Here is a screenshot from a system that is compatible<\/p>\n\n\n\n If Device Encryption<\/strong> does not appear on that page, it likely means that your hardware is not compatible in its current state. You can check this easily by using the System Information app that Microsoft kindly include. <\/p>\n\n\n\n Go to Search<\/strong> type System Information<\/strong> and click on Run as Administrator<\/strong><\/p>\n\n\n\n In the window that opens at the very bottom of the screen you will see an entry for Device Encryption Support, change the column widths so you can read the entire message.<\/p>\n\n\n\n If you could read the image above you would see that the entry on my PC said:<\/p>\n\n\n\n Device Encryption Support: Reasons for failed automatic device encryption: PCR7 binding is not supported, Hardware Security Test Interface failed and the device is not Modern Standby, Un-allowed DMA-capable bus\/device(s) detected<\/strong><\/p>\n\n\n\n This is a list of at least three different errors<\/p>\n\n\n\n Lets look at each of these in turn<\/p>\n\n\n\n This refers to secure boot, it’s that simple. <\/p>\n\n\n\n You can check if you have secure boot available in your BIOS you also need to check that secure boot is using UEFI. I cannot tell you how to do this as every BIOS is different, but you can check for secure boot through PowerShell. <\/p>\n\n\n\n To check in PowerShell open the search menu, type PowerShell and open the PowerShell application as administrator.<\/p>\n\n\n\n In the shell windows that opens type In this example I had already enabled it and you can see that the command returned True<\/strong>, so Secure boot is enabled. Its likely, if you are reading this and you have the PCR7 Binding error that yours will return False<\/strong><\/p>\n\n\n\n I can’t tell you how to do that as each BIOS will be different depending on manufacturer. I had to enable UEFI and disable CSR. Once I had managed to enable this windows reported that secure boot was enabled it enabled in Settings<\/strong> > Windows Security<\/strong> > Device Security<\/strong> <\/p>\n\n\n\n Once I’d done this the PCR7 Binding error disappeared from System Info<\/p>\n\n\n\n I am going to tell you what this means and how to workaround it. I do so with a warning that there are issues doing so and you reduce the security of your system potentially opening it to DMA attacks. A lot of DMA attacks have been mitigated ion later versions of windows but if you make these changes then you do so at your own risk.<\/p>\n\n\n\n You can read about DMA attacks on Wikipedia <\/a><\/p>\n\n\n\n Windows lists Allowed, UnAllowed and Verified DMA devcies in the registry with their PCI ID, you can see them at:<\/p>\n\n\n\n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DmaSecurity<\/strong><\/p>\n\n\n\n Mine were all under the default key<\/p>\n\n\n\n HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DmaSecurity\\Default<\/strong><\/p>\n\n\n\n You can view them by using Regedit or PowerShell<\/p>\n\n\n\n Open the search menu, type Regedit and click on the Regedit application<\/p>\n\n\n\n Navigate to the appropriate Hive and Key and inspect the listings<\/p>\n\n\n\n To view the keys and values in PowerShell open the search menu, type PowerShell<\/strong> and open the PowerShell application<\/p>\n\n\n\n In the shell window that opens type the following commands, make sure you include the space and full stop after Get-Item <\/p>\n\n\n\n This will show you all the entries in the UnallowedBuses registry key with their name and value<\/p>\n\n\n\n To remove the DMA error you need to remove these entries or move them to AllowedBuses. To do that you need to take ownership of the UnallowedBuses and AllowedBuses Key and then give yourself full access to both keys. There is an MS article that references this process for Bitlocker, it is the same process for Device Encryption. You can read that article on the MS Docs site – Un-allowed DMA capable bus\/device(s) detected<\/a><\/p>\n\n\n\n Remember the earlier warning, this may be opening the potential for DMA attacks. I suggest you check with the manufacturer of the device if they can provide any information on the component’s use of DMA and the safety of doing this.<\/p>\n\n\n\n Some articles suggested working through them one at a time to find the ones that were causing the issue, but I had to remove them all from UnallowedBuses.<\/p>\n\n\n\n![\"\"\/](\"https:\/\/www.windowscentral.com\/sites\/wpcentral.com\/files\/styles\/xlarge\/public\/field\/image\/2019\/07\/windows-10-home-device-encryption.jpg\")
![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-19.png\")
![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-20.png\")
PCR7 Binding is not supported<\/h2>\n\n\n\n
![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-27.png\")
Confirm-SecureBootUEFI<\/code><\/p>\n\n\n\n![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-28.png\")
![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-21.png\")
Un-Allowed DMA Capable Devices<\/h2>\n\n\n\n
Regedit<\/span><\/h3>\n\n\n\n
![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-22.png\")
![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-23.png\")
PowerShell<\/span><\/h3>\n\n\n\n
![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-24.png\")
Set-Location HKLM:\\system\\currentcontrolset\\control\\dmasecurity\\default\\UnallowedBuses\nGet-Item . #make sure you add the space and a full stop <\/pre>\n\n\n\n
Fixing the Error<\/span><\/h3>\n\n\n\n
Modern Standby<\/h2>\n\n\n\n
![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-25.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/vroamam.com\/wordpress\/wp-content\/uploads\/2022\/01\/image-26.png\")
<\/figure>\n\n\n\n