If you are rolling out Windows 10 using SCCM infrastructure you may experience the following problems:

1. Newly build Operating System prompts for BitLocker key without changes to BIOS or hardware.

2. If you PXE boot using Legacy BIOS and then change BIOS settings to UEFI secure boot using vendor’s utility after reboot your system won’t be able to find any booting device.

The root cause of this issue is that starting Kapy Lake build (Intel 7th generation processor) CPU platform no longer support TPM 2.0/MBR boot combination.

The workaround is to change PXE boot to UEFI and set system BIOS to UEFI secure boot. Note that the factory settings are already UEFI secure boot.

This issue was observed on the latest models made by Dell and HP.