Windows not updating - Compatible TPM cannot be found

Robbert 20 Reputation points

I am trying to update my Windows, as I noticed it's been hanging on an old version for a long time now (it's still on version 22H2).

On forums I read that for certain updates TPM, Secure Boot and BitLocker are required, so I decided to try to get all of these enabled.

On the product page for my motherboard I found that fTPM is supported for my CPU:
Motherboard - ASRock A520M Phantom Gaming 4
CPU - AMD Ryzen 7 3700X

I have been able to enable fTPM and Secure Boot through the UEFI settings, but it is not showing up in "tpm.msc"; it reads "Compatible TPM cannot be found".

As a result, BitLocker won't enable as it cannot register a TPM.

My system information is showing the PCR7 Configuration as "Binding not possible", giving the following message: "Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected, TPM is not usable".

The drive holding my Windows installation has partition style "GUID partition table (GPT)", as I saw this can also be relevant.

I've read through so many forums but to no avail... please help.

  1. Neil D 33,505 Reputation points Volunteer Moderator

    BitLocker is not a requirement, but encryption may be enabled if the BIOS settings are correct.



Answer accepted by question author

DaveM121 896.5K Reputation points Independent Advisor

Boot your PC into BIOS.

On the Security settings tab, there should be an option to reset TPM keys to factory keys, apply that.

Then boot back into Windows and check if TPM is recognised.

If not, go to the support page for your motherboard on the manufacturer's website to check for any BIOS update that may be available and not yet installed.

  1. Robbert 20 Reputation points

    I hadn't thought of updating the BIOS yet, but this seems to have solved the TPM not being recognized! Thank you so much for your quick response and help :)



1 additional answer

  1. AI answer

    The update issue is not caused by PCR7 binding or BitLocker. Windows can update normally even when:

    • PCR7 Configuration shows Binding not possible in msinfo32.
    • Device encryption/BitLocker are not available.
    • TPM is not usable or not present.

    Windows is secure and fully functional whether BitLocker uses PCR 7,11 or falls back to PCR 0,2,4,11, and PCR7 binding is not a requirement for Windows Update.

    From the provided information:

    • PCR7 “Binding not possible” can occur when early boot components are signed with a certificate other than Microsoft Windows PCA 2011 (for example, UEFI CA 2011). In that case, BitLocker cannot bind to PCR7 and instead uses PCR 0,2,4,11. This is expected behavior and does not block updates.
    • Device Encryption Support showing reasons like “TPM is not usable” or “PCR7 binding is not supported” only explains why automatic device encryption is unavailable, not why Windows Update is stuck.

    Given that TPM is not detected in tpm.msc and BitLocker cannot enable, the system simply does not meet the hardware/security prerequisites for automatic device encryption and for BitLocker-with-TPM. That is independent of the ability to install feature updates.

    To summarize the security/BitLocker side based on the context:

    1. PCR7 Binding
      • BitLocker prefers PCR 7,11 when Secure Boot and TPM 2.0 are correctly configured and the boot chain is signed with Microsoft Windows PCA 2011.
      • If any boot binary is signed only with UEFI CA 2011, BitLocker will use PCR 0,2,4,11 instead of PCR 7,11.
      • Windows remains secure in both configurations and this does not prevent OS upgrades.
    2. Device Encryption Support messages
      • “TPM is not usable” indicates TPM is missing or not enabled/usable in firmware.
      • “PCR7 binding is not supported” typically indicates Secure Boot is disabled or certain peripherals are present at boot, but again this only affects automatic device encryption availability.

    If the goal is specifically to enable BitLocker with PCR 7,11 on supported hardware, the documented checks are:

    • Ensure Secure Boot is enabled in UEFI.
    • Ensure TPM 2.0 is enabled and visible to Windows (so that tpm.msc shows “The TPM is ready for use”).
    • Verify BitLocker's PCR profile with:

          manage-bde -protectors -get C:

      and confirm it shows PCR Validation Profile: 7, 11 when everything is correctly bound to Secure Boot.

    If BitLocker cannot use PCR 7, the BitLocker-API Management event log under Application and Services Logs > Microsoft > Windows > BitLocker-API > Management will contain events explaining why (for example, Secure Boot disabled, missing UEFI variables, or invalid TCG log entries).

    However, none of these conditions are documented as blocking Windows feature updates. The update problem must have a different cause that is not covered in the provided context.


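As an added example (not part of the answer above or any Microsoft documentation), a PowerShell script that collects the signals the answer lists in one run: TPM state as Windows sees it, Secure Boot state, system-disk partition style, the PCR validation profile parsed from manage-bde, and the latest BitLocker-API Management events. It assumes an elevated prompt and that Windows lives on C:.

```powershell
# Added example, not the answer's own code. Assumes an elevated session and that
# the OS volume is C:; adjust $volume if not.
#Requires -RunAsAdministrator
$volume = 'C:'

# 1. TPM state as Windows sees it (the same information tpm.msc summarises).
$tpm = Get-Tpm
Write-Host ("TPM present: {0}  ready: {1}  enabled: {2}" -f
    $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmEnabled)

# 2. Secure Boot state from UEFI; the cmdlet throws on legacy/CSM boot,
#    which we report as "not enabled".
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
Write-Host "Secure Boot enabled: $secureBoot"

# 3. Partition style of the system disk (GPT is needed for UEFI + Secure Boot).
$sysDisk = Get-Partition -DriveLetter $volume.TrimEnd(':') | Get-Disk
Write-Host ("System disk partition style: {0}" -f $sysDisk.PartitionStyle)

# 4. BitLocker PCR validation profile, parsed from manage-bde output.
#    manage-bde prints the PCR list on the line after the "PCR Validation Profile:"
#    label, so the regex is allowed to span that line break.
$mbde = manage-bde -protectors -get $volume 2>&1 | Out-String
if ($mbde -match 'PCR Validation Profile:\s*([\d,\s]+)') {
    $pcrs = ($Matches[1] -split '[,\s]+' | Where-Object { $_ }) -join ','
    Write-Host "PCR validation profile: $pcrs"
    if ($pcrs -eq '7,11') {
        Write-Host 'TPM protector is bound to Secure Boot (PCR 7,11).'
    } else {
        Write-Host 'TPM protector is not using PCR 7; check the BitLocker-API log below.'
    }
} else {
    Write-Host "No TPM protector found on $volume (BitLocker off or TPM not usable)."
}

# 5. Recent BitLocker-API Management events, which explain a failed PCR 7 binding
#    (Secure Boot disabled, missing UEFI variables, invalid TCG log entries, ...).
$logName = 'Microsoft-Windows-BitLocker/BitLocker Management'
Get-WinEvent -LogName $logName -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

On the asker's machine before the BIOS update, step 1 would report TPM present: False and step 4 would find no TPM protector, matching the "Compatible TPM cannot be found" message in tpm.msc.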