Question
Tuesday, August 7, 2018 2:38 PM
I'm setting up a Surface Pro 5 - m3, Windows 10. I have enabled several options for BitLocker via GPO, one of which is "Require additional authentication at startup", so that the user must enter a PIN before Windows will load.
Using rsop.msc, I can see that the relevant GPO is enabled.
However, when I come to activate/manage BitLocker, there is no option to set a PIN, just to use a USB flash drive or have it unlocked automatically.
This same policy has worked fine on the last 5+ Dell Optiplex and Inspiron desktops that I have set up, but I cannot figure out what the problem is with this tablet?!
Also, Device Manager shows that the TPM is version 2.0 and is working correctly.
All replies (3)
Thursday, August 9, 2018 11:03 AM ✅Answered
I needed to enable "Enable use of BitLocker Authentication requiring preboot keyboard input on slates" in my GPO.
Wednesday, August 8, 2018 6:38 AM
Hi,
Are you suffering from the missing Authenticated Users in the delegation tab of your new GPO? You've removed Authenticated Users from the scope tab (that's fine) but then you have to add the Authenticated users group to your Delegation tab with READ permissions.
Have you checked if any system event log could provide some information?
Run "gpresult /v >output.txt"; this not only shows you what is being applied but also what each setting is, in case another GPO's setting is enabled with a higher precedence than the default.
Regards,
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, August 8, 2018 2:30 PM
Hi Carl,
Thanks for your reply.
Authenticated Users has READ and APPLY GROUP POLICY allowed.
I'm not sure where to look regarding the system event log - could you tell me what events pertain to BitLocker GPOs being active but not implemented?
Please see below for the result of gpresult ...
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.
Created on 08/08/2018 at 15:20:50
RSOP data for on XXX : Logging Mode
OS Configuration: Member Workstation
OS Version: 10.0.17134
Site Name: XXX
Roaming Profile:
Local Profile:
Connected over a slow link?: No
COMPUTER SETTINGS
CN=XXX,OU=XXX,OU=Computers,OU=MyBusiness,DC=XXX,DC=XXX
Last time Group Policy was applied: 07/08/2018 at 14:21:45
Group Policy was applied from: XXX.XXX.XXX
Group Policy slow link threshold: 500 kbps
Domain Name: XXX
Domain Type: Windows 2008 or later
Applied Group Policy Objects
Windows Update - Clients
Time Sync Clients
Default Domain Policy
Bitlocker Policy
The following GPOs were not applied because they were filtered out
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
XXX
Domain Computers
Authentication authority asserted identity
System Mandatory Level
Resultant Set Of Policies for Computer
Software Installations
N/A
Startup Scripts
N/A
Shutdown Scripts
N/A
Account Policies
GPO: Default Domain Policy
Policy: MaximumPasswordAge
Computer Setting: 60
GPO: Default Domain Policy
Policy: MinimumPasswordAge
Computer Setting: 2
GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: N/A
GPO: Default Domain Policy
Policy: PasswordHistorySize
Computer Setting: 12
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: 8
Audit Policy
N/A
User Rights
N/A
Security Options
GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Enabled
GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: LSAAnonymousNameLookup
Computer Setting: Not Enabled
GPO: Default Domain Policy
Policy: @wsecedit.dll,-59058
ValueName: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Computer Setting: 1
Event Log Settings
N/A
Restricted Groups
N/A
System Services
N/A
Registry Settings
N/A
File System Settings
N/A
Public Key Policies
N/A
Administrative Templates
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\OSActiveDirectoryBackup
Value: 1, 0, 0, 0
State: Enabled
GPO: Time Sync Clients
Folder Id: Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\EventLogFlags
Value: 0, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\FDVManageDRA
Value: 1, 0, 0, 0
State: Enabled
GPO: Time Sync Clients
Folder Id: Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\Enabled
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\FDVActiveDirectoryBackup
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\FDVRecoveryKey
Value: 2, 0, 0, 0
State: Enabled
GPO: Windows Update - Clients
Folder Id: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\OSActiveDirectoryInfoToStore
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\OSRecovery
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\OSHideRecoveryPage
Value: 0, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\OSRecoveryKey
Value: 2, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\EncryptionMethod
Value: 3, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\UseTPMKey
Value: 2, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Windows\System\EnableLogonScriptDelay
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\TPM\RequireActiveDirectoryBackup
Value: 1, 0, 0, 0
State: Enabled
GPO: Time Sync Clients
Folder Id: Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\SpecialPollInterval
Value: 16, 14, 0, 0
State: Enabled
GPO: Time Sync Clients
Folder Id: Software\Policies\Microsoft\W32time\Parameters\NtpServer
Value: 49, 0, 57, 0, 50, 0, 46, 0, 49, 0, 54, 0, 56, 0, 46, 0, 49, 0, 54, 0, 46, 0, 50, 0, 49, 0, 49, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\OSManageDRA
Value: 1, 0, 0, 0
State: Enabled
GPO: Time Sync Clients
Folder Id: Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes
Value: 15, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\OSEncryptionType
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\FDVRecovery
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\ActiveDirectoryBackup
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\RequireActiveDirectoryBackup
Value: 1, 0, 0, 0
State: Enabled
GPO: Windows Update - Clients
Folder Id: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
Value: 0, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\FDVActiveDirectoryInfoToStore
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\DisallowStandardUserPINReset
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\UseTPMPIN
Value: 2, 0, 0, 0
State: Enabled
GPO: Windows Update - Clients
Folder Id: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
Value: 4, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\EncryptionMethodNoDiffuser
Value: 3, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\ActiveDirectoryInfoToStore
Value: 1, 0, 0, 0
State: Enabled
GPO: Time Sync Clients
Folder Id: Software\Policies\Microsoft\W32time\Parameters\Type
Value: 78, 0, 84, 0, 80, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\UseAdvancedStartup
Value: 1, 0, 0, 0
State: Enabled
GPO: Default Domain Policy
Folder Id: Software\Policies\Microsoft\Windows\System\AsyncScriptDelay
Value: 0, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\FDVEncryptionType
Value: 2, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\FDVRecoveryPassword
Value: 2, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\OSRecoveryPassword
Value: 2, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\UseTPMKeyPIN
Value: 2, 0, 0, 0
State: Enabled
GPO: Time Sync Clients
Folder Id: Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\CrossSiteSyncFlags
Value: 2, 0, 0, 0
State: Enabled
GPO: Windows Update - Clients
Folder Id: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay
Value: 7, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\EnableBDEWithNoTPM
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\UseTPM
Value: 2, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\OSRequireActiveDirectoryBackup
Value: 1, 0, 0, 0
State: Enabled
GPO: Windows Update - Clients
Folder Id: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AutomaticMaintenanceEnabled
State: disabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\FDVRequireActiveDirectoryBackup
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\FVE\FDVHideRecoveryPage
Value: 0, 0, 0, 0
State: Enabled
GPO: Windows Update - Clients
Folder Id: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallTime
Value: 7, 0, 0, 0
State: Enabled
GPO: Time Sync Clients
Folder Id: Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes
Value: 7, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\Policies\Microsoft\TPM\ActiveDirectoryBackup
Value: 1, 0, 0, 0
State: Enabled
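An added check, not part of this thread, that parses the Administrative Templates section of a gpresult /v dump like the one above, decodes gpresult's byte-list values (4 bytes as a little-endian DWORD, longer runs as UTF-16LE text), and reports whether the PIN-related FVE values and the slate value from the accepted answer are applied. The sample input is constructed; the registry value name for the slate setting (OSEnablePrebootInputProtectorsOnSlates) is assumed from the BitLocker ADMX template and does not appear on the page.

```python
# Constructed excerpt shaped like the gpresult /v listing above (values are decimal bytes).
SAMPLE = """\
GPO: Bitlocker Policy
Folder Id: Software\\Policies\\Microsoft\\FVE\\UseAdvancedStartup
Value: 1, 0, 0, 0
State: Enabled
GPO: Bitlocker Policy
Folder Id: Software\\Policies\\Microsoft\\FVE\\UseTPMPIN
Value: 2, 0, 0, 0
State: Enabled
GPO: Time Sync Clients
Folder Id: Software\\Policies\\Microsoft\\W32time\\Parameters\\Type
Value: 78, 0, 84, 0, 80, 0, 0, 0
State: Enabled
"""
FVE = "Software\\Policies\\Microsoft\\FVE\\"
# Written by "Require additional authentication at startup" (all present in the dump).
PIN_VALUES = ("UseAdvancedStartup", "UseTPMPIN", "UseTPMKeyPIN")
# Written by the slate policy in the accepted answer; this registry name is assumed
# from the BitLocker ADMX template and does not appear on the page.
SLATE_VALUE = "OSEnablePrebootInputProtectorsOnSlates"

def decode_value(raw: str):
    """4 bytes -> little-endian REG_DWORD; longer runs -> UTF-16LE REG_SZ text."""
    data = bytes(int(b) for b in raw.split(","))
    if len(data) == 4:
        return int.from_bytes(data, "little")
    return data.decode("utf-16-le").rstrip("\x00")

def parse_admin_templates(text: str) -> dict:
    """Map GPO name -> {registry path: decoded value}; entries with no Value line are skipped."""
    out = {}
    gpo = path = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("GPO:"):
            gpo = line[4:].strip()
        elif line.startswith("Folder Id:"):
            path = line[10:].strip()
        elif line.startswith("Value:") and gpo and path:
            out.setdefault(gpo, {})[path] = decode_value(line[6:])
    return out

def check_preboot_pin(parsed: dict) -> dict:
    """True per PIN-related FVE value applied; the slate value must be 1 or a tablet shows no PIN option."""
    fve = {p[len(FVE):]: v for g in parsed.values() for p, v in g.items() if p.startswith(FVE)}
    report = {name: name in fve for name in PIN_VALUES}
    report[SLATE_VALUE] = fve.get(SLATE_VALUE) == 1
    return report
```

Run it over the full dump above and the report shows UseAdvancedStartup, UseTPMPIN and UseTPMKeyPIN applied but the slate value missing, which matches the symptom in the question.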