  • Message 1 of 13

PCR7 errors on all workstations above T470s.

2020-04-23, 16:03 PM

We are trying to transition from using McAfee's encryption on our devices to using BitLocker managed via WorkSpace One (formerly Airwatch). It rolled out with absolutely no issues on the T470 devices I rolled it out to. When I tried with the T480 device, I got the following message in the system info for the device:

Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Un-allowed DMA capable bus/device(s)

I was able to fix the DMA issue by adding the "PCI Express Upstream Switch Port" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses with the appropriate key value. What I can't get working is the PCR7 binding. No matter what I try I still get "PCR7 Configuration Binding Not Possible" on the T480 and T490 models. I'll post the full system info at the bottom. Whenever I try to encrypt it I get the following messages in the event logs for BitLocker API:

Event 813 - "BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'CurrentPolicy' is missing or invalid."
Event 834 - "BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event."

I have updated the OS and BIOS. I have ensured that the TPM module and Secure Boot are enabled in the BIOS.

MSinfo32 Summary

OS Name Microsoft Windows 10 Pro

Version 10.0.18363 Build 18363

Other OS Description  Not Available

OS Manufacturer Microsoft Corporation

System Name (Removed)

System Manufacturer LENOVO

System Model 20L8S3WT01

System Type x64-based PC

System SKU LENOVO_MT_20L8_BU_Think_FM_ThinkPad T480s

Processor Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz, 1896 Mhz, 4 Core(s), 8 Logical Processor(s)

BIOS Version/Date LENOVO N22ET62W (1.39 ), 2/18/2020

SMBIOS Version 3.0

Embedded Controller Version 1.08

BIOS Mode UEFI

BaseBoard Manufacturer LENOVO

BaseBoard Product 20L8S3WT01

BaseBoard Version SDK0J40697 WIN

Platform Role Mobile

Secure Boot State On

PCR7 Configuration Binding Not Possible

Windows Directory C:\WINDOWS

System Directory C:\WINDOWS\system32

Boot Device \Device\HarddiskVolume1

Locale United States

Hardware Abstraction Layer Version = "10.0.18362.752"

User Name (Removed)

Time Zone Eastern Daylight Time

Installed Physical Memory (RAM) 8.00 GB

Total Physical Memory 7.84 GB

Available Physical Memory 2.89 GB

Total Virtual Memory 11.7 GB

Available Virtual Memory 6.12 GB

Page File Space 3.88 GB

Page File C:\pagefile.sys

Kernel DMA Protection Off

Virtualization-based security Running

Virtualization-based security Required Security Properties  

Virtualization-based security Available Security Properties Base Virtualization Support, Secure Boot, DMA Protection, Secure Memory Overwrite, UEFI Code Readonly, SMM Security Mitigations 1.0, Mode Based Execution Control

Virtualization-based security Services Configured  

Virtualization-based security Services Running  

Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported

A hypervisor has been detected. Features required for Hyper-V will not be displayed. 

The TPM module appears to be correct:
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:list

IsActivated_InitialValue=TRUE
IsEnabled_InitialValue=TRUE
IsOwned_InitialValue=TRUE
ManufacturerId=1229346816
ManufacturerIdTxt=IFX
ManufacturerVersion=7.63.3353.0
ManufacturerVersionFull20=7.63.13.6400
ManufacturerVersionInfo=SLB9670
PhysicalPresenceVersionInfo=1.3
SpecVersion=2.0, 0, 1.16

I've confirmed Secure Boot in the system info, manually in the BIOS, and with the following PowerShell commands:
PS C:\WINDOWS\system32> Confirm-SecureBootUEFI
True
PS C:\WINDOWS\system32> Get-SecureBootPolicy

Publisher                            Version
---------                            -------
77fa9abd-0359-4d32-bd60-28f4e78f784b       1

Any help would be greatly appreciated.
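A read-only diagnostic script, added here as an illustration and not taken from the post or from Lenovo, that collects in one pass the evidence the post gathers by hand on a device reporting "PCR7 Configuration Binding Not Possible": Secure Boot state, TPM state, the msinfo32 PCR7 line, BitLocker-API events 813 and 834, and the DmaSecurity\AllowedBuses entries. The BitLocker event channel name is an assumption; run it from an elevated prompt.

```powershell
# Added example (not from the thread). Read-only: nothing is changed.
$report = [ordered]@{}

# 1. Secure Boot state, the same check the post ran.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = "n/a ($($_.Exception.Message))" }

# 2. TPM state from the same WMI class the post's wmic query used.
$tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm
$report.TpmEnabled   = $tpm.IsEnabled_InitialValue
$report.TpmActivated = $tpm.IsActivated_InitialValue
$report.TpmSpec      = $tpm.SpecVersion
$report.TpmFirmware  = $tpm.ManufacturerVersion

# 3. PCR7 binding status as msinfo32 reports it; a text export is the
#    reliable way to read it from a script.
$tmp = Join-Path $env:TEMP 'msinfo32_pcr7.txt'
Start-Process msinfo32.exe -ArgumentList "/report `"$tmp`"" -Wait
$pcr7 = Select-String -Path $tmp -Pattern 'PCR7 Configuration' | Select-Object -First 1
$report.Pcr7 = if ($pcr7) { $pcr7.Line.Trim() } else { '(not found in report)' }
Remove-Item $tmp -ErrorAction SilentlyContinue

# 4. The two BitLocker-API events the post quotes, from the last 7 days.
#    Assumed channel name: the BitLocker-API > Management log.
$report.TcgLogEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 813, 834
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }

# 5. The Kernel DMA allow-list the post edited by hand. Each value name is a
#    friendly bus name and its data is that bus's PCI hardware ID.
$dmaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
$report.AllowedDmaBuses = if (Test-Path $dmaKey) {
    (Get-ItemProperty $dmaKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Name) = $($_.Value)" }
} else { '(key absent)' }

$report | Format-List
$report.TcgLogEvents | Format-Table -AutoSize
```

Comparing the output of a binding-possible machine with a failing one narrows the problem to Secure Boot policy, TCG log contents, or firmware level before anything is re-imaged.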

  • Message 2 of 13

Re:PCR7 errors on all workstations above T470s.

2020-04-23, 20:17 PM

Let's focus on the T480s at first because I think the reason might be different than the T490s.

  1. Do you have any Thunderbolt device connected?
  2. What are the Thunderbolt security settings in BIOS setup?  Does changing them have any effect on the "PCR7 binding not supported" problem?
  3. Have you tried clearing the TPM?
  4. Have you tried loading BIOS default settings?
  5. Do you have any T480s that has never had McAfee's encryption installed, and if so, does this T480s have the same problem?
  • Message 3 of 13

Re:PCR7 errors on all workstations above T470s.

2020-04-24, 18:40 PM

@someotherguy wrote:

Let's focus on the T480s at first because I think the reason might be different than the T490s.

  1. Do you have any Thunderbolt device connected?
  2. What are the Thunderbolt security settings in BIOS setup?  Does changing them have any effect on the "PCR7 binding not supported" problem?
  3. Have you tried clearing the TPM?
  4. Have you tried loading BIOS default settings?
  5. Do you have any T480s that has never had McAfee's encryption installed, and if so, does this T480s have the same problem?


Probably for the best because that's the test device I have currently.

1: no Thunderbolt devices connected

2: Originally the security level was set to "User Authorization." I just tried the security level set to "No Security," "Secure Connect," and "Display port and USB" with no changes to the PCR7 configuration status.

3: One of the first things I tried.

4: Yes, no change.

5: No, everything has had McAfee on it at one point or another. The two T470 models we tested on had it previously and encrypted fine after removing the previous tool.

  • Message 4 of 13

Re:PCR7 errors on all workstations above T470s.

2020-04-24, 20:14 PM

We checked T480s here and we don't see this problem - we are able to bind with PCR7.  I took a closer look at your msinfo32 output and something jumped out at me.  Although you have latest BIOS, your Embedded Controller version is many versions old.  I don't know if this is the cause of your problem, but there is definitely something wrong with this system if the Embedded Controller is not getting updated by the normal WinUpTp package.  With BIOS version 1.39 (N22ET62W) you should be at Embedded Controller 1.20 (N22HT35W).  How exactly are you updating BIOS on this system?

I'd like to get the system updated to BIOS 1.39 AND Embedded Controller 1.20 and then check to see if this problem still happens.

  • Message 5 of 13

Re:PCR7 errors on all workstations above T470s.

2020-04-24, 20:56 PM

I use the Lenovo System Updater for that.

https://pcsupport.lenovo.com/us/en/downloads/ds012808

When I run it on the device now it says that it is up to date.

  • Message 6 of 13

Re:PCR7 errors on all workstations above T470s.

2020-04-25, 0:27 AM

Do you have another T480s that you can check to see if it's on the latest BIOS and Embedded Controller, and if so, whether PCR7 binding is possible?

  • Message 7 of 13

Re:PCR7 errors on all workstations above T470s.

2020-04-25, 14:25 PM

I had two more coworkers send me the system info from their T480s.

====

Item Value  

OS Name Microsoft Windows 10 Pro  

Version 10.0.18363 Build 18363  

Other OS Description  Not Available  

OS Manufacturer Microsoft Corporation  

System Name removed1

System Manufacturer LENOVO  

System Model 20L6S42W00  

System Type x64-based PC  

System SKU LENOVO_MT_20L6_BU_Think_FM_ThinkPad T480  

Processor Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 2112 Mhz, 4 Core(s), 8 Logical Processor(s)  

BIOS Version/Date LENOVO N24ET56W (1.31 ), 2/19/2020  

SMBIOS Version 3.0  

Embedded Controller Version 1.20  

BIOS Mode UEFI  

BaseBoard Manufacturer LENOVO  

BaseBoard Product 20L6S42W00  

BaseBoard Version SDK0J40697 WIN  

Platform Role Mobile  

Secure Boot State On  

PCR7 Configuration Binding Not Possible  

Windows Directory C:\WINDOWS  

System Directory C:\WINDOWS\system32  

Boot Device \Device\HarddiskVolume1  

Locale United States  

Hardware Abstraction Layer Version = "10.0.18362.752"  

User Name removed  

Time Zone Central Daylight Time  

Installed Physical Memory (RAM) 16.0 GB  

Total Physical Memory 15.8 GB  

Available Physical Memory 4.12 GB  

Total Virtual Memory 18.2 GB  

Available Virtual Memory 3.87 GB  

Page File Space 2.38 GB  

Page File C:\pagefile.sys  

Kernel DMA Protection Off  

Virtualization-based security Not enabled  

Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Un-allowed DMA capable bus/device(s) detected  

Hyper-V - VM Monitor Mode Extensions Yes  

Hyper-V - Second Level Address Translation Extensions Yes  

Hyper-V - Virtualization Enabled in Firmware Yes  

Hyper-V - Data Execution Protection Yes 

====

Item Value  

OS Name Microsoft Windows 10 Pro  

Version 10.0.18363 Build 18363  

Other OS Description  Not Available  

OS Manufacturer Microsoft Corporation  

System Name removed2

System Manufacturer LENOVO  

System Model 20L6S42W00  

System Type x64-based PC  

System SKU LENOVO_MT_20L6_BU_Think_FM_ThinkPad T480  

Processor Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 2112 Mhz, 4 Core(s), 8 Logical Processor(s)  

BIOS Version/Date LENOVO N24ET55W (1.30 ), 1/11/2020  

SMBIOS Version 3.0  

Embedded Controller Version 1.20  

BIOS Mode UEFI  

BaseBoard Manufacturer LENOVO  

BaseBoard Product 20L6S42W00  

BaseBoard Version SDK0J40697 WIN  

Platform Role Mobile  

Secure Boot State On  

PCR7 Configuration Binding Not Possible  

Windows Directory C:\WINDOWS  

System Directory C:\WINDOWS\system32  

Boot Device \Device\HarddiskVolume1  

Locale United States  

Hardware Abstraction Layer Version = "10.0.18362.752"  

User Name removed2  

Time Zone Eastern Daylight Time  

Installed Physical Memory (RAM) 16.0 GB  

Total Physical Memory 15.8 GB  

Available Physical Memory 8.39 GB  

Total Virtual Memory 18.2 GB  

Available Virtual Memory 7.90 GB  

Page File Space 2.38 GB  

Page File C:\pagefile.sys  

Kernel DMA Protection Off  

Virtualization-based security Running  

Virtualization-based security Required Security Properties  

Virtualization-based security Available Security Properties Base Virtualization Support, Secure Boot, DMA Protection, Secure Memory Overwrite, UEFI Code Readonly, SMM Security Mitigations 1.0, Mode Based Execution Control  

Virtualization-based security Services Configured  

Virtualization-based security Services Running  

Device Encryption Support Reasons for failed automatic device encryption: PCR7 binding is not supported, Un-allowed DMA capable bus/device(s) detected  

A hypervisor has been detected. Features required for Hyper-V will not be displayed.  

====


Their embedded controller seems to be higher. They still have the DMA bus issue because we haven't added the "PCI Express Upstream Switch Port" to the DMA allowed buses yet, as they are waiting until I figure out the PCR7 issue.

  • Message 8 of 13

Re:PCR7 errors on all workstations above T470s.

2020-04-27, 1:06 AM

Since we don't see it here, the only other thing I can suggest is to try a clean installation of Win10 (not your corporate image).  You don't need any drivers or anything else... see what happens.  From the forum, I'm not really able to help debug problems that I can't reproduce.  If you need further assistance you may need to ask your account rep about opening a support case.

  • Message 9 of 13

Re:PCR7 errors on all workstations above T470s.

2020-04-27, 16:31 PM

Thank you for your help. When I emailed our rep, he said to come here. I can't pave my test device right now as our office is closed, and I could not image it back to standard to keep troubleshooting even if that does say our image is wrong. If it is our image I have to find what is wrong so I can fix it going forward and develop a way to fix it in place for the hundreds of devices that are using the broken image.

If I can figure it out, I will post what the solution was here in case someone else starts having the same issue. 

Side question, how do you recommend to update the BIOS if the Lenovo System Updater is missing the embedded controller update?

  • Message 10 of 13

Re:PCR7 errors on all workstations above T470s.

2020-04-27, 17:18 PM

Re-imaging the device will probably be the first thing that the support team will want to do, to rule out a software problem.  If that works, I agree that it's important to find out why your image has this problem, but it may become more of a Microsoft question at that point.  I haven't heard any other customer reporting this kind of problem with PCR7 and I also searched through our case database.  Have you checked in Safe Mode?  According to my quick test here, msinfo32 still works in Safe Mode and my system is showing "binding possible" (same as within full Windows).

System Update should be updating both the BIOS and the EC firmware together, though I have heard of an isolated case like yours once before.  System Update uses WinUpTp.exe (same as from the support website) where BIOS + EC are packaged together.  But just as a test, try another update using n22uj22w.exe from the support website.  (We know now that this isn't your problem with PCR7 since you found other machines that are already on latest BIOS + EC)

https://pcsupport.lenovo.com/ch/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t480s-type-20l7-20l8/downloads/DS502226
