7 Posts
0
8902
Aurora R12, Secure Boot fails, PCR7 Binding not possible
Similar to this Latitude topic.
MS Intune service (the MDM service we are using) reports that Secure Boot is not enabled for this PC, although it looks enabled in BIOS and Windows Security Center.
After digging into it, System Information shows that
PCR7 Configuration: Binding Not Possible.
Device Encryption Support: Reasons for failed automatic device encryption: PCR7 binding is not supported, Un-allowed DMA capable bus/device(s) detected.
And in Event Manager, Event ID 813 can be observed in the log Microsoft-Windows-BitLocker-API/Management:
BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'SecureBoot' is missing or invalid.
And Event ID 834:
BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
Tried resetting the PC, as well as reinstalling Windows via OS recovery tool, issue still persists.
This is usually related to a BIOS or TPM firmware issue. It's the same on 3 of my Aurora R12s; other OptiPlex and Latitude devices have no such issue.
Please provide a solution for it; we desperately need it working as these PCs need to be managed by Intune. Thanks.
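A triage script for the symptoms described in the post above, added here as an example (it is not part of the thread and is not Dell or Microsoft code). It assumes an elevated PowerShell session on the affected PC, English-language `manage-bde` output, and that the log Event Viewer shows under BitLocker-API > Management is addressed by `Get-WinEvent` as `Microsoft-Windows-BitLocker/BitLocker Management`.

```powershell
#Requires -RunAsAdministrator
# Added example: gather the facts behind "PCR7 Configuration: Binding Not Possible".

# 1. Secure Boot state as reported by the firmware.
#    Confirm-SecureBootUEFI throws on systems that do not boot via UEFI.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = "Not supported: $($_.Exception.Message)" }

# 2. TPM / PTT state as Windows sees it.
$tpm = Get-Tpm

# 3. PCR validation profile of the OS volume's TPM protector (only present
#    when BitLocker is enabled). "7, 11" means the key is sealed against
#    Secure Boot state (PCR7); a profile such as "0, 2, 4, 11" means
#    BitLocker fell back to the legacy PCR set.
#    The match string assumes English output; manage-bde text is localized.
$pcrProfile = manage-bde -protectors -get $env:SystemDrive |
    Select-String -Pattern 'PCR Validation Profile' -Context 0, 2 |
    ForEach-Object { ($_.Context.PostContext | ForEach-Object { $_.Trim() }) -join ' ' }

# 4. The two event IDs quoted in the post (813 and 834).
$filter = @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 813, 834
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue

# Summary object: easy to export or attach to a support ticket.
[pscustomobject]@{
    SecureBootUEFI       = $secureBoot
    TpmPresent           = $tpm.TpmPresent
    TpmReady             = $tpm.TpmReady
    TpmFirmwareVersion   = $tpm.ManufacturerVersion
    PcrValidationProfile = if ($pcrProfile) { $pcrProfile } else { 'No TPM protector found' }
    Event813Count        = @($events | Where-Object Id -eq 813).Count
    Event834Count        = @($events | Where-Object Id -eq 834).Count
} | Format-List

# Full text of the most recent matching events, newest first.
$events | Select-Object TimeCreated, Id, Message | Format-List
```

Secure Boot reporting `True` together with events 813/834 matches the situation in the post: Secure Boot is on, but the TCG log does not let BitLocker bind to PCR7.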
Jacky L
7 Posts
0
July 13th, 2021 22:00
Got the final answer from Dell's Community Support, for those who might be following this thread.
Simply put, the issue that
Which prevents from reporting the Secure Boot status correctly to MDM solutions such as Intune.
Both are by design.
Quote from Dell Community Support:
I further expressed my feeling that other DIY motherboards can get it working, can't you just "fix" it in your BIOS/firmware?
They told me
So that's the end. I would like to purchase a business-class product like OptiPlex or Precision, however these models don't offer the RTX 3070 that I need to use in my application (can't use Quadro series).
Vanadiel
6 Professor
6.2K Posts
0
June 24th, 2021 03:00
I have this on my R10 at version 2.0. I think you have to make sure to use the chipset drivers from Intel directly, as I use the chipset drivers from AMD rather than the DELL version. They might be the same, I am not sure.
speedstep
9 Legend
47K Posts
0
June 24th, 2021 04:00
INTEL PTT replaces TPM but I don't know of an AMD equivalent.
Intel PTT is basically the firmware alternative to the hardware-based TPM.
That's why my B450M PRO 4 board has a physical TPM header.
TPM is an optional feature in regular implementation
AMD doesn't seem to publish which processors support fTPM via BIOS update. I couldn't find any list.
I suggest you all open an AMD Service Request (Official AMD SUPPORT) and ask them which AMD's new 5000 series processor has BIOS support for fTPM from here: https://www.amd.com/en/support/contact-email-form
I do know that if a Motherboard has a hardware TPM port you don't need to have fTPM via CPU to run that feature. But if a Motherboard doesn't have a TPM Port then you will need to use fTPM via CPU to run that feature.
Jacky L
7 Posts
0
June 24th, 2021 05:00
I understand it doesn't mention in spec, but
Does this mean TPM exists on my system?
speedstep
9 Legend
47K Posts
0
June 24th, 2021 06:00
PTT is INTEL not AMD
Intel PTT is basically the firmware alternative to the hardware-based TPM.
"The system shows TPM is ready"
What model Dell aka what does motherboard tab of CPU-Z say?
TPM is not available in embargoed countries.
In general TPM is an option. Especially with game systems.
The SKINIT instruction writes the contents of the SLB to an address that is redirected into the TPM via the _Hash_Init, _Hash_Start, and _Hash_End signals. These signals measure the contents of the SLB into PCR 17.
r72019
6 Professor
5.3K Posts
1
June 24th, 2021 10:00
"I suggest you all open a AMD Service Request (Official AMD SUPPORT) and ask them which AMD's new 5000 series processor has BIOS support for fTPM from here :"
Note, R12 is Intel.
Jacky L
7 Posts
0
June 25th, 2021 00:00
I'm pretty sure I'm not in those countries.
I know usually only OEM/ODM can answer it.
My question was: is "PCR7 not possible to bind" an OEM/ODM BIOS issue? PCR 7 sector seems to be manufacturer controlled.
If it is caused by faulty BIOS from Dell, they should fix it.
Let me provide a screenshot as additional info; this forum system didn't allow me to upload images when I started the topic.
It clearly shows that TPM (PTT) exists in the system.
According to the KB article published by Dell, this device should have TPM/PTT.
So due to the PCR 7 issue, BitLocker cannot use Secure Boot for integrity. This results in an error when managing the PC with MS Intune, which will indicate Secure Boot is not enabled.
Does anyone know how to fix it? Or is it a Dell issue?
speedstep
9 Legend
47K Posts
0
June 25th, 2021 04:00
@r72019
R12 has INTEL PTT under Security Tab instead of Discrete TPM. Must be turned on.
That won't be the case for embargoed countries, however. Exporting Dell Computers or Software or TPM or PTT to these countries is a Felony under federal law.
Cuba.
Iraq.
North Korea.
Russian industry sector sanctions.
Crimea region of Ukraine.
Iran.
Syria.
Any authority granted to the President by section 1702 of this title may be exercised to deal with any unusual and extraordinary threat, which has its source in whole or substantial part outside the United States, to the national security, foreign policy, or economy of the United States,
Export Administration BXA is now BIS
https://www.bis.doc.gov/
https://www.bis.doc.gov/index.php/documents/regulation-docs/420-part-746-embargoes-and-other-special-controls/file
https://www.law.cornell.edu/cfr/text/15/part-746
Also found that AMD calls this Bios Firmware Addition Pro Security.
https://www.amd.com/en/ryzen-pro
https://www.amd.com/en/technologies/pro-security
https://www.amd.com/system/files/documents/pro-security.pdf
PTT TPM 2.0 has been in INTEL since 4th GEN Haswell Windows 8 machines since 2012
https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/4th-gen-core-family-mobile-brief.pdf
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/enterprise-security-platform-trust-technology-white-paper.pdf
Won't be anything in F2 BIOS about TPM options but will have PTT Security settings under security tab.
https://www.dell.com/support/kbdoc/en-us/000103639/
speedstep
9 Legend
47K Posts
0
June 25th, 2021 05:00
Dell systems like the R12 do not ship with a TPM (Trusted Platform Module) hardware module, and instead use PTT (Platform Trust Technology). PTT is a lower-cost solution that supports the same functions of the TPM 2.0.
What Dell model computers have a TPM / Intel PTT?
https://www.dell.com/support/kbdoc/en-us/000103639/
Jacky L
7 Posts
0
June 25th, 2021 05:00
I already said it doesn't matter whether it's PTT or TPM; PCR7 binding not working is the issue...
Clearly TPM/PTT makes no difference in this case, as long as one of them exists.
By the way, do you own R12 as well? Is the bottom screenshot from System Information? What's your value for PCR7 Configuration item?
Vanadiel
6 Professor
6.2K Posts
0
July 14th, 2021 09:00
I looked into this a little bit myself because of pending Windows 11 requirements.
PCR7 binding has to do with encryption of devices.
There are 2 ways of encrypting devices under Windows 10:
1. TPM based encryption of all devices.
2. BitLocker encryption of selected devices.
It looks like #1 is not supported, hence the error.
Jacky L
7 Posts
0
July 15th, 2021 00:00
Right, I can't believe they offer TPM but leave the spec not 100% functional zzz