Bitlocker TPM + PIN on MS Surface Pro 3 using MDT

  • Question

  • We are new to MDT 2012 and are trying to create a task sequence for Surface Pro 3 Tablets. Everything is going OK apart from Bitlocker. We are required to enable TPM + PIN (yes I've read the articles saying PIN isn't necessary on tablets, but security have decided they still want it). To get TPM + PIN working there are a couple of GP settings required - enabling TPM + PIN and enabling pre-boot keyboards on slates.

    To apply these settings we would normally have to join the domain and put the tablet in the correct OU for that Policy, which requires a restart. However, once Policy is applying, the restart now forces the corporate data warning message and so doesn't continue with the sequence. The only solution I can see is to insert the registry settings for these policy settings into the Task Sequence and not do the restart until the end of the sequence. However, this seems very messy and could potentially cause maintenance issues further down the line if anything needs changing.

    Does anyone have any solutions to this?

    Tuesday, April 14, 2015 9:44 AM
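    The registry-based workaround described in the question, as an added example that is not part of the original thread: a script for a Run PowerShell Script task sequence step that writes the BitLocker policy values under the FVE policy key and then verifies them so the step fails visibly if anything is missing. The value names are the ones the Group Policy ADMX writes for these two settings; the assumption that these exact values mirror your GPO (in particular UseTPM=0 / UseTPMPIN=1 meaning "TPM-only not allowed, TPM+PIN required") should be checked against the GPO before relying on it.

```powershell
# Added example, not from the thread. Writes the policy values behind
# "Require additional authentication at startup" (TPM + PIN required) and
# "Enable use of BitLocker authentication requiring preboot keyboard input on slates".
# Assumption: value names/meanings mirror the Group Policy ADMX; verify against your GPO.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

$desired = @{
    UseAdvancedStartup                     = 1   # enable the advanced startup policy
    EnableBDEWithNoTPM                     = 0   # do not allow BitLocker without a TPM
    UseTPM                                 = 0   # TPM-only protector not allowed (assumed)
    UseTPMPIN                              = 1   # TPM + PIN required (assumed)
    UseTPMKey                              = 0   # TPM + startup key not allowed
    UseTPMKeyPIN                           = 0   # TPM + startup key + PIN not allowed
    OSEnablePrebootInputProtectorsOnSlates = 1   # allow the PIN prompt on slates
}

function Set-BitLockerPinPolicy {
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    foreach ($name in $desired.Keys) {
        New-ItemProperty -Path $fve -Name $name -Value $desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-BitLockerPinPolicy {
    # Returns $true only when every value is present with the expected data,
    # so the task sequence step can fail instead of silently encrypting TPM-only.
    $current = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    foreach ($name in $desired.Keys) {
        if ($null -eq $current -or $current.$name -ne $desired[$name]) {
            Write-Warning "Policy value $name is not $($desired[$name])"
            return $false
        }
    }
    return $true
}

Set-BitLockerPinPolicy
if (-not (Test-BitLockerPinPolicy)) { exit 1 }   # non-zero exit stops the task sequence here

# After the Enable BitLocker step has run, the protector list should show "TPM And PIN":
#   manage-bde -protectors -get $env:SystemDrive
```

    Once the device lands in its final OU, Group Policy will rewrite these same values, which is why the thread treats the registry step as a stopgap rather than the source of truth.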


  • What we had to do was create a deployment OU that blocked pretty much all the domain GP. Then at the end of the TS we would move machine to its proper OU.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by Eric G-S Monday, April 20, 2015 7:38 AM
    Tuesday, April 14, 2015 6:49 PM