Deploy Tablets like Surface or Lenovo Helix with Windows 8.1 and BitLocker

A new behaviour in Windows 8 and Windows 8.1 prevents enabling BitLocker on tablets that have no keyboard available during boot. It is also not possible to enable BitLocker while such a tablet is attached to a dock or keyboard.

If you try to enable BitLocker manually in the operating system, or from PowerShell with this command (the TPM+PIN protector requires the PIN as a SecureString):

$pin = Read-Host -AsSecureString -Prompt "Enter the BitLocker PIN"
Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin $pin

You will get this error message, even when the tablet is connected to a keyboard:

No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume - 0x803100B5.

This means that by default you cannot enable BitLocker on these devices. One option is to install a Windows Recovery Environment partition; the other is a new Group Policy setting that overrides this check:

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive\Enable use of BitLocker authentication requiring preboot keyboard input on slates

This works if the operating system is already running, but what happens if we try to enable BitLocker in the OS Task Sequence with ConfigMgr? Then the Task Sequence fails with this error:

The task sequence execution engine failed executing the action (Enable BitLocker) in the group (Completion) with the error code 2150695094
Action output: ...
framework\tscore\encryptablevolume.cpp,1211)
m_pEncryptableVolume->ProtectKeyWithNumericalPassword( sRecoveryPwdId ), HRESULT=803100b6
(e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,607)
CreateRecoveryPassword(), HRESULT=803100b6
(e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1290)
ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=803100b6
(e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1524)
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=803100b6
(e:\nts_sccm_release\sms\client\osdeployment\bitlocker\main.cpp,382)
'ProtectKeyWithNumericalPassword' failed (2150695094)

Failed to create recovery password. Ensure that Active Directory is properly configured for use with BitLocker,
no pre-boot keyboard or Windows Recovery Environment detected.
The user may not be able to provide required input to unlock the volume. (Error: 803100B6; Source: Windows)

To solve this problem we need to apply this Group Policy setting during the Task Sequence. The corresponding registry value lives under HKLM:\SOFTWARE\Policies\Microsoft\FVE, is named OSEnablePrebootInputProtectorsOnSlates, and must be set to 1. The following command sets the registry value and should be run in a step placed before the Enable BitLocker Task Sequence step in ConfigMgr (-Force on New-Item keeps the step from failing if the FVE key already exists):

powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE -Force; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force"
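As an added example (not from the original post), the same pre-step written as a script for a Run PowerShell Script task: it sets the policy value idempotently, reads it back, and exits non-zero if it is not in place, so the sequence stops here instead of at Enable BitLocker with 0x803100B6. The function names and the optional Get-Tpm readiness check are my additions.

```powershell
# Added example: prepare the slate policy value before the Enable BitLocker step.
# Backs the GPO "Enable use of BitLocker authentication requiring preboot keyboard
# input on slates" (HKLM:\SOFTWARE\Policies\Microsoft\FVE, DWORD = 1).
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$valueName  = 'OSEnablePrebootInputProtectorsOnSlates'

function Set-SlatePrebootInputPolicy {
    param([string]$Path = $policyPath, [string]$Name = $valueName)

    # New-Item without -Force throws if the key already exists; create only when missing.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Path -Name $Name -Value 1 -Type DWord -Force

    # Read the value back instead of trusting that the write succeeded.
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    return ($current -eq 1)
}

# Sanity check (hypothetical helper): a TPM+PIN protector needs a present, ready TPM.
function Test-TpmReady {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    return ($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
}

if (-not (Set-SlatePrebootInputPolicy)) {
    Write-Error "Policy value $valueName was not applied under $policyPath"
    exit 1   # non-zero exit makes the ConfigMgr step fail early
}
if (-not (Test-TpmReady)) {
    Write-Warning 'TPM not present or not ready; Enable BitLocker will still fail.'
}
Write-Output 'Pre-boot input on slates enabled; continue with the Enable BitLocker step.'
exit 0
```

Run it in the full OS (after the Setup Windows and ConfigMgr step) so the value lands in the deployed image's registry rather than in WinPE.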

And now you are able to deploy secure tablets with BitLocker enabled.
