Surface Book in tablet mode and BitLocker startup PIN

  • Question

  • I have purchased a Surface Book, encrypted my HDD with BitLocker and added a startup PIN to BitLocker protectors. Now I am being asked for PIN upon every restart or wakeup from hibernation.

    The problem is, when I detach the screen from the keyboard, it is not possible to enter the PIN when Surface Book starts because there is no physical keyboard and the pen does not work yet at this boot stage. So basically the only way to start the computer is to reattach the keyboard, which is OK when I am at home but quite problematic on the road.

    Is there a way to enter the PIN in the tablet mode? If not, how can I disable the PIN since it's quite useless on the Surface Book?

    Tuesday, January 26, 2016 11:08 AM

Answers

  • Hi Michal Pleban,

    Here is a link for reference of that policy:
    BitLocker Group Policy Settings("Enable use of BitLocker authentication requiring preboot keyboard input on slates")
    https://technet.microsoft.com/en-us/library/jj679890.aspx?f=255&MSPPError=-2147217396

    "The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
    It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
    When the Windows Recovery Environment is not enabled and this policy is not enabled, you cannot turn on BitLocker on a device that uses the Windows touch keyboard.
    If you do not enable this policy setting, the following options in the Require additional authentication at startup policy might not be available:
    •Configure TPM startup PIN: Required and Allowed
    •Configure TPM startup key and PIN: Required and Allowed
    •Configure use of passwords for operating system drives"

    If the Windows Recovery Environment is not enabled, it will not be possible to enable BitLocker. If it is possible to enable BitLocker, the Windows Recovery Environment should already be enabled. We could run "REAgentC /info" to check the Windows Recovery Environment status.

    As the previous link pointed out, onscreen keyboard for the tablet should be supported by the device. Please confirm this with Surface Book OEM support.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, January 29, 2016 3:07 AM
    Moderator

All replies

  • On screen keyboard ? 

    http://windows.microsoft.com/en-au/windows-10/use-the-on-screen-keyboard


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Proposed as answer by arnavsharma Monday, February 1, 2016 9:14 PM
    Tuesday, January 26, 2016 9:53 PM
  • Screenshot : http://blogs.technet.com/b/askpfeplat/archive/2014/07/14/bitlocker-pin-on-surface-pro-3-and-other-tablets.aspx


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, January 26, 2016 9:54 PM
  • This is not the correct answer. The screenshot concerns Surface 3, which has an onscreen keyboard icon in the top right corner. On Surface Book, there is no such icon and it is not possible to use the onscreen keyboard to enter the PIN.
    Wednesday, January 27, 2016 6:38 PM
  • Hi Michal Pleban,

    Have you configured that policy "Enable use of BitLocker authentication requiring preboot keyboard input on slates"?

    "Just remember that this onscreen keyboard is only available on Surface Pro 3 and some third party devices. Not all tablets have this, in case of doubt please check with your OEM"

    Please contact your Surface Book OEM support for help.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, January 28, 2016 2:17 AM
    Moderator
  • Yes I enabled it but it says that "If you enable this policy setting, devices must have an alternative means of pre-boot input". The exact problem is that while the Surface 3 does have such onscreen keyboard upon boot, Surface Book in tablet mode apparently does not and there is no option in the BIOS to enable it.

    Then it gets interesting and it says that "If this policy is not enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password". Maybe this is something I need? How do I enable this Windows Recovery Environment then?

    Thursday, January 28, 2016 2:00 PM
  • Hi Michal Pleban,

    How about the issue, is there anything to update?

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, February 4, 2016 7:06 AM
    Moderator
  • You cannot use TPM+PIN without a physical keyboard!  You can use just the TPM protector. From an elevated command prompt, please do:

    manage-bde -protectors -add c: -TPM (assuming your OS is on C:)

    Or from Control Panel\System and Security\BitLocker Drive Encryption, click at "Change how drive is unlocked at startup" and choose "Let BitLocker automatically unlock my drive" option


    ~~~~~~~~~~~~~~~~~~~~

    • Proposed as answer by Afrezy Friday, February 19, 2016 1:37 AM
    Friday, February 19, 2016 1:37 AM
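The checks the moderator describes (WinRE status via "REAgentC /info", the slate preboot-input policy) and the protector change Afrezy describes (dropping TPM+PIN for a TPM-only protector) can be done in one elevated PowerShell session. The script below is an added example, not code posted in the thread or shipped with Surface Book; it assumes the OS volume is C:, that the BitLocker PowerShell module (Windows 8 and later) is available, and that the registry value OSEnablePrebootInputProtectorsOnSlates under HKLM:\SOFTWARE\Policies\Microsoft\FVE is the value that backs the "Enable use of BitLocker authentication requiring preboot keyboard input on slates" policy (an assumption to verify against your ADMX). It only reports unless run with -SwitchToTpmOnly, and it makes sure a recovery password exists before removing anything, since the TPM+PIN protector is the one that currently unseals the volume.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): inspect BitLocker/WinRE/policy state on the
# OS volume and, on request, replace the TPM+PIN protector with a TPM-only one.
[CmdletBinding()]
param(
    [string]$MountPoint = 'C:',   # assumption: OS volume is C:
    [switch]$SwitchToTpmOnly      # without this switch the script only reports
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume $MountPoint : protection=$($vol.ProtectionStatus), encryption=$($vol.VolumeStatus)"
foreach ($kp in $vol.KeyProtector) {
    "  protector {0,-16} id={1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
}

# 1. WinRE status. The policy text quoted above says WinRE must be enabled on
#    tablets when the slate policy is not enabled, so the recovery password can
#    still be entered. reagentc.exe prints "Windows RE status: Enabled/Disabled".
$reInfo    = & reagentc.exe /info 2>&1
$reEnabled = ($reInfo | Select-String -Pattern 'Windows RE status:\s*Enabled' -Quiet)
"WinRE enabled: $reEnabled"

# 2. Slate preboot-input policy (registry value name is an assumption, see lead-in).
$fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$slate = (Get-ItemProperty -Path $fve -Name OSEnablePrebootInputProtectorsOnSlates `
              -ErrorAction SilentlyContinue).OSEnablePrebootInputProtectorsOnSlates
"Slate preboot-input policy value: $(if ($null -eq $slate) { '(not set)' } else { $slate })"

# 3. Make sure a recovery password exists and show it BEFORE touching protectors.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning 'No recovery password protector found; adding one first.'
    $vol      = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
"Recovery password (store it offline before continuing): $($recovery.RecoveryPassword)"

# 4. Replace TPM+PIN with TPM-only. This removes preboot authentication: the TPM
#    releases the volume key to memory with no user input, so the PIN's protection
#    against cold boot / DMA style attacks (discussed later in the thread) is lost.
#    Only do this if the preboot keyboard problem cannot be solved another way.
$tpmPin = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
if ($tpmPin -and $SwitchToTpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpmPin.KeyProtectorId | Out-Null
    Add-BitLockerKeyProtector    -MountPoint $MountPoint -TpmProtector | Out-Null
    'Replaced the TpmPin protector with a TPM-only protector.'
}
elseif ($tpmPin) {
    'TpmPin protector present; re-run with -SwitchToTpmOnly to replace it.'
}

# Final state
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Run it once without the switch to confirm WinRE is enabled and that a recovery password is printed, escrow that password somewhere other than the device, and only then re-run with -SwitchToTpmOnly. The cmdlets are the PowerShell equivalents of the manage-bde commands in the post above; removing the TPM+PIN protector before adding the TPM protector avoids ending up with two TPM-based protectors competing for the same slot.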
  • BitLocker PIN is very recommended in Windows 7, because it really adds additional protection to it. In Windows 8 and Windows 10, if you are in UEFI, BitLocker PIN is not so required, because UEFI has its own protection in boot sector (..or something like that).

    But the most interesting is, how to log in to domain with a password without keyboard... it seems not being possible either..

    Wednesday, March 2, 2016 6:31 PM
  • @yannara

    The PIN is preboot authentication and protects against cold boot attacks. With secure boot (Win8 and higher), we are protected against that a little more, but still, people can freeze the RAM and take it out and read it, so the PIN is recommended on any OS.

    Thursday, March 3, 2016 7:08 AM
  • @yannara

    The PIN is preboot authentication and protects against cold boot attacks. With secure boot (Win8 and higher), we are protected against that a little more, but still, people can freeze the RAM and take it out and read it, so the PIN is recommended on any OS.


    Thanks for the info! :)
    Thursday, March 3, 2016 7:51 AM