07-25-2017 07:08 AM
It failed again. Without Symantec or Checkpoint, after a Shutdown and start, it is asking for the Recovery key again.
I have no idea how to reproduce this here. We also have other customers deploying X270 and not reporting this problem. I still suspect it is something unique in your deployment, but I really have no idea. Can you reproduce the issue with a clean-installation of Win7 + drivers, and then manually enable BitLocker from Control Panel (not with MBAM)? Basically I need step-by-step instructions to see the problem here, in order to help further.
07-25-2017 08:06 AM
We use WinPE 10 for this. So do we need to use the following registry key?
That registry entry is about a new encryption method in Win10, but it's not supported on Win7. If you were using that encryption method I think BitLocker would not work at all on Win7. So I think your problem is not about this.
07-25-2017 08:07 AM
We're still having the issue on T470s with the recovery key prompt on every start-up. I've had some limited success excluding our customer image by doing the following:
Security Chip = 1.2, Active
Secure Boot = Disabled
UEFI/Legacy Boot = Both, CSM = Yes
In honesty, the problem only presents very rarely - although if you simply open the BIOS (F1), do not change ANYTHING, then exit without saving, that also seems to trigger a bitlocker recovery request. I'm pretty sure this should not happen.
Customer has reported the issue on BIOS v1.07, 1.11 & 1.13 (Personally seen on 1.07).
07-25-2017 08:08 AM
I really think best way to troubleshoot further is to clean-install Win7+drivers manually and then enable BitLocker after that. If this works, then go back to your TS and figure out which step(s) is causing the problem. Disable as many steps from TS as possible until BitLocker starts working without that initial recovery prompt. Then add back the steps to TS 1 at a time. I know this is time-consuming but I really don't have any ideas. I do know that our sample SCCM TS, and then enabling BitLocker post-deployment, is working OK here.
07-25-2017 09:11 AM
Can you try to view the BIOS (F1), but don't make any changes and just exit on your working test machine with bitlocker enabled and encrypted please?
This is working as designed. You changed the way the system booted by going into BIOS setup, so then if you simply exit BIOS setup you will get a recovery prompt. You can get past this by rebooting the system without going into BIOS setup. For example, at the recovery prompt, press ctrl-alt-del and this time, don't go into BIOS setup.
Same thing happens if you press F12 to launch the boot menu, even if you choose to boot to the HDD. The process of booting to the F12 menu changed the way the system booted.
07-25-2017 09:15 AM
07-25-2017 09:33 AM
Ok, so we only see this on the T470, not T460, X250 etc.... is this expected? Is this 'working by design' for the T470? If so then this is a process item we might be able to avoid.....
Just now I checked X250, the behavior is exactly the same:
1. reboot X250
2. press F1 to enter BIOS setup
3. from "restart" menu, do "exit discarding changes"
4. BitLocker recovery screen appears <-- working as designed
5. press ctrl-alt-del
6. this time, DO NOT press F1 to enter BIOS setup
7. the system boots to Win7 normally (no Bitlocker recovery screen)