R730xd, BitLocker, Secure Boot, PCR7 issue

We got in a dozen R730xd servers last year that I am now encrypting with BitLocker. I've done two servers' C:\ drives and got the same problem - BitLocker says it is not using Secure Boot for integrity because issue with PCR7. On both servers (which, btw, boot fine; they do not ask for recovery key):

• R730xd with BIOS version 2.6.0
• TPM Enabled
• TPM Firmware v1.3.0.1
• TPM Advanced Settings: TPM PPI Bypass Clear: Enabled; TPM PPI Bypass Provision: Enabled; SHA256
• Secure Boot: Enabled; Standard Settings
• Legacy Video Disabled
• Windows Server 2016 Standard (GUI not Core) patched to March 22, 2018.
• TPM Management Console says TPM is ready for use.
• Device Manager shows "Trusted Platform Module 2.0" under Security Devices
• MsInfo says Secure Boot ON.
• GPO settings applied as per Exchange team article (except for backing up TPM Ownership info to AD cause W2K16 does not do that, but irrelevant to my issue). https://blogs.technet.microsoft.com/exchange/2015/10/20/enabling-bitlocker-on-exchange-servers/
• BitLocker encrypted C: just fine.
• Recovery Key backed up to AD just fine.
• manage-bde -status shows: Conversion Status: Used Space Only (as per Exchange team article); % Encrypted: 100%; Encryption Method: XTS-AES 256; Protection Status: On; Lock Status: Unlocked; Identification Field: Unknown; Key Protectors: Numerical Password, TPM.

The problem: These events in BitLocker-API Management log after C: encrypted:

• Event 812 (Warning)(twice, 18 minutes apart): BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. Error Message: A required privilege is not held by the client.
• Event 815 (Warning): BitLocker cannot use Secure Boot for integrity because the expected TCG Log separator entry is missing or invalid.
• Event 834 (Information): BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
• Events 815 and 834 repeat together about a few times a day in the two days since encrypting C: (no pattern, e.g. no x hours apart)

In addition, manage-bde -protectors -get %systemdrive% shows TPM PCR Validation Profile: 0, 2, 4, 11 and MsInfo reports "PCR7 Configuration: Binding Not Possible."

Based on posts/articles I found researching BitLocker, Secure Boot, PCR7, I ran the following commands with the following results:

• Confirm-SecureBootUEFI: True
• Get-SecureBootPolicy: 77fa9abd-0359-4d32-bd60-28f4e78f784b Version 1 - this is correct policy, confirms not in manufacturing mode (MSFT article)

I've seen a few other similar posts (Dell and MSFT forums). What is causing issue - how to diagnose, and how to fix? Is it hardware related? (bad motherboards?) or BIOS version (but the version after 2.6.0 included the spectre fix and Intel/Dell said don't install because fix was bad.)

Thanks,

Joan