Enabling pin authentication on surface pro 3, Encrypting during mdt deployment – Microsoft Surface 3 User Manual

Page 158


© 2014 Microsoft

Enabling PIN Authentication on Surface Pro 3

Although the on-screen keyboard is provided in the preboot environment on Surface Pro 3 devices, keyboard input is not always provided in the preboot environment of other touch devices, such as Surface Pro 2. If such a device were configured for PIN authentication, the result would be a tablet that requires a PIN at boot but offers no interface to enter that PIN. To prevent this, Windows Server 2012 and later include a group policy that prohibits tablet devices (formerly known as slate devices) from using PIN authentication. The Enable use of BitLocker authentication requiring preboot keyboard input on slates group policy can be used to enable PIN authentication on Surface Pro 3 devices.

It is recommended that this group policy be applied only to Surface Pro 3 devices or other devices with support for the on-screen keyboard in the preboot environment. If this policy is enabled for devices without preboot keyboard support, they will require a physical keyboard to be connected to move past the PIN authentication prompt.

Encrypting During MDT Deployment

The Microsoft Deployment Toolkit (MDT) can perform encryption during the deployment process. Having the encryption performed during deployment both increases the efficiency of the encryption process and ensures that devices are encrypted from the moment they enter the hands of end users.

Note: It is recommended to store BitLocker recovery keys when performing a deployment with encryption. The recovery keys can be stored in Active Directory with the Choose how BitLocker-protected operating system drives can be recovered group policy. They can also be stored with Microsoft BitLocker Administration and Management (MBAM), a tool provided by the Microsoft Desktop Optimization Pack (MDOP). If a policy for storing the recovery key is not set, MDT will enable BitLocker but the recovery key will not be stored.

The BitLocker encryption steps are automatically enabled in task sequences created through the Standard Client Task Sequence template. These steps will run to enable BitLocker when the option to encrypt the deployed computer is selected in the Windows Deployment Wizard. If the Windows Deployment Wizard is suppressed, the option to encrypt must be configured through rules in the customsettings.ini file. To configure rules to enable encryption only on Surface Pro 3 devices, use the model variable as described in the Customizing Task Sequence Selection by Model section of Chapter 5.

To configure customsettings.ini for encryption of Surface Pro 3 devices, add the following rules to the [Surface Pro 3] section.

BDEInstallSuppress – This rule should be set to NO to ensure that BitLocker Drive Encryption will not be
suppressed.

BDEAllowAlphaNumericPin – This rule can be set to YES to enable letters and numbers in the PIN for BitLocker.
It can be set to NO to allow only numbers in the PIN.

BDEDriveLetter – The default drive letter for the operating system partition during deployment is S:, so set this
rule to S:.

BDEDriveSize – This rule defines the size of the BitLocker system partition in MB. In the provided example this
partition is set to 1000MB, or almost 1GB.

BDEInstall – This rule defines the protectors used to authenticate access to the encrypted data. This rule can be
configured to TPM to enable only the TPM protector, or to TPMPin if the group policy governing the Surface Pro
3 device will be configured to allow use of a PIN.
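As an added example that is not part of the manual, the customsettings.ini fragment below applies these rules only to Surface Pro 3 devices. The [Settings] priority line and the [Default] section are assumptions, following the model-based rule selection referenced from Chapter 5:

```ini
; Added example, not from the manual: enable BitLocker only on Surface Pro 3
; during an MDT deployment. Assumption: rules are selected by the WMI model
; name (Customizing Task Sequence Selection by Model, Chapter 5), so Model
; must be listed before Default; the first matching value wins.
[Settings]
Priority=Model, Default

[Default]
; Any other model: leave BitLocker out of the deployment
BDEInstallSuppress=YES

[Surface Pro 3]
; Do not suppress BitLocker Drive Encryption on this model
BDEInstallSuppress=NO
; Allow letters and numbers in the PIN (NO = digits only)
BDEAllowAlphaNumericPin=YES
; Operating system partition drive letter as seen during deployment
BDEDriveLetter=S:
; Size of the BitLocker system partition in MB (1000 MB, almost 1 GB)
BDEDriveSize=1000
; TPM + PIN protectors; requires the slate PIN group policy described above.
; With the wizard suppressed, the PIN value itself must also be supplied
; (MDT's BDEPin property, which this page does not cover).
BDEInstall=TPMPin
```

Because the [Surface Pro 3] section is evaluated before [Default], the BDEInstallSuppress=NO value wins on that model and encryption is skipped everywhere else.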
