Can't enable BitLocker on Toshiba L55 Laptop

  I have a Toshiba L55 Laptop and I just upgraded to Windows 10 Pro (from Windows 7 Pro).
  Before trying to enable BitLocker, I opened Group Policy (GPEDIT.msc)/Computer Configuration/Administrative Templates/Windows components/BitLocker Data Encryption/Operating System Drives/Require additional authentication at startup and selected "Enabled" and made sure that the checkbox for "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" is checked and rebooted several times.
  However I still get an error message. I have done this on many Windows 7 PCs and one Windows 10 desktop PC. But for some reason this laptop does not work. Can you help?
  [Screenshots: Bitlocker Error, GPEDIT1, GPEDIT2]

btan (Exec Consultant) Commented:
According to Win10 spec, BitLocker requires either Trusted Platform Module (TPM) 1.2, TPM 2.0 or a USB flash drive (Windows 10 Pro and Windows 10 Enterprise only). The TPM 2.0 is required one year after Windows 10 RTMs. Also the minimal firmware is UEFI 2.3.1 with Secure Boot enabled. The steps to enable the alternative without a compatible TPM are proper as shared.

When you first enable BitLocker and before you encrypt a drive, the setup wizard allows you to test the availability of USB flash drives during startup. If your BIOS does not support the required functionality, you cannot encrypt the drive. Also check the local policy instead of GPO as well, in case this domain is not joined to domain. The gpupdate /force is supposed to synchronise it.

Separate note, to ensure smooth transition to using BitLocker without a TPM in the BIOS (if available for the Toshiba): A) Disable Fast Boot, B) Enable CSM (Legacy support disabled), C) Disable Secure Boot

sglee (Author) Commented:
A) Disable Fast Boot, - I could not find this option in BIOS. In Boot Mode, two options available: UEFI and CSM. CSM is default mode.
B) Enable CSM (Legacy support disabled),
C) Disable Secure Boot - I do not see this option.

As to GPUpdate /force, yes this computer is a part of domain (and I have this laptop with me out of the domain); therefore it generates an error when I run that command.
If you think that is the cause of the problem, I can simply disjoin it from the domain and later rejoin the domain when I bring it back to the domain environment.
sglee (Author) Commented:
Here are some screenshots from BIOS screen:

btan (Exec Consultant) Commented:
My guess is the policy is not taking effect since the registry is straightforward, unless we do a local domain by disjoining and see if the local policy can take effect instead of GPO (for domain). If local policy is alright then can try to join back domain again...

The other BIOS settings are more dependent on the machine's UEFI support - those highlighted may or may not be available in all machines depending on manufacturer; the newer UEFI BIOS will have them supposedly.

For info, the secure boot info has another means to show, provided the machine supports that:

Determining if the PC is in a manufacturing mode

You can use any of the following methods to determine whether Secure Boot has been disabled or if the PC is in a manufacturing / debugging mode.
Use MSInfo32. Click Start, type msinfo32. If BIOS mode: UEFI is UEFI and Secure Boot State is OFF, then Secure Boot is disabled.

Check the event logs. Go to Start > View Event Logs > Applications and Services Logs > Microsoft > Windows > VerifyHardwareSecurity > Admin, and look for either of these logged events:

Secure Boot is currently disabled. Please enable Secureboot through the system firmware. (The PC is in UEFI mode and Secure Boot is disabled.)

A non-production Secure Boot Policy was detected. Remove Debug/PreRelease policy through the system firmware. (The PC is in a manufacturing/debugging mode.)
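
One way to run the checks discussed above (is the policy actually in effect, and what state are Secure Boot and the TPM in), as an added example that is not part of the original thread. The value names under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the ones the "Require additional authentication at startup" setting writes; the event-log channel name is an assumption derived from the Event Viewer path quoted in the post.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Reports whether the "Require additional authentication at startup" policy is
# in effect on this machine, plus the firmware/TPM state BitLocker depends on.

$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # BitLocker policy values land here

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # $null means the key or value is absent, i.e. the setting is Not Configured.
    $props = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties[$Name]) { $props.$Name } else { $null }
}

$advanced = Get-FvePolicyValue -Name 'UseAdvancedStartup'   # 1 = policy Enabled
$noTpm    = Get-FvePolicyValue -Name 'EnableBDEWithNoTPM'   # 1 = "without a compatible TPM" box checked

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Confirm-SecureBootUEFI throws when the machine booted in legacy BIOS/CSM mode.
try   { $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' } }
catch { $secureBoot = 'Unavailable (legacy/CSM boot or not supported)' }

try   { $tpm = Get-Tpm -ErrorAction Stop
        $tpmState = "Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady)" }
catch { $tpmState = 'Could not query TPM' }

[pscustomobject]@{
    DomainJoined       = $cs.PartOfDomain
    Domain             = $cs.Domain
    UseAdvancedStartup = if ($null -eq $advanced) { 'Not configured' } else { $advanced }
    EnableBDEWithNoTPM = if ($null -eq $noTpm)    { 'Not configured' } else { $noTpm }
    NoTpmPolicyActive  = ($advanced -eq 1 -and $noTpm -eq 1)
    SecureBoot         = $secureBoot
    Tpm                = $tpmState
} | Format-List

# Which GPOs were applied to the computer (shows whether a domain GPO is in play).
gpresult /r /scope computer

# Recent entries from the log named in the post above; the channel name is
# derived from that Event Viewer path and may be absent on some builds.
Get-WinEvent -LogName 'Microsoft-Windows-VerifyHardwareSecurity/Admin' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If `NoTpmPolicyActive` is False on a domain-joined machine even though the setting was enabled in gpedit.msc, compare against the `gpresult` output: a domain GPO that configures the same setting takes precedence over local policy.
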
btan (Exec Consultant) Commented:
At the same time, I presume for already deployed Bitlocker Win7 to upgrade to Win10, you did as below, similar to Win7 to Win 8 as recommended by MS:
Can I upgrade my Windows 7–based computer to Windows 8-based computer with BitLocker enabled?

Yes. To upgrade from Windows 7 to Windows 8 or Windows 8.1 without decrypting the operating system drive, open the BitLocker Drive Encryption Control Panel item in Windows 7, click Manage BitLocker, and then click Suspend. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. Proceed with the upgrade process by using your Windows 8 DVD or Windows 8.1 upgrade. After the upgrade has completed, open Windows Explorer, right-click the drive, and then click Resume Protection. This reapplies the BitLocker authentication methods and deletes the clear key.

Also, for BitLocker to use the system integrity check provided by a TPM, the computer must have a TPM version 1.2. If your computer does not have a TPM, enabling BitLocker will require you to save a startup key on a removable device such as a USB flash drive.

The system BIOS (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
sglee (Author) Commented:
After disjoining this laptop from the domain, I logged in as a local administrator and am able to run BitLocker now.
Thanks for your help and I appreciate it!
btan (Exec Consultant) Commented:
thanks for sharing, glad to have helped.
sglee (Author) Commented:
What I learned is that when the computer is joined to the domain already and you want to enable BitLocker, then you need to disjoin the computer from the domain, enable BitLocker and encrypt the hard drive and join the computer back to the domain.