A new check in Windows 8 and Windows 8.1 prevents enabling BitLocker on tablets that have no keyboard available during boot. It is also not possible to enable BitLocker while they are attached to a dock or keyboard.
If you try to enable BitLocker manually in the operating system or via PowerShell with this command:
Add-BitLockerKeyProtector c: -TpmAndPinProtector
You will get this error message, even when the tablet is connected to a keyboard:
No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume - 0x803100B5.
This means that by default you are not able to enable BitLocker on these devices. One option is to install a Windows Recovery Environment partition; the other option is a new Group Policy setting, which can be used to override this check:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive\Enable use of BitLocker authentication requiring preboot keyboard input on slates
This works if the operating system is already running, but what happens if we try to enable BitLocker in the OS task sequence with ConfigMgr? Then the task sequence will fail with this error:
The task sequence execution engine failed executing the action (Enable BitLocker) in the group (Completion) with the error code 2150695094 Action output: ... framework\tscore\encryptablevolume.cpp,1211) m_pEncryptableVolume->ProtectKeyWithNumericalPassword( sRecoveryPwdId ), HRESULT=803100b6 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,607) CreateRecoveryPassword(), HRESULT=803100b6 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1290) ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=803100b6 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1524) pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=803100b6 (e:\nts_sccm_release\sms\client\osdeployment\bitlocker\main.cpp,382) 'ProtectKeyWithNumericalPassword' failed (2150695094) Failed to create recovery password. Ensure that Active Directory is properly configured for use with BitLocker, no pre-boot keyboard or Windows Recovery Environment detected. The user may not be able to provide required input to unlock the volume. (Error: 803100B6; Source: Windows)
To solve this problem we need to set this Group Policy setting during the task sequence. The corresponding registry value is located under HKLM:\SOFTWARE\Policies\Microsoft\FVE, is named OSEnablePrebootInputProtectorsOnSlates and must be set to 1. The following command sets the registry value and should be called before the Enable BitLocker task sequence step in ConfigMgr:
powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force"
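The same step as a small script, as an added example that is not part of the original post: it creates the FVE policy key only when it is missing (so re-running the step does not disturb other policy values already there), reads the value back so the task sequence fails early if the write did not take effect, and reports what the Enable BitLocker step will find. The function names are my own; Get-Tpm and Get-BitLockerVolume are the built-in cmdlets, and the script assumes it runs in the full OS as SYSTEM, as the Completion group does.

```powershell
# Added example (not from the original post): set the slate policy value
# idempotently, verify it, and report the state the Enable BitLocker step will see.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName  = 'OSEnablePrebootInputProtectorsOnSlates'

function Set-SlatePrebootInputPolicy {
    # Create the policy key only if it does not exist yet, so a re-run of the
    # task sequence step never touches other FVE policy values already present.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value 1 -Type DWord -Force

    # Read the value back: fail here, with a clear message, rather than later
    # with 0x803100B6 in the Enable BitLocker step.
    $current = (Get-ItemProperty -Path $PolicyPath -Name $ValueName).$ValueName
    if ($current -ne 1) {
        throw "Expected $ValueName = 1 under $PolicyPath but found '$current'."
    }
    return $current
}

function Get-PrebootInputState {
    # Summarise what BitLocker will work with: the override, TPM state and the
    # current status/protectors of the OS volume (C: assumed).
    $policy = $null
    if (Test-Path -Path $PolicyPath) {
        $policy = (Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint 'C:'

    [pscustomobject]@{
        PolicyOverrideSet  = ($policy -eq 1)
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        OsVolumeStatus     = $vol.VolumeStatus
        OsVolumeProtectors = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

# Usage inside the task sequence, before the "Enable BitLocker" step.
try {
    Set-SlatePrebootInputPolicy | Out-Null
    Get-PrebootInputState | Format-List
    exit 0
}
catch {
    Write-Error $_
    exit 1
}
```

One caveat worth keeping in mind: the policy only suppresses the pre-boot keyboard check, it does not give the device an input method. If a slate really has no way to type at boot, a TPM+PIN protector means the user lands in recovery on every start, so on such devices use the override with a TPM-only protector unless touch input at pre-boot has been confirmed, and make sure the recovery password is escrowed (the task sequence error above already points at Active Directory for that).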
And now you are able to deploy secure tablets with BitLocker enabled.
Latest posts by Thomas Kurth (see all)