11-28-2016 12:20 PM
(This has happened on a couple of these new machines) Windows 10 Enterprise.
Secure Boot disabled, UEFI (both) Legacy first
Hard drive set as first boot device
PXE boot imaged (SCCM)
I enabled BitLocker and set up the computer, AD environment, connected it to a Dynadock and finished the machine config. Deployed it to the user and noticed shortly afterwards that upon startup it is asking for the recovery key. I suspended/rebooted and enabled BitLocker. Reboot asks again for the key. I messed with BIOS settings galore. Finally decrypted, cleared keys, took ownership and prepared the TPM. It said it was ready to work but in reduced functionality?
Attempted to encrypt, ran the BitLocker system check, rebooted and got: "BitLocker could not be enabled. The encryption key could not be obtained from the Trusted Platform Module."
Any advice would be much appreciated.
11-29-2016 06:15 AM
If you are using TPM 2.0, the system must be configured to boot in UEFI mode.
How to check the TPM version: run tpm.msc and check "Specification Version" under "TPM Manufacturer Information".
How to check UEFI/legacy boot mode: run msinfo32 and check what is listed for "BIOS mode" in the right-hand panel.
Based on your description it sounds like you are using TPM 2.0 in legacy boot mode, which will not work.
You really should be deploying Win10 in UEFI mode with Secure Boot.
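The two manual checks from the answer above (TPM specification version in tpm.msc, "BIOS mode" in msinfo32) can be scripted so a technician can triage such machines before enabling BitLocker. This is an added example, not code from the forum posters; it assumes an elevated Windows PowerShell session on Windows 8.1/10, where the Win32_Tpm WMI class and the Get-Tpm / Confirm-SecureBootUEFI cmdlets are available.

```powershell
# Added example: reproduce the TPM-version and boot-mode checks from the answer
# and flag the one combination that cannot work (TPM 2.0 + legacy BIOS boot).
# Assumption: run elevated; Win32_Tpm and Get-Tpm need administrator rights.

function Get-TpmBootCompatibility {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3"; the
    # first field is the "Specification Version" shown by tpm.msc.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # TpmReady is the same state tpm.msc reports as "ready for use".
    $tpmReady = try { (Get-Tpm).TpmReady } catch { $false }

    # Windows sets firmware_type to 'UEFI' or 'Legacy' (msinfo32 "BIOS mode").
    # Fallback: Confirm-SecureBootUEFI throws on a legacy-BIOS boot.
    $bootMode = $env:firmware_type
    if (-not $bootMode) {
        $bootMode = try { $null = Confirm-SecureBootUEFI; 'UEFI' } catch { 'Legacy' }
    }
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    # The failure mode from the thread: a TPM 2.0 part on a legacy boot path.
    $compatible = -not ($specVersion -eq '2.0' -and $bootMode -eq 'Legacy')

    [pscustomobject]@{
        TpmPresent     = [bool]$tpm
        TpmSpecVersion = $specVersion
        TpmReady       = $tpmReady
        BootMode       = $bootMode
        SecureBoot     = $secureBoot
        Compatible     = $compatible
        Advice         = if ($compatible) { 'TPM and boot mode are consistent.' }
                         else { 'TPM 2.0 on legacy boot: reimage in UEFI mode and enable Secure Boot before enabling BitLocker.' }
    }
}

Get-TpmBootCompatibility | Format-List
```

Run it on the affected machine before re-encrypting; a result of `Compatible : False` means the BitLocker system check will keep failing until the image is redeployed in UEFI mode.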