So you got your fancy Microsoft Surface Pro. Great. Now you want to do full-disk encryption with pre-boot authentication in case your device gets stolen. BitLocker can do this, but out-of-the-box this capability is turned off in BitLocker. Further, since the Surface can be used without the keyboard attached, you have to enable an additional option to force the PIN option as there is a failsafe to keep you from accidentally locking yourself out.
NOTE: To enter a PIN, the keyboard needs to be attached to the Surface before powering it on. Attaching it at the PIN entry screen does not work. Once you’ve entered the PIN, you can detach the keyboard if desired. A USB keyboard will also work, again, it needs to be attached before powering it on.
CAUTION: BitLocker with preboot authentication is mostly worthless if your device is just asleep. If your device is liable to be in danger–such as being unattended–be sure to hibernate or power off the machine. If security is of the upmost importance, use the power options to set the machine to not use sleep, but only to hibernate.
Here are the instructions for the Surface Pro, click the thumbnails to see the screenshots. If adapting these instructions for other devices, the TPM chip likely needs to be configured first. This is not applicable to the Surface, as it is already on and running.
(If you’re managing multiple Surfaces via Group Policy on Active Directory, go to the Group Policy Management MMC snap-in on your management workstation, create a GPO that will be applied to the Surfaces, open it to edit it, and then skip to step 4. Repeat steps 9 and 10 on each managed Surface you wish to configure. Scripting of BitLocker deployments is possible, but beyond the scope of this post.)
1. Go to the desktop on the surface
2. Hit the windows-key and R to open a command prompt.
3. Type in “gpedit.msc” to open the Local Group Policy Editor. Acknowledge or enter your credentials when UAC pops up. 4. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
5. Double-click on the “Require additional authentication at startup” setting and set it to enabled. Set all options as desired (leaving the default selection that allows for everything works fine).
6. Double-click on the “Enable use of BitLocker authentication requiring preboot keyboard input on slates” setting and set it to enabled. Failing to set this setting will hide options that allow for PINs. If “Require additional authentication at startup” was configured to require PINs and this setting is set to Not Configure or Disabled, BitLocker will error with a message that the settings on the system are in conflict.
7. If you desire to use typical passwords (called enhanced PINs in BitLocker) instead of numerical PINs, double-click on the “Allow enhanced PINs for statup” setting and set it to enabled.
8. Consider setting the “Configure the minimum PIN length for startup” or the “Configure use of passwords for operating system drives” options if managing multiple Surfaces or you need to force these settings for whatever reason. Otherwise be sure to pick a secure password or PIN on your own.
9. Go to the Control Panel. If in the category view, click on “System and Security” and then the “Manage BitLocker” option. If in the large or small icons view, double-click on the Bitlocker Drive Encryption icon.
10. Hit “Turn on BitLocker.” At this point the onscreen prompts will adequately guide you and the built-in help is actually useful. Follow the onscreen prompts. When you get to the BitLocker startup preferences, be sure to choose the PIN option.