Deploy Tablets like Surface or Lenovo Helix with Windows 8.1 and BitLocker

A new check in Windows 8 and Windows 8.1 prevents enabling BitLocker on tablets that have no keyboard available during boot. It is also not possible to enable BitLocker while they are attached to a dock or keyboard.

If you try to enable BitLocker in the operating system manually or via PowerShell with this command:

Add-BitLockerKeyProtector c: -TpmAndPinProtector


You will get this error message, even when the tablet is connected to a keyboard:

No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume - 0x803100B5.


This means you are not able to enable BitLocker on these devices by default. One option is to install a Windows Recovery Environment partition; the other is a new Group Policy setting that overrides this check:

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive\Enable use of BitLocker authentication requiring preboot keyboard input on slates

This works if the operating system is already running, but what happens if we try to enable BitLocker in the OS Task Sequence with ConfigMgr? Then the Task Sequence fails with this error:

The task sequence execution engine failed executing the action (Enable BitLocker) in the group (Completion) with the error code 2150695094
Action output: ...
framework\tscore\encryptablevolume.cpp,1211)
m_pEncryptableVolume->ProtectKeyWithNumericalPassword( sRecoveryPwdId ), HRESULT=803100b6
(e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,607)
CreateRecoveryPassword(), HRESULT=803100b6
(e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1290)
ConfigureKeyProtection( keyMode, pwdMode, pszStartupKeyVolume ), HRESULT=803100b6
(e:\nts_sccm_release\sms\client\osdeployment\bitlocker\bitlocker.cpp,1524)
pBitLocker->Enable( argInfo.keyMode, argInfo.passwordMode, argInfo.sStartupKeyVolume, argInfo.bWait ), HRESULT=803100b6
(e:\nts_sccm_release\sms\client\osdeployment\bitlocker\main.cpp,382)
'ProtectKeyWithNumericalPassword' failed (2150695094)

Failed to create recovery password. Ensure that Active Directory is properly configured for use with BitLocker,
no pre-boot keyboard or Windows Recovery Environment detected.
The user may not be able to provide required input to unlock the volume. (Error: 803100B6; Source: Windows)

To solve this problem we need to set this Group Policy setting during the Task Sequence. The corresponding registry value is named OSEnablePrebootInputProtectorsOnSlates, lives under HKLM:\SOFTWARE\Policies\Microsoft\FVE and must be set to 1 (REG_DWORD). The following command sets the value and should be called before the Enable BitLocker Task Sequence step in ConfigMgr:

powershell.exe -command "New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft -Name FVE; Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\FVE -Name OSEnablePrebootInputProtectorsOnSlates -Value 1 -Type DWord -Force"
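The same policy write as a script for a Run PowerShell Script (or Run Command Line) step, added here as an example and not the post's own one-liner: it only creates the FVE key when it is missing, reads the value back so a failed write stops the task sequence instead of surfacing later as 0x803100B6, and logs the OS volume state the Enable BitLocker step will act on. Assumes Windows 8.1 with the BitLocker PowerShell module present.

```powershell
# Added example, not the original post's command. Pre-flight step to run
# before "Enable BitLocker" in a ConfigMgr task sequence on slate devices.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName = 'OSEnablePrebootInputProtectorsOnSlates'
$Expected  = 1

# Create the policy key only if it does not exist yet; New-Item without
# -Force errors on an existing key, which would make a reused step fail.
if (-not (Test-Path -Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

# Write the DWORD. -Force overwrites an existing value of the same name.
Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Expected -Type DWord -Force

# Verify the write: a silent failure here (missing rights, wrong path) would
# otherwise only show up as the 803100B6 error in the Enable BitLocker step.
$Actual = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($Actual -ne $Expected) {
    Write-Error "$ValueName is '$Actual', expected $Expected; aborting before Enable BitLocker"
    exit 1
}

# Log the current state of the OS drive so the smsts.log shows what the
# Enable BitLocker step started from (protection status and key protectors).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
Write-Output ("{0}: ProtectionStatus={1}, KeyProtectors=[{2}]" -f $os.MountPoint, $os.ProtectionStatus, $protectors)
exit 0
```

A non-zero exit code from this step fails the task sequence at the point where the cause is still obvious, rather than at the Enable BitLocker step.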

And now you are able to deploy secure tablets with BitLocker enabled.

Thomas Kurth
Principal Workplace Consultant at baseVISION AG