into TPM PCR7. BIOS 1.6.0 addresses the security vulnerability by implementing this mechanism in accordance with the TCG and Microsoft requirements.
From the TCG side:
https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf
From the Operating System side:
Microsoft's own documentation on BitLocker Drive Encryption ("BitLocker drive encryption in Windows 10 for OEMs") states:
If the presence of expansion cards (for example, a GFX card) results in OROM UEFI drivers being loaded by the UEFI BIOS during boot, then BitLocker does NOT use PCR7 binding.
BitLocker instead seals the volume key to the legacy profile (PCRs 0, 2, 4, 11), which measures the firmware and option ROM code directly. Any change to that code, such as a BIOS update, produces different PCR values, so the TPM refuses to unseal the key and BitLocker enters recovery at the next boot.
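The following PowerShell script is an added example, not part of the original article; it automates the Test Steps above and reports whether the OS volume is bound to PCR7 or has fallen back to the legacy profile described under Cause. It uses only standard cmdlets (Confirm-SecureBootUEFI, Get-Tpm, Get-BitLockerVolume) and parses the output of manage-bde; the function names and the "PCR Validation Profile" parsing pattern are the example's own assumptions about the manage-bde text layout.

```powershell
#Requires -RunAsAdministrator
# Added example: collects the same data as the manual Test Steps and
# classifies the BitLocker TPM protector's PCR profile. Not article code.

function Get-PcrValidationProfile {
    param([string]$ManageBdeOutput)
    # manage-bde -protectors -get prints, under each TPM-based protector:
    #     PCR Validation Profile:
    #       7, 11
    #       (Uses Secure Boot for integrity validation)
    # Capture the comma-separated PCR list on the line after the heading.
    # (Assumption: English-language manage-bde output.)
    $m = [regex]::Match($ManageBdeOutput, 'PCR Validation Profile:\s*\r?\n\s*([\d, ]+)')
    if (-not $m.Success) { return @() }
    return ($m.Groups[1].Value -split ',') | ForEach-Object { [int]$_.Trim() }
}

function Test-Pcr7Binding {
    param([int[]]$Pcrs)
    # PCR7 binding is in effect when PCR 7 is part of the profile (7, 11).
    # A dGPU whose option ROM cannot be measured into PCR7 forces the
    # legacy profile (0, 2, 4, 11), which changes on every BIOS update.
    return ($Pcrs -contains 7)
}

function Get-BitLockerPcr7Report {
    param([string]$MountPoint = 'C:')

    # Secure Boot state (Test Step: "Enable Secure Boot"). The cmdlet
    # throws on legacy-BIOS systems, so treat that as "not available".
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $null }

    # TPM state (Test Step: "Enable TPM").
    $tpm = Get-Tpm

    # Is there a TPM-based protector on the volume at all?
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # Test Step: manage-bde -protectors -get C:
    $raw  = (& manage-bde.exe -protectors -get $MountPoint) -join "`n"
    $pcrs = Get-PcrValidationProfile -ManageBdeOutput $raw

    $state = if ($tpmProtectors.Count -eq 0) { 'NoTpmProtector' }
             elseif ($pcrs.Count -eq 0)      { 'ProfileNotFound' }
             elseif (Test-Pcr7Binding $pcrs) { 'Pcr7Binding' }
             else                             { 'LegacyProfileFallback' }

    [pscustomobject]@{
        MountPoint        = $MountPoint
        SecureBootEnabled = $secureBoot
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        TpmProtectors     = $tpmProtectors.Count
        PcrProfile        = ($pcrs -join ', ')
        Binding           = $state
    }
}

# Usage: run from an elevated PowerShell prompt.
$report = Get-BitLockerPcr7Report -MountPoint 'C:'
$report | Format-List

if ($report.Binding -eq 'LegacyProfileFallback') {
    Write-Warning "BitLocker is sealed to PCRs $($report.PcrProfile); a BIOS or option ROM update will trigger recovery. Suspend BitLocker (Suspend-BitLocker -MountPoint C:) before updating firmware."
}
```

On an affected machine the report shows Binding = LegacyProfileFallback with PcrProfile = 0, 2, 4, 11, which is exactly what the figures above illustrate; once the dGPU option ROM is signed and measured correctly it shows Pcr7Binding with PcrProfile = 7, 11. The warning branch states the practical consequence: suspend BitLocker before any firmware update while the volume is still bound to the legacy profile.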
