1

First I installed Windows, turned on Secure Boot, and checked in System Information that the PCR7 Configuration was OK and that Device Encryption Support was ready to be enabled. Then I installed Ubuntu as dual boot (following https://www.mikekasberg.com/blog/2024/05/20/dual-boot-ubuntu-24-04-and-windows-with-encryption.html).

However, now that I am back in Windows it says "Binding Not Possible" and "PCR7 binding is not supported, Un-Allowed DMA capable bus/device(s) detected, WinRE is not configured." (I got the same before installing Ubuntu, but I resolved it by enabling Secure Boot. I checked and Secure Boot State is still On, so this time that is not responsible.)

How can I resolve this so that I can also encrypt my Windows partition?

Kvothe

1 Answer

1

The error message

"PCR7 binding is not supported, Un-Allowed DMA capable bus/device(s) detected, WinRE is not configured."

is not very useful, as it doesn't really point at the real culprit, which is the fact that I booted into Windows from GRUB rather than straight from UEFI -> Windows Boot Manager. Apparently Device Encryption does not allow this; see this answer to a related question. With the more advanced BitLocker available in Pro and Enterprise there are more advanced configurations possible, but with Windows 11 Home it seems we are forced to boot from UEFI. So in practice this will mean a mild annoyance, as in order to boot to Windows we need to boot through the One-Time-Boot Menu (e.g. often opened by typing F12 at the right moment at the start of booting). Indeed, once I did this, PCR7 Binding was supported as well as Device Encryption.

Kvothe
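
An alternative to catching the one-time boot menu by hand, as an added example that is not part of the original answer: from Ubuntu, set the firmware's one-shot `BootNext` variable to the Windows Boot Manager entry, so the next reboot goes UEFI -> Windows Boot Manager without passing through GRUB. The function names and the sample `efibootmgr` listing are constructed for illustration; the script assumes `efibootmgr` is installed and that the firmware entry is labelled "Windows Boot Manager".

```shell
#!/bin/sh
# Added example: reboot from Ubuntu straight into the firmware's
# "Windows Boot Manager" entry, bypassing GRUB for one boot only.

# Reads `efibootmgr` output on stdin and prints the 4-hex-digit number of the
# first ACTIVE entry (marked with '*') labelled "Windows Boot Manager".
# Inactive entries (no '*') are ignored. Prints nothing if none is found.
find_windows_entry() {
    sed -n 's/^Boot\([0-9A-Fa-f]\{4\}\)\* Windows Boot Manager.*/\1/p' | head -n 1
}

# Constructed sample of `efibootmgr` output, for offline testing only.
SAMPLE='BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0000,0002
Boot0000* Windows Boot Manager
Boot0001* ubuntu
Boot0002  USB HDD'

# Sets BootNext and reboots. BootNext applies to the next boot only;
# BootOrder is left untouched, so GRUB remains the default afterwards.
boot_windows_once() {
    entry=$(efibootmgr | find_windows_entry)
    if [ -z "$entry" ]; then
        echo "No active 'Windows Boot Manager' entry found" >&2
        return 1
    fi
    efibootmgr --bootnext "$entry" >/dev/null || return 1
    echo "BootNext set to Boot$entry; rebooting"
    systemctl reboot
}

# Nothing is changed unless the script is run as root with --apply.
if [ "${1:-}" = "--apply" ]; then
    boot_windows_once
fi
```

Because only `BootNext` is written, the Ubuntu boot path and the default boot order stay as they were; after Windows starts this way, the PCR7 Configuration line in System Information can be rechecked.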