I recently had to encrypt a Microsoft Surface Pro 4 using BitLocker, and in our environment that means backing up the recovery key to Active Directory. However, after the Surface was encrypted, running the “manage-bde -protectors -get C:” command showed it only had a TPM PCR Validation Profile and was missing the Numerical Password ID that would be necessary in order to run adbackup on the protector. This was on Windows 10 Enterprise 1607.
When trying to add a new protector using the -RecoveryKey switch, there was an error saying “No pre-boot keyboard or Windows Recovery Environment detected. The user may not be able to provide required input to unlock the volume.” What’s even more puzzling is that this error occurred on just one of the Surface Pro 4s; the second one encrypted without a problem and had a Numerical Password ID as it should. As it turns out, this error message means Windows decided the computer has no physical keyboard available during pre-boot (even if the physical Surface keyboard is attached), which shouldn’t matter for us since we’re not using a TPM PIN to unlock the device.
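The check-add-escrow sequence described above, written as an added PowerShell example (not from the original post) using the BitLocker module cmdlets rather than manage-bde; it assumes an elevated session on a domain-joined machine whose AD DS schema already supports BitLocker recovery information, and it surfaces the pre-boot keyboard error at the point where the protector is added:

```powershell
# Added example (not from the original post): verify that the OS volume has a
# numerical (recovery) password protector, create one if missing, and escrow it
# in AD DS. Assumes: elevation, the BitLocker PowerShell module, a domain-joined
# machine, and AD DS prepared to store BitLocker recovery information.
param([string]$MountPoint = 'C:')

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not BitLocker-protected; nothing to back up."
}

# Show what protectors exist today (equivalent of: manage-bde -protectors -get C:).
# A healthy volume lists both a Tpm and a RecoveryPassword protector.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize | Out-Host

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Host "No numerical password protector found on $MountPoint; adding one."
    try {
        # Equivalent of: manage-bde -protectors -add C: -RecoveryPassword
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    } catch {
        # On a slate that Windows believes has no pre-boot keyboard, this is where the
        # "No pre-boot keyboard or Windows Recovery Environment detected" error appears.
        throw "Failed to add a recovery password protector to ${MountPoint}: $($_.Exception.Message)"
    }
    # Re-read the volume so we pick up the newly created protector and its ID.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Escrow every recovery password protector in AD DS
# (equivalent of: manage-bde -protectors -adbackup C: -id {protector GUID}).
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
    Write-Host "Backed up protector $($kp.KeyProtectorId) to AD DS."
}
```

After it runs, confirm the escrow by viewing the computer object's BitLocker Recovery tab in Active Directory Users and Computers (with the BitLocker Recovery Password Viewer feature installed).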
The way to fix this is to make sure the following registry value exists and is set to 1. If it doesn’t exist, you will need to create it and set it to 1: