McDuff
Level 11
Message 1 of 6

PCR7 - Binding not possible after encrypting/decrypting with McAfee Drive Encryption

Greetings

Wondering if any of you have noticed that encrypting a device with McAfee Drive Encryption (v 7.2.8, 7.2.9) seems to permanently set PCR7 Configuration (found in MSInfo32) for TPM to "Binding NOT possible".

Has anyone found a way to restore PCR7 binding after a device is decrypted with McAfee Drive Encryption?

In our testing, we've noticed:

1.  Fresh PC ==> PCR7 Configuration set to Binding possible

2.  Install McAfee Endpoint Encryption ==>  PCR7 Configuration still set to Binding possible

3.  As soon as the device is encrypted ==> PCR7 Configuration still set to Binding NOT possible

4.  Even if we decrypt the device and uninstall McAfee Endpoint Encryption PCs, Binding is still not possible.

5.  Even if we clear the TPM chip, Binding is still not possible

 

5 Replies
cross
McAfee Employee
Message 2 of 6

Re: PCR7 - Binding not possible after encrypting/decrypting with McAfee Endpoint Encryption

I'm sorry to reply to your question with questions but a definitive answer isn't coming to mind so I've got some questions to try to help figure this out.

Firstly, I must admit, I'm a bit curious as to the encryption product version you are using. The naming convention suggests that the version in use may be an older one. What version of the product are you using?

Do you know what the system's BIOS mode is from the msinfo32?

Can you tell us the format type on the disks? This should either be MBR or GPT.

Another question that comes to mind is whether secure boot is or is not enabled on these systems. Do you know what the status is there?

McDuff
Level 11
Message 3 of 6

Re: PCR7 - Binding not possible after encrypting/decrypting with McAfee Drive Encryption.

Sorry about that, I accidentally typed the old school names. I've updated the subject line. We're using Drive Encryption 7.2.8 and 7.2.9.

We're using UEFI, secure boot is enabled and GPT.

cross
McAfee Employee
Message 4 of 6

Re: PCR7 - Binding not possible after encrypting/decrypting with McAfee Drive Encryption.

Thank you for the information. I already had MDE 7.3.0 in my repository. Using a test system, I checked the process with that version as well as running through the usage of MDE 7.2.8 on a test system. I had the same results with both versions but not quite the same as your results. It was on the same track until we got to 4. Once MDE was in an inactive state and I rebooted, the PCR7 configuration returned to "binding possible".

With that, I should ask a couple more questions. When you indicated that it was a "fresh PC" is this a base Windows installation or part of a company build that may have other components, products, etc. present?

Is your MDE configuration using TPM?

McDuff
Level 11
Message 5 of 6

Re: PCR7 - Binding not possible after encrypting/decrypting with McAfee Drive Encryption.

@cross interesting!

Our Drive Encryption implementation does not use TPM.

When I say "fresh" I mean we perform a full disk wipe and then re-load our custom image.

cross
McAfee Employee
Message 6 of 6

Re: PCR7 - Binding not possible after encrypting/decrypting with McAfee Drive Encryption.

Thank you for the information. Since the behavior is different between our attempts and I'm not able to replicate the situation, it would probably be best to have a support case opened, get MER data from an example system and try to determine what may be keeping it from reverting when MDE is deactivated.
