TPM PCR7 binding fails due to a BIOS bug that breaks TCG (MSI B550 Gen 3 and all AMD motherboards)

smalllll_8 (New member, joined Aug 6, 2019, 2 messages)

Windows 24H2

BitLocker-API events from eventvwr report that "BitLocker determined that the TCG log is invalid for use of Secure Boot." and also "BitLocker cannot use Secure Boot for integrity because the expected TCG Log separator entry is missing or invalid."

I am using the latest BIOS. Already tried resetting the Secure Boot keys and clearing the TPM.

The TCG log is invalid and that makes PCR7 unusable. This bug exists in MSI motherboards.

BitLocker only accepts the Microsoft Windows PCA 2011 certificate to be used to sign early boot components that will be validated during boot. Any other signature present on boot code will cause BitLocker to use TPM profile 0, 2, 4, 11 instead of 7, 11. In some cases, the binaries are signed with the UEFI CA 2011 certificate, which will prevent you from binding BitLocker to PCR7.

MSI's default certificates are different.


More here:
- https://www.reddit.com/r/MSI_Gaming/comments/1g5qy2h/tpm_pcr7_binding_fails_due_to_abios_bug_that/
 
I have the same issue here. Because of this, my motherboard doesn't meet the requirements for automatic BitLocker on 24H2, and the event logger is throwing all this information.

This should be fixed.
 
I'm also having the issue with activating BitLocker and went through the same error in the event viewer.

Since I'm not sure whether MSI provides support through these forums, I have sent a support request online.

Hoping for a quick solution, since not running BitLocker means a security risk and I have purchased Windows 11 Home for the purpose of being able to run it since 24H2 release.
 
I raised a support ticket as well as a forum post for the same issue roughly a year ago,


The short of it is, this most likely will not be addressed, and you will have to use the other registers instead with Bitlocker. My suspicion, from what I saw on my board and documented in that post above, was that MSI includes their own additional signing keys on top of the standard Microsoft ones, and thus Windows won't allow PCR 7 to be bound to. Bitlocker will still work with registers 0, 2, 4, and 11, but you will have to suspend it when doing things like firmware updates, otherwise you will need to enter the recovery key when you next boot up.
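An added diagnostic script (not from this thread or from MSI) that checks the three things the posts above turn on: whether Secure Boot is on, whether the BitLocker management log contains the TCG-log messages quoted in the first post, and which PCR profile the TPM protector actually ended up with, plus the suspend step the reply above recommends before firmware updates. It assumes an elevated PowerShell on Windows Pro (the BitLocker cmdlets are not available on Home) and an OS drive letter of C:.

```powershell
# Added example; assumes elevated PowerShell, Windows Pro, OS volume C:.

# 1. PCR7 binding is only possible with Secure Boot enabled.
$secureBoot = Confirm-SecureBootUEFI
"Secure Boot enabled: $secureBoot"

# 2. Look for the TCG-log complaints quoted in the thread.
$logName = 'Microsoft-Windows-BitLocker/BitLocker Management'
$tcgEvents = Get-WinEvent -LogName $logName -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'TCG [Ll]og' }
if ($tcgEvents) {
    "BitLocker logged $($tcgEvents.Count) TCG log problem(s); PCR7 binding will not be used:"
    $tcgEvents | Select-Object -First 3 TimeCreated, Id, Message | Format-List
} else {
    'No TCG log events found in the BitLocker management log.'
}

# 3. Read the PCR validation profile of the TPM protector from manage-bde output.
#    manage-bde prints "PCR Validation Profile:" with the PCR list on the next line.
$mbde = (manage-bde -protectors -get C:) -join "`n"
if ($mbde -match 'PCR Validation Profile:\s*([\d, ]+)') {
    $profile = $matches[1].Trim()
    "TPM protector PCR profile: $profile"
    if (($profile -split ',\s*') -contains '7') {
        'Bound to PCR7: integrity comes from Secure Boot, firmware updates do not trigger recovery.'
    } else {
        'Not bound to PCR7: firmware measurements (PCR 0, 2, 4) are in the profile.'
        'Suspend BitLocker before flashing a BIOS or the next boot will ask for the recovery key.'
    }
} else {
    'No TPM protector with a PCR profile found on C: (BitLocker off, or no TPM protector).'
}

# 4. Suspend step for a 0,2,4,11-bound drive, for exactly one reboot (the BIOS flash):
#    Suspend-BitLocker -MountPoint 'C:' -RebootCount 1
#    Protection resumes automatically after that reboot with the new measurements sealed.
```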
 
Thanks for your input.

For now I'm fine to run BitLocker without PCR 7 and the resulting limitations. However, currently I am unable to access the BitLocker settings at all. It is not listed in the legacy Control Panel, and in the settings of my C: drive I get the error message:

Code:
Error upon opening the BitLocker System Control Tool. Error Code: 0x80004005.

Any advice on this would be appreciated.
 
Hmm, could be due to it being Windows Home. I'm on Professional, though it's still on 23H2. On Professional, you have more options for interacting with BitLocker, including the manage-bde PowerShell commands. I'm guessing here, but maybe if Windows Home cannot automatically encrypt, based on what you see in msinfo, it may just not allow it at all, versus in Pro, where I can go into the Group Policy editor for BitLocker and check the options to say encrypt using these alternate registers, for example.
 
Thanks for your input. Read the same in another forum in the meantime.

Nevertheless the original PCR7 binding issue remains present.
 