BitLocker Problem with SCCM 2012 and Surface Pro

Posted: July 3, 2013 in Configuration Manager, System Center Configuration Manager 2012
Tags: ,

Yesterday I was working on deploying Windows 8 Enterprise to Surface Pro for a customer and I ran into a problem with BitLocker.

When running the ‘Enable BitLocker’ step in the TS the following error message was returned;

Failed to run the action: Enable BitLocker.
No pre-boot keyboard or Windows Recovery Environment detected. The user may not be able to provide required input to unlock the volume. (Error: 803100B6; Source: Windows)

I enable BitLocker on laptops the exact same way with no problem, so I knew this problem was related to the device being a Surface Pro, so I did a quick search for it and found the following article by Niall Brady and clearly he deployed it without any problems.

So what was really the difference between this Surface Pro and the other laptops I deploy, UEFI.

When looking at the Niall’s article I see that he was using a regular Task Sequence and not a MDT Task Sequence, so I decided to try that just to check, and BitLocker was applied with no problems. So what is the difference between the steps in the regular Task Sequence and the MDT Task Sequence? Since this is working on my regular laptops I decided to start looking at the steps that only run on UEFI machines first, more specific the ‘Format and Partition Disk (UEFI)’ step and compared it to the same step in the regular Task sequence;


As you can see above there is a difference in this step between the MDT TS and the regular TS when it comes to the 300MB Recovery Partition, this partition is set as a primary partition in the MDT TS and as a Recovery partition in the regular TS.

So I edited the step in the MDT TS and changed the Partition type from Primary to Recovery;


Now BitLocker was also applied successfully to the Surface Pro using the MDT Task Sequence and everybody was happy.

Not sure why this Partition is set as a Primary partition in the MDT TS by default, could be a bug? Please feel free to enlighten me in the comment field.

  1. Jacob says:

    wow nice catch

  2. Verno says:

    Thanks for the tip! So does this work with pre-provisioning?

  3. Chris says:

    Thanks for the post, I had made sure the “Format and Partition Disk” had the recovery partition but it still wasn’t working. Then found another post as follows (I assume you need to make sure the recovery partition is set and add the following key to the registry before the “Enable Bitlocker Task”);

    HKLM\SOFTWARE\Policies\Microsoft\FVE\OSEnablePrebootInputProtectorsOnSlates and should have a value of 1

    Hope that helps anyone stuck on this issue.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s