Thursday 14 March 2013

BitLocker issue while encrypting tablet devices


I recently implemented a BitLocker solution on a customer site as follows. Note that this customer did not want to deploy Microsoft BitLocker Administration and Monitoring (MBAM) at this time, so recovery passwords are escrowed directly to Active Directory.

  • Configured TPM permissions in AD
  • Created a BitLocker GPO and linked it to the appropriate OU (TPM + PIN required)
  • Encrypted a test device (Windows 7 laptop) and verified that the recovery password was stored in AD

I was then presented with a Windows 8 Enterprise Acer W510 tablet to encrypt using the same GPO.

However, BitLocker failed with the following error:

“Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device. This user may not be able to provide required input to unlock the volume.”

Note that this is not specific to the Acer W510: it is a generic problem when encrypting any tablet that has no pre-boot keyboard.

The issue occurs because the on-screen keyboard on a tablet only exists once the operating system is running. It is not available in the pre-boot environment, so the user would have no way to enter the TPM PIN. BitLocker checks whether the device is a slate, not whether a keyboard happens to be attached, so the error is raised even if the tablet is connected to an external keyboard at the time.

There are two possible solutions:

Option 1: BitLocker can be forced to accept a PIN on the tablet by using a Group Policy setting that was introduced with Windows 8. The setting ships in the Windows 8 / Windows Server 2012 administrative templates, so the GPO must be edited from a Windows 8 or Windows Server 2012 machine (or the updated ADMX files copied into the central store); the domain controllers themselves do not need to be Windows Server 2012. The user is then required to use an external USB keyboard on every cold boot (a USB numeric keypad is smaller and sufficient if the PIN is digits only).

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Enable use of BitLocker authentication requiring preboot keyboard input on slates


Option 2: The tablet can be encrypted with a TPM-only protector, i.e. without a PIN. This reduces the device to a single authentication factor (the Windows/AD logon), because the TPM releases the volume key automatically when the measured boot state is unchanged, but the drive cannot be removed from the device and read by “caddying” it into another computer. This is often enough for compliance, provided the policy owner accepts that pre-boot protection now rests on the TPM and the OS logon rather than on something the user knows.
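The following PowerShell script is an added example, not part of the original post, that shows the two options side by side on a single device. It writes the registry value that the Option 1 GPO setting controls (so a test device can be tried before the GPO is rolled out), then enables BitLocker with either a TPM+PIN protector (Option 1) or a TPM-only protector (Option 2), escrows a recovery password to AD DS, and reports which protectors were actually applied. It assumes an elevated PowerShell session on the Windows 8 tablet, that C: is the operating system volume, that the machine is domain-joined and the GPO allows recovery-password backup to AD DS, and that the TPM is already provisioned. The `$Mode` parameter is this example's own; it is not part of any BitLocker cmdlet.

```powershell
# Added example (not from the original post). Run elevated on the tablet.
# Assumes C: is the OS volume, the device is domain-joined, and the GPO
# permits backup of recovery passwords to AD DS.
param(
    [ValidateSet('TpmAndPin', 'TpmOnly')]
    [string]$Mode = 'TpmAndPin'   # example parameter: pick Option 1 or Option 2
)

$ErrorActionPreference = 'Stop'

# Refuse to continue if the TPM is not ready; both options depend on it.
if (-not (Get-Tpm).TpmReady) {
    throw 'TPM is not ready. Provision the TPM before enabling BitLocker.'
}

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

if ($Mode -eq 'TpmAndPin') {
    # Option 1. This is the registry value behind the GPO setting
    # "Enable use of BitLocker authentication requiring preboot keyboard
    # input on slates". Without it, Enable-BitLocker rejects a PIN protector
    # on a slate even when a USB keyboard is attached. In production deliver
    # it through the GPO; writing it locally here is only for testing.
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'OSEnablePrebootInputProtectorsOnSlates' `
        -Value 1 -Type DWord
}

# Add the recovery password first so it exists before encryption starts,
# then escrow it to AD DS. Keep the newest recovery protector's ID.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -Last 1
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

if ($Mode -eq 'TpmAndPin') {
    # Use a digits-only PIN so a USB numeric keypad is enough at cold boot.
    $pin = Read-Host -AsSecureString -Prompt 'Startup PIN (digits only)'
    Enable-BitLocker -MountPoint 'C:' -TpmAndPinProtector -Pin $pin -SkipHardwareTest
} else {
    # Option 2: TPM-only. No pre-boot prompt; the TPM releases the key when
    # the measured boot state matches, so the only remaining gate is the
    # Windows logon. The disk is still unreadable in another machine.
    Enable-BitLocker -MountPoint 'C:' -TpmProtector -SkipHardwareTest
}

# Verify what was actually applied. On a slate without the policy value,
# the TpmAndPin path above fails instead of silently falling back to TPM-only,
# so the protector list here is the thing to check.
$status = Get-BitLockerVolume -MountPoint 'C:'
$status | Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage
$status.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

After the script runs, confirm the escrow from a domain-joined admin workstation by opening the computer object in Active Directory Users and Computers and checking the BitLocker Recovery tab (the BitLocker Recovery Password Viewer feature must be installed); the `KeyProtectorId` printed above should match the stored entry.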

