Enable BitLocker / secure boot

PIXLDealer (Member)
Hello,

After realizing that my data was vulnerable (just unplugging and reconnecting a hard drive to another PC gives access to the files), I thought it would be important to find a solution.
The simplest option being BitLocker, I set out to enable it.

So first step, check with MSINFO if my PC is compatible, and there, surprise, encryption failure due to the PCR7 binding.

An error that I imagine could have a solution; I think about enabling Secure Boot.

Off to the BIOS (MSI X570 Pro Carbon Wifi), I enable UEFI mode and then Secure Boot.
Another nice surprise, my PC doesn’t boot anymore after that.
After canceling my changes, it restarts (phew).

Stubborn, I decide to keep looking for how to enable Secure Boot; I reset the BIOS settings, I check if there are any issues with the disk partitions (apparently they need to be in GUID (GPT), and all my drives are).

While using Windows 11 I get the following error when I want to encrypt my drives:

Failed to open the BitLocker control panel tool
Error code: 0x80004005
And the solution for the error code is to check that the PC indeed supports BitLocker with MSINFO, which brings us back to the PCR7 binding issue.

Does anyone have a miracle solution?

A bit more information about my PC:
Operating system name: Microsoft Windows 11 Home
Version 10.0.22000 Build 22000
Ryzen 5 3600X
RTX 3070
16 GB DDR4 RAM
Boot drive: Crucial P1 M.2 SSD
Drive 1: Samsung EVO Plus 1TB
Drive 2: Western Digital 1 TB HDD
Drive 3: Western Digital 1 TB HDD

Thank you in advance! :)

3 replies

Anonymous user
Hello,

Only Windows Professional offers the Bitlocker option on a system disk; you need to purchase a Pro license key and upgrade Windows to access this Bitlocker feature.

Secure Boot and TPM are indeed required for optimal protection.

EDIT: Are you sure that's Secure Boot you intended to enable? There is a similar option on MSI boards, but it's not Secure Boot, which can be enabled without any issues in a UEFI system using GPT.
PIXLDealer (Member)
Thank you for your response. I have indeed activated fTPM (AMD CPU), and there are no issues activating the BIOS in UEFI, which is actually required to enable Secure Boot. However, as soon as I enable it, my PC launches the repair tool and I cannot boot into Windows.

Upgrading to a Pro license is not an issue, but I wonder whether it will help, given the PCR7 binding error on the "Device encryption support" line.
bendrop (Contributor)
Hello,

Bitlocker is only available from Windows Pro. Since you have Windows 10 Home, you can't use Bitlocker.
Instead, you can use Veracrypt https://www.malekal.com/quels-logiciels-pour-chiffrer-ses-donnees-sur-windows/
You can either encrypt your entire disk like Bitlocker does https://lecrabeinfo.net/veracrypt-chiffrer-un-disque-systeme-windows.html, or create a container where you can store your documents https://www.malekal.com/veracrypt-creer-un-conteneur-chiffre-pour-proteger-ses-donnees-sur-windows-ou-ubuntu/

Best regards.

PIXLDealer (Member)
Thank you for your response. If I switch to Windows Pro, will it allow me to enable BitLocker even if I have the error:

Device encryption support: Reasons for automatic device encryption failure: PCR7 binding not supported, hardware security test interface failed and the device is not in modern standby, detection of unauthorized DMA bus/device

?
bendrop (Contributor), replying to PIXLDealer
Indeed, BitLocker has prerequisites:
  • A TPM* version 1.2 or 2.0
  • Support for PCR 7 and Modern Standby
  • Memory access protection (Direct Memory Access, DMA) enabled in Windows 10
  • UEFI (Unified Extensible Firmware Interface) firmware
  • UEFI Secure Boot enabled
  • UEFI Boot enabled
  • Microsoft account

Which will prevent you from using it if your PC does not have them.
Hence the solution with VeraCrypt.
You can also wait for another suggestion.

Best regards.
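One way to check the prerequisites listed above from PowerShell before paying for a Pro upgrade, as an added example that is not part of the thread: the cmdlets are the standard Windows ones, the report path is an assumption, and the PCR7 and Kernel DMA Protection lines come from an exported msinfo32 report because no cmdlet exposes them directly.

```powershell
# Added example (not from the thread): gather the BitLocker prerequisites into one
# report. Run from an elevated PowerShell prompt on the machine being checked.
$ReportPath = Join-Path $env:TEMP 'msinfo32-report.txt'   # assumed output location

# 1. Edition: drive-level BitLocker needs Pro/Enterprise/Education. Home only offers
#    "Device encryption", which is exactly what the PCR7 message blocks.
$edition = (Get-WindowsEdition -Online).Edition

# 2. Firmware mode and Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS
#    systems, so treat an exception as "not running in UEFI mode".
$firmware = (Get-ComputerInfo).BiosFirmwareType
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'Unavailable (legacy BIOS boot or unsupported firmware)' }

# 3. TPM presence, readiness and spec version (1.2 or 2.0 is required).
$tpm     = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                            -ClassName Win32_Tpm).SpecVersion

# 4. Partition style of every disk: UEFI boot requires GPT on the system disk.
$disks = Get-Disk | Select-Object Number, FriendlyName, PartitionStyle, BootFromDisk

# 5. PCR7 binding, Device Encryption Support and Kernel DMA Protection are only
#    reported by msinfo32. Export its text report and keep the relevant lines.
Start-Process msinfo32.exe -ArgumentList "/report `"$ReportPath`"" -Wait
$msinfoLines = Select-String -Path $ReportPath `
    -Pattern 'PCR7', 'Device Encryption Support', 'Kernel DMA Protection', 'Secure Boot State' |
    ForEach-Object { $_.Line.Trim() }

[pscustomobject]@{
    WindowsEdition = $edition
    FirmwareType   = $firmware
    SecureBoot     = $secureBoot
    TpmPresent     = $tpm.TpmPresent
    TpmReady       = $tpm.TpmReady
    TpmSpecVersion = $tpmSpec
} | Format-List

$disks | Format-Table -AutoSize
$msinfoLines
```

If "PCR7 Configuration" reads "Binding Not Possible" while Secure Boot State is "On", the firmware measurement chain, not the Windows edition, is what needs fixing.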
PIXLDealer (Member)
To summarize, the problem seems to stem from a corrupted boot file, all other possibilities having been exhausted. I am currently repairing my 2 HDDs and 2 SSDs.
I will boot with only my SSD where the Windows files are located to see if there are any changes and then add the other drives one by one.

If nothing changes, I will perform a clean installation of Windows hoping that this resolves the issue; otherwise, I will contact MSI support, as the problem may be related to a BIOS setting.

In any case, the goal for now is to have a system where I can enable secure boot before switching to Windows Pro and having BitLocker.
If nothing works, I will switch to VeraCrypt.

Thank you for your responses; I will update the thread if I manage to enable secure boot without crashing Windows.