Issues Backing Up Bitlocker Keys to AD on Surface Pro 4

I recently had to encrypt a Microsoft Surface Pro 4 using Bitlocker, and in our environment that means backing up the key to Active Directory. However, after the Surface was encrypted, running the “manage-bde -protectors -get C:” command showed it only had a TPM PCR Validation Profile, and was missing the Numerical Password ID that would be necessary in order to run adbackup on the protector. This was on Windows 10 Enterprise 1607.

When trying to add a new protector using the -RecoveryKey switch, there was an error saying “No pre-boot keyboard or Windows Recovery Environment detected. The user may not be able to provide required input to unlock the volume.” What’s even more puzzling is that this error occurred on just one of the Surface Pro 4’s, and the second one encrypted without a problem and had a Numerical Password ID as it should. As it turns out, this error message means the computer has no physical keyboard during pre-boot (even if the physical Surface keyboard is attached) even though that doesn’t matter for us since we’re not using a TPM pin to unlock the device.

The way to fix this is to make sure the following registry key exists with a value of 1. If it doesn’t exist, you will need to create it and set it to 1:

HKLM\SOFTWARE\Policies\Microsoft\FVE\OSEnablePrebootInputProtectorsOnSlates

After making the registry change, restart the device just to be safe, and you should now be able to create a Numerical Password ID if TPM is already enabled. To do this, you will need to use the -RecoveryPassword switch as described on the Manage-bde.exe Parameter Reference page on Microsoft Technet. You should now be able to run the usual “manage-bde -protectors -adbackup” command to backup the newly created Numerical Password ID to active directory.

Note: if you simply change the registry key and then enable Bitlocker through the Control Panel, it may automatically create the Numerical Password ID and automatically write it to AD if the computer is joined and if your AD is configured this way. In that case, you wouldn’t need to worry about the manual manage-bde commands.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.