Windows 11 device encryption option vanished after BIOS update

Hey,
A couple of days ago I updated to firmware 3.05 on my FW 13 AMD. I updated the BIOS using fwupdmgr on Fedora 39 and there was no issue during the process. However, on Windows 11 I noticed that the Device Encryption option has vanished. I have so far checked the following things:

System Information
Device Encryption Support: Reasons for failed automatic device encryption: PCR7 binding is not supported, Un-allowed DMA-capable bus/device(s) detected, WinRE is not configured

PCR7 Configuration: Binding Not Possible

Secure Boot State: On

BIOS Mode: UEFI

powercfg /a
As far as I understand, PCR7 requires S0 to be supported, which is the case, confirmed by powercfg /a.

tpm.msc
Reports the TPM is available.

BIOS settings
Secure Boot is enforced
TPM 2.0 (MSFT) is enabled and set to available

I have read that e.g. Lenovo firmware updates disable Secure Boot during updating and sometimes do not re-enable it, but both the BIOS and Windows report Secure Boot to be enabled.

Does anyone know how to resolve this? Thanks in advance!

Note: I have already posted this under the thread of the 3.05 release, but thought it might deserve its own topic.

Edit: Typo in TPM version

Does it still work with 1.1? I thought it required TPM 2.0, or is that a typo?

You are correct. This is a typo. The BIOS reports TPM 2.0 (MSFT)

To me the state of the TPM and/or Secure Boot just changed. Windows is probably not offering anything because it can’t determine if those devices are trusted.

I really don’t have any idea on how to restore it to Windows. Seems like Fedora might be the one leveraging the TPM now?

Have you rebooted since this? Are you using anything non-Microsoft on the boot process?

Hey there,

it's been a few days since I fixed it. Your comment is what tipped me off. I noticed that I was entering the Windows Boot Manager through its GRUB entry. Selecting it directly through the F2 menu during boot fixed the PCR7 issue. The only issue that was left is the missing WinRE. Instead of properly installing it, I disabled it completely using reagentc /disable. After that I added the TPM as a protector to the C drive using manage-bde -protectors -add -tpm c:. Then I locked the drive with manage-bde -lock c: and resumed BitLocker using Resume-BitLocker.

This way you also restore the option in Windows settings.

Also, don’t forget to save your backup key as it might not be automatically synced with your Microsoft account: manage-bde -protectors c:

Like I said, it's been a few days since I did this, so if there is a mistake in the instructions above, let me know.
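For anyone repeating the steps above, here is an added PowerShell script (not from this thread or from Framework) that first audits the same things the original post checked by hand (Secure Boot, TPM readiness, WinRE status, existing protectors), refuses to bind to the TPM if those checks fail, and makes sure a recovery password exists and is shown before the TPM protector is re-added and protection is resumed. It assumes an elevated PowerShell on the affected machine, that C: is the already-encrypted OS volume, and an English locale for parsing reagentc output.

```powershell
# Added example: audit BitLocker/TPM readiness, then re-add the TPM protector safely.
# Assumptions: run elevated; $Mount is the OS volume that is already encrypted (only
# suspended), so Resume-BitLocker applies; reagentc output is in English.
param([string]$Mount = 'C:')

$report = [ordered]@{}
# Confirm-SecureBootUEFI throws on legacy BIOS; treat that as "not on".
$report.SecureBoot = try { Confirm-SecureBootUEFI } catch { $false }
$tpm = Get-Tpm
$report.TpmPresent = $tpm.TpmPresent
$report.TpmReady   = $tpm.TpmReady
# reagentc has no cmdlet; pull the "Windows RE status" line from its text output.
$report.WinRE = ((reagentc /info) -match 'Windows RE status') -replace '.*:\s*', ''

$vol = Get-BitLockerVolume -MountPoint $Mount
$report.VolumeStatus     = $vol.VolumeStatus
$report.ProtectionStatus = $vol.ProtectionStatus
$report.Protectors       = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ','
$report | Format-Table -AutoSize

if (-not $report.SecureBoot -or -not $report.TpmReady) {
    Write-Warning 'Secure Boot is off or the TPM is not ready; fix firmware settings first.'
    return
}
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning "$Mount is not encrypted; enable BitLocker instead of resuming it."
    return
}

# A recovery password must exist (and be saved off-device) before binding to PCR7,
# because any later change to the measured boot path will force recovery.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    $vol = Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
Write-Host "Recovery password (store it outside this machine): $($recovery.RecoveryPassword)"
# Optional escrow to the Microsoft/Entra account the device is joined to.
try { BackupToAAD-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $recovery.KeyProtectorId | Out-Null }
catch { Write-Warning "Cloud backup skipped: $_" }

# Re-add the TPM protector only if none is present, then resume protection.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $Mount -TpmProtector | Out-Null
}
Resume-BitLocker -MountPoint $Mount | Out-Null
(Get-BitLockerVolume -MountPoint $Mount).ProtectionStatus
```

Reboot through the firmware boot menu directly into Windows Boot Manager afterwards, as the post describes; booting via a GRUB chain-load changes the PCR7 measurements and will land you in recovery.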

Yeah, it makes sense then. It's part of measured boot, in that all the processes and configuration during startup are “checksummed”; then if they change, it is known and can fail startup.

With BitLocker and the TPM, this checksum forms part of the decrypt; when it’s wrong, the TPM won’t decrypt BitLocker's key, and Windows fails to start.

You can make it not use PCR7 in the BitLocker policy, it’s somewhere in gpedit.msc.