Why is my Surface Pro 3 not BitLockered after OSD via System Center 2012 R2 Configuration Manager?

Introduction

The Surface Pro 3 is awesome, and you can deploy it easily using System Center 2012 R2 Configuration Manager, but sometimes things don’t go as planned. If you notice that the hard drive is not BitLockered even though you Enabled BitLocker in the task sequence, then you most likely have the issue described below.

Problem

BitLocker doesn’t encrypt the drive. This is immediately obvious when you browse the C: drive.

It becomes more obvious when you review the SMSTS.log file, where the errors for the Enable BitLocker step are shown in red.

You’ll see errors like the ones below:

Failed to run the action: Enable BitLocker.
No pre-boot keyboard or Windows Recovery Environment detected. The user may not be able to provide required input to unlock the volume. (Error: 803100B6; Source: Windows)

Solution

The Surface Pro 3 is a tablet/hybrid device which may or may not have a keyboard attached. As a result, BitLocker treats it differently from a standard laptop or desktop, because a keyboard might be needed for TPM/PIN authentication and may not be present.

To resolve the above, simply add a registry value. You can do it the old-fashioned way by adding a Run Command Line step in the task sequence BEFORE the Enable BitLocker step to set the registry value.

The value is named OSEnablePrebootInputProtectorsOnSlates, it is located under the key HKLM\SOFTWARE\Policies\Microsoft\FVE, and it should be set to 1.

Or you can do like the PowerShell dudes do and do it in PowerShell, using the following line

powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force"

like so

The result?

Once the above is in place, your deployment will Enable BitLocker properly and your C: drive will look the way you’d expect.

Related Reading
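A more defensive form of the registry step above, as an added example that is not part of the original post: it creates the FVE policy key only when it is missing, sets the value, reads it back, and returns a non-zero exit code so the task sequence step fails visibly if the policy was not written. The script file name Set-SlatePrebootPolicy.ps1 is an assumption.

```powershell
# Added example, not from the original post.
# Assumed file name: Set-SlatePrebootPolicy.ps1
# Run it from a task sequence step placed BEFORE Enable BitLocker.
$ErrorActionPreference = 'Stop'

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$valueName = 'OSEnablePrebootInputProtectorsOnSlates'

try {
    # Create the FVE policy key only when it is missing, so any BitLocker
    # policy values already stored under it are left untouched.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # -Force on New-ItemProperty creates the DWORD or overwrites an existing one.
    New-ItemProperty -Path $keyPath -Name $valueName -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # Read the value back instead of assuming the write succeeded.
    $actual = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    if ($actual -ne 1) {
        throw "$valueName is '$actual', expected 1"
    }

    Write-Output "$valueName = $actual under $keyPath"
    exit 0
}
catch {
    # A non-zero exit code marks the step as failed in SMSTS.log.
    Write-Output "Failed to set ${valueName}: $($_.Exception.Message)"
    exit 1
}
```

Unlike the one-liner, this does not raise an error when the FVE key already exists, for example on a machine that has already received BitLocker policy.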

The following links should help you with Deploying Windows 8.1 X64 on the Surface Pro 3

until next time, cheers !

niall.
