9 Brand new Lenovo t580's. Right out of the box BitLocker fails to get involved and will have none of this "enabled and working" nonsense.

I mean, that would be too easy right? 

No. Instead when I go through the wizard and restart to "apply changes" (but none are applied) I get this nifty little error pop-up that tells me "Bitlocker could not be enabled. The data drive (C) is not set to automatically unlock (great, I don't want it to do that) on the computer and cannot be unlocked automatically (like..it requires a PIN or something).

So so frustrating, Windows 10 Enterprise. 1709.

Nothing I've hunted down on the interweb has provided a solution so here I am.

Has anybody run this one down yet?  I've read about a fix that involves advanced peripheral settings - usb devices set to "none" rather than "all" but for the love of all things holy, I have not been able to gain entrance or even find the door to "advanced peripheral settings" on this machine. Anybody who can guide me to this holy grail of advanced peripheral settings would be revered for life.

Thanks,

T

I was confused by your post.  You said "right out of the box", but then said "Windows 10 Enterprise 1709".  But there is no Lenovo factory preload that uses Windows 10 Enterprise.  So, somebody took these T580s "out of the box", wiped out the factory preload, and then installed some other image on them.  Do you know who did that?  Are you able to ask them about why BitLocker doesn't work in their image?  We have many customers successfully using BitLocker on every ThinkPad model, including T580, and I haven't heard a report like this before.

As for the error message you mentioned, it seems that C: is not the boot drive.  Can you post a screenshot of diskmgmt.msc so that I can see your drive and partition layout?

So change the product key - activation and viola, it's Win 10 Enterprise. I have not run any updates. Just the quick intital set up for Win 10 (region, who is going to use computer, really memorable password etc..) that's it. After giving the machine a name and moving to the right container in AD I try to set up Bitlocker. No image has been removed, nothing overwitten. Just the basic initial set-up of Win 10 and moving right over to Bitlocker - like step 8 so early on in the process of setting up the machine. I've had an issue with 4 of the machines that I've unpacked. All T580's and all giving me grief in the exact same way. TPM 2,0 is good, ititialized and ready. Have to enter the AD recovery key now to break into it and suspend BL. So to be clear, the factory preload is NOT wiped. It's set up, Manage Bitlocker, enter password, reboot and when the start-up screen asks me to enter the BL password (the one I created not 3 minutes earlier) it is not recognized. I will get you that screen capture and thanks so much for jumping in here on this with me. Appreciated.

T

It's the same as my T580 here where BitLocker is working.  Your boot drive is C:, so I don't understand why BitLocker would be referring to it as a data drive.  What BIOS version is installed on this T580?  Can you try updating to latest?  I'm still wondering about where these systems came from.  We started shipping 1803 preloads in June 2018.

Its an SSD drive if that helps.

BIOS Version/Date LENOVO N27ET32W (1.18 ), 2018-11-08

---

 wrote:

BIOS Version/Date LENOVO N27ET32W (1.18 ), 2018-11-08

---

That's the same that I'm using here.  My only guess is something is wrong/conflicting on AD.  Does BitLocker work if you don't join the PC to your domain?

As part, or indeed the last part of setting up BitLocker is a screen with a check-box that says something like "Run BitLocker system check".

It's the last screen before BL tells you okay we gotta restart for the changes to take affect.

If I leave that box checked: - reboot, bitlocker asks for the password but the password is not recognized = escape key and windows boots.

If I uncheck that box - BitLocker encrypts the drive  but at reboot it wants the recovery digits stored in AD to proceed at every boot so I have to go in there and turn BL off.

Now I'll need to reconfigure the machine to take it off the domain to test your theory.

BTW is there an advanced periperal confguration option anywhere within the BIOS?
The article below speaks to an incorrect BIOS configuration - and a few other articles and support tickets have detailed this

possibility as well. I'd try it but I have been unable to find the mechanism with the OS /  BIOS to do that.

https://social.technet.microsoft.com/Forums/en-US/c88abf51-843e-4567-bb15-1ae8526455d9/bitlocker-failure-to-encrypt-operating-system-drive?forum=win10itprosecurity