PIN not created (pre-boot keyboard not found)
Initial situation
When BitLocker is enabled on a tablet with a startup PIN, you may encounter the following problems:
- the PIN prompt does not appear at startup,
- the key protectors are no longer enabled after the restart, and
- the PIN, which must be entered and saved by the user, must be reassigned each time the system is restarted.
A keyboard is required to enter the PIN when the system is rebooted. If no keyboard is recognised on the first reboot after the PIN key protector has been created, the key protector is deleted from the system. This is necessary so that the user is not locked out.
Mobile devices rarely have a keyboard attached, so a pre-boot keyboard is required. The pre-boot keyboard may be disabled and needs to be enabled via the Group Policy setting "Enable use of BitLocker authentication requiring preboot keyboard input on slates".
To configure via Group Policy
1. Open Group Policy Editor and navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
2. Open the setting "Enable use of BitLocker authentication requiring preboot keyboard input on slates".
3. Click the Enabled radio button, then click Apply and OK to save the changes.
4. If the PIN is enabled, it is now possible to enter the PIN using the pre-boot keyboard at startup.
Alternative: Enabling Group Policy via the registry
If you prefer to apply the policy setting directly through the registry, follow these steps:
1. Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE.
2. Create a 32-bit DWORD value with the name "OSEnablePrebootInputProtectorsOnSlates" and the value "1".
3. The adjusted registry value will be taken into account the next time the system is rebooted.
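The registry steps above, combined with a check for the symptom described under "Initial situation" (the PIN key protector missing after a restart), as an added PowerShell example that is not part of the original article. The function names are illustrative, and the script assumes an elevated session on a system where the BitLocker PowerShell module is available.

```powershell
#Requires -RunAsAdministrator
# Added example: function names are illustrative, not from the article.
$FvePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName = 'OSEnablePrebootInputProtectorsOnSlates'

function Get-PrebootInputPolicy {
    # Returns the current DWORD, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $FvePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Enable-PrebootInputPolicy {
    # Create the policy key if it is missing, then write the value as a 32-bit DWORD.
    if (-not (Test-Path -Path $FvePath)) {
        New-Item -Path $FvePath -Force | Out-Null
    }
    New-ItemProperty -Path $FvePath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-StartupPinProtector {
    # True when the OS volume still carries a key protector that includes a PIN.
    $volume   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $pinTypes = 'TpmPin', 'TpmPinStartupKey'
    $found    = $volume.KeyProtector |
        Where-Object { $pinTypes -contains $_.KeyProtectorType.ToString() }
    return [bool]$found
}

if ((Get-PrebootInputPolicy) -ne 1) {
    Enable-PrebootInputPolicy
    Write-Output "$ValueName set to 1; it is taken into account at the next reboot."
} else {
    Write-Output "$ValueName is already set to 1."
}

if (Test-StartupPinProtector) {
    Write-Output 'A startup PIN key protector is present on the OS drive.'
} else {
    Write-Output 'No startup PIN key protector found on the OS drive.'
}
```

Running the check again after the first reboot shows whether the PIN key protector survived or was deleted as described above.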