I recently implemented a BitLocker solution on a customer site as follows. Note that this customer did not want to deploy Microsoft BitLocker Administration and Monitoring (MBAM) at this time.
- Configured TPM permissions in AD
- Created a BitLocker GPO and linked it to the appropriate OU (TPM + PIN required)
- Encrypted a test device (Windows 7 laptop) and verified the recovery password in AD
I was then presented with a Windows 8 Enterprise Acer W510 tablet to encrypt using the same GPO.
However, BitLocker failed with the following error:

"Group policy settings require the creation of a startup PIN but a pre-boot keyboard is not available on this device. This user may not be able to provide required input to lock the volume"
Note that this is not a BitLocker bug; it is a generic problem when encrypting tablet devices under a policy that requires pre-boot input.

The on-screen keyboard on a tablet is part of the operating system. It does not exist in the pre-boot environment where BitLocker prompts for the TPM PIN, so the user would have no way to enter it. BitLocker makes this decision from the device type, not from what happens to be plugged in, so the check fails even if the tablet is connected to an external keyboard at the time.
There are two possible solutions:

Option 1: BitLocker can be told to accept the PIN protector on slates with a Group Policy setting introduced with Windows 8 / Windows Server 2012. The setting ships in the Windows 8 / Server 2012 administrative templates, so those ADMX files need to be in the central store (or the GPO must be edited from a Windows 8 / Server 2012 machine); the domain controllers themselves do not have to run Server 2012. With this set, the drive is encrypted with TPM + PIN as the policy demands, but the user must attach an external USB keyboard (or a USB numeric keypad, which is smaller) at every cold boot to enter the PIN.

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives
Enable use of BitLocker authentication requiring preboot keyboard input on slates
Option 2: The tablet can be encrypted without requiring a PIN, i.e. with a TPM-only protector. This reduces you to a single authentication factor: the TPM releases the volume key to any boot of the unmodified Windows image, so the remaining defence is the Windows logon (AD credentials) rather than a pre-boot secret, and a device that is lost powered-on or sleeping is exposed to attacks on the running OS. The drive still cannot be removed from the device and read by "caddying" it in another computer, because the key is sealed to this device's TPM. This can often be enough for compliance.
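The two options in practice, as an added PowerShell example (not code from the original post): the script reads the delivered BitLocker policy from the registry, refuses to proceed on a slate when the PIN is required but the slate override (Option 1) is not enabled, escrows a recovery password in AD first, and then enables BitLocker with TPM + PIN or TPM-only accordingly. It assumes the Windows 8 / Server 2012 BitLocker cmdlets, an elevated session, a GPO that already permits AD DS backup of recovery information, and that the volume to protect is C:. The slate detection via Win32_ComputerSystem.PCSystemTypeEx = 8 is a heuristic assumption, not the check BitLocker itself performs.

```powershell
# Added example, not from the original post. Run elevated on the client.
# Policy values are the ones the two GPO settings write under the FVE policy key.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the policy key or value has not been delivered to this machine
    (Get-ItemProperty -Path $FvePolicy -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Heuristic (assumption): PCSystemTypeEx = 8 is "Slate" on Windows 8 and later.
$isSlate = (Get-CimInstance -ClassName Win32_ComputerSystem).PCSystemTypeEx -eq 8

# "Require additional authentication at startup": UseTPMPIN 1 = PIN required, 2 = allowed, 0 = not allowed
$pinRequired = (Get-FvePolicyValue 'UseTPMPIN') -eq 1
# "Enable use of BitLocker authentication requiring preboot keyboard input on slates" (Option 1)
$slatesPermitted = (Get-FvePolicyValue 'OSEnablePrebootInputProtectorsOnSlates') -eq 1

if ($isSlate -and $pinRequired -and -not $slatesPermitted) {
    throw ("Policy requires a startup PIN but this slate has no pre-boot keyboard. " +
           "Enable the slates GPO setting (Option 1) or relax the PIN requirement (Option 2).")
}

# Add a recovery password and escrow it in AD before the key is bound to the TPM,
# so the drive is recoverable if the TPM later refuses to unseal.
$vol  = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rpId = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rpId

if ($pinRequired) {
    # Option 1 (or a normal laptop): TPM + PIN. On a slate the user needs a USB keyboard at cold boot.
    $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
    Enable-BitLocker -MountPoint 'C:' -TpmAndPinProtector -Pin $pin -EncryptionMethod Aes256 -UsedSpaceOnly
} else {
    # Option 2: TPM-only. No pre-boot input, but the disk is sealed to this device's TPM.
    Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod Aes256 -UsedSpaceOnly
}

# Confirm which protectors ended up on the volume (expect RecoveryPassword plus Tpm or TpmPin)
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector
```

The recovery password is added before Enable-BitLocker deliberately: if AD escrow fails (GPO not applied, DC unreachable), the script stops before the volume is encrypted, which is the point at which a lost TPM secret becomes a lost disk. Verify the escrow in AD (the msFVE-RecoveryInformation child object of the computer account) before handing the device to the user, exactly as was done for the test laptop.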