From 723c8cbac1c9a9f30fbd67161c1aa927b712e2b0 Mon Sep 17 00:00:00 2001 From: iadgovuser1 Date: Tue, 23 Jul 2019 08:50:38 -0400 Subject: [PATCH] markdownlint fixes and add changes for 1903 guidance --- BitLockerPolicies.csv | 3 +++ CONTRIBUTING.md | 4 +++- DISCLAIMER.md | 6 +++++- LICENSE.md | 2 ++ README.md | 49 ++++++++++++++++++++++++++----------------- 5 files changed, 43 insertions(+), 21 deletions(-) diff --git a/BitLockerPolicies.csv b/BitLockerPolicies.csv index 10a0b42..05c2b68 100644 --- a/BitLockerPolicies.csv +++ b/BitLockerPolicies.csv 
@@ -5,6 +5,9 @@ Computer Configuration > System > Device Installation > Device Installation Rest Computer Configuration > System > Device Installation > Device Installation Restrictions,Prevent installation of devices using drivers that match these device setup classes > Prevent installation of devices using drivers that match these device setup classes:,Enabled, ,HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,1,Windows Vista+,Windows Server 2008+,Yes Computer Configuration > System > Power Management > Sleep Settings,Allow standby states (S1-S3) when sleeping (on battery),Disabled, ,HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,0,Windows Vista+,Windows Server 2008+,Yes Computer Configuration > System > Power Management > Sleep Settings,Allow standby states (S1-S3) when sleeping (plugged in),Disabled, ,HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,0,Windows Vista+,Windows Server 2008+,Yes +Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista),Enabled, ,HKLM\Software\Policies\Microsoft\FVE,ActiveDirectoryBackup,1,Yes (domain joined systems only) +Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) > Require BitLocker backup to AD DS,Enabled, ,HKLM\Software\Policies\Microsoft\FVE,RequireActiveDirectoryBackup,1,Yes (domain joined systems only) +Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) > Select BitLocker recovery 
information to store,Recovery passwords only, ,HKLM\Software\Policies\Microsoft\FVE,RequireActiveDirectoryBackup,1,Yes (domain joined systems only) Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for operating system drives,Enabled,XTS-AES 256-bit,HKLM\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsOs,7,Windows 10 1511+,Windows Server 2016+,Yes Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for fixed data drives,Enabled,XTS-AES 256-bit,HKLM\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsFdv,7,Windows 10 1511+,Windows Server 2016+,No Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for removable data drives,Enabled,XTS-AES 256-bit *or* AES-CBC 256-bit,HKLM\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsRdv,4 *or* 7,Windows 10 1511+,Windows Server 2016+,No diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 92bf031..814956a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,6 +1,8 @@ +# Contributing + All contributions to this project will be released as follows: 1. If you are a U.S. government employee, then your changes are exempt from copyright in the U.S. and will be released under the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode) worldwide. 1. If you are a not a U.S. government employee, then your changes will be released under the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode) in the U.S. and worldwide. -By submitting a pull request, you are agreeing to comply with this waiver of copyright interest. \ No newline at end of file +By submitting a pull request, you are agreeing to comply with this waiver of copyright interest. diff --git a/DISCLAIMER.md b/DISCLAIMER.md index 3f84d42..dba95d1 100644 --- a/DISCLAIMER.md +++ b/DISCLAIMER.md 
@@ -1,4 +1,7 @@ +# Disclaimers + ## Disclaimer of Warranty + This Work is provided "as is." Any express or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this Guidance, even if advised of the possibility of such damage. The User of this Work agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including, but not limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage to or destruction of property of User or third parties, and infringement or other violations of intellectual property or technical data rights. 
@@ -6,4 +9,5 @@ The User of this Work agrees to hold harmless and indemnify the United States Go Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service. ## Disclaimer of Endorsement -Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes. \ No newline at end of file + +Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes. diff --git a/LICENSE.md b/LICENSE.md index 4b97bdb..3fb47ca 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,3 +1,5 @@ +# License + This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976. Copyright and Related Rights in the Work worldwide are waived through the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode). diff --git a/README.md b/README.md index 07e8fbd..193f8a5 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,7 @@ # BitLocker Guidance -## About Microsoft BitLocker +## About Microsoft BitLocker + [Microsoft BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview) is a full volume encryption feature built into Windows. BitLocker is intended to protect data on devices that have been lost or stolen. BitLocker is available in the Ultimate and Enterprise editions of Windows Vista and Windows 7, in the Professional and Enterprise editions of Windows 8/8.1, and in the Pro, Enterprise, and Education editions of Windows 10. BitLocker is also included in the Windows Server releases of Windows since Window Server 2008. The Windows 10 BitLocker modules have been [validated](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules) against [NIST](http://www.nist.gov/) [FIPS 140-2](https://csrc.nist.gov/projects/cryptographic-module-validation-program) program multiple times: 
@@ -10,39 +11,45 @@ The Windows 10 BitLocker modules have been [validated](https://csrc.nist.gov/pro * January 26, 2017 certificate numbers [2932](https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2932), [2933](https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2933), and [2934](https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2934). ## About this repository + This repository hosts [Group Policy Objects](./Group%20Policy%20Objects/Computer/), [compliance checks](./Compliance), and [configuration tools](./Scripts) in support of implementing BitLocker. A BitLocker PowerShell module has been provided to aid in provisioning BitLocker on standalone systems. [Microsoft BitLocker Administration and Monitoring](https://technet.microsoft.com/en-us/windows/hh826072.aspx) (MBAM) can be used for [provisioning BitLocker](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/) on domain joined systems. 
## BitLocker settings -NSA Information Assurance recommends using BitLocker settings from the Microsoft [Windows Security Baseline](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines), available in the [Security Compliance Toolkit](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10), with the following exceptions: + +NSA Cybersecurity recommends using the newest BitLocker settings in the Microsoft [Windows Security Baseline](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines), available in the [Security Compliance Toolkit](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10), with the following modifications: * The **Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)** > **Select the encryption method for removable data drives** policy under can be set to **XTS-AES 256-bit** *or* **AES-CBC 256-bit** instead of just AES-CBC 256-bit. AES-CBC 256-bit is allowed so operating system releases before Windows 10 1511 will be able read the encrypted media. * The **Deny write access to removable drives not protected by BitLocker** policy under **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives** can be set to **Not Configured** instead of Enabled. BitLocker is not used for Data Loss Prevention in DoD. * The **Configure minimum PIN length for startup** policy under **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives** can be set to **6** or higher instead of 7. A value of 6 aligns with the Mobile Device Fundamentals Protection Profile. 
* The **Disable new DMA devices when this computer is locked** policy under **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption** can be set to **Enabled** *or* **Not Configured**. This policy has [known issues](https://support.microsoft.com/en-us/help/4057300/devices-not-working-before-log-on-a-computer-running-windows-10-1709) that may lead to certain built-in devices (network, audio, etc) not working, or a slow system boot, in Windows 10 1709. * Any settings that reinforce default behaviors are considered optional for configuration: - * **Allow Secure Boot for integrity validation** policy under **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives** can be set to **Enabled** *or* **Not Configured**. + * **Allow Secure Boot for integrity validation** policy under **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives** can be set to **Enabled** *or* **Not Configured**. * PIN settings are only required when a startup PIN is desired. 
### General settings + **[View the policies as a CSV](./BitLockerPolicies.csv) which is easier to read than the table below and is also searchable.** | Policy Path | Policy Name | Policy State | Policy Value | Registry Path | Registry Value Name | Registry Data Value | Applicable Client | Applicable Server | Required for Applicable OS | -| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices that match any of these Device IDs > Prevent installation of devices that match any of these Device IDs: | Enabled | PCI\CC_0C0A | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceIDs | 1 | Windows Vista+ | Windows Server 2008+ | Yes | | Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices that match any of these Device IDs > Prevent installation of devices that match any of these Device IDs: | Enabled | | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceIDsRetroactive | 1 | Windows Vista+ | Windows Server 2008+ | Yes | | Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes > Prevent installation of devices using drivers that match these device setup classes: | Enabled | {d48179be-ec20-11d1-b6b8-00c04fa372a7} | HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceClasses | 1 | Windows Vista+ | Windows Server 2008+ | Yes | | Computer Configuration > System > Device Installation > Device Installation Restrictions | Prevent installation of devices using drivers that match these device setup classes > Prevent installation of devices using drivers that match these device setup classes: | Enabled | | 
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions | DenyDeviceClassesRetroactive | 1 | Windows Vista+ | Windows Server 2008+ | Yes | | Computer Configuration > System > Power Management > Sleep Settings | Allow standby states (S1-S3) when sleeping (on battery) | Disabled | | HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | DCSettingIndex | 0 | Windows Vista+ | Windows Server 2008+ | Yes | | Computer Configuration > System > Power Management > Sleep Settings | Allow standby states (S1-S3) when sleeping (plugged in) | Disabled | | HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab | ACSettingIndex | 0 | Windows Vista+ | Windows Server 2008+ | Yes | +| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista),Enabled | | HKLM\Software\Policies\Microsoft\FVE,ActiveDirectoryBackup | 1 | Yes (domain joined systems only) } +| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) > Require BitLocker backup to AD DS | Enabled | | HKLM\Software\Policies\Microsoft\FVE | RequireActiveDirectoryBackup | 1 | Yes (domain joined systems only) } +| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption,Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) > Select BitLocker recovery information to store | Recovery passwords only | | HKLM\Software\Policies\Microsoft\FVE | RequireActiveDirectoryBackup | 1 | Yes (domain joined systems only) } | Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method 
and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for operating system drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsOs | 7 | Windows 10 1511+ | Windows Server 2016+ | Yes | | Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for fixed data drives | Enabled | XTS-AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsFdv | 7 | Windows 10 1511+ | Windows Server 2016+ | No | | Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) > Select the encryption method for removable data drives | Enabled | XTS-AES 256-bit *or* AES-CBC 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodWithXtsRdv | 4 *or* 7 | Windows 10 1511+ | Windows Server 2016+ | No | | Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507]) > Select encryption method | Enabled | AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethodNoDiffuser | 4 | Windows 8 - Windows 10 1507 | Windows Server 2012 - Windows Server 2012 R2 | Yes | -| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) > Select encryption method | Enabled | AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethod | 2 | Windows Vista - Windows 7 | Windows Server 2008 - Windows Server 2008 R2 | Yes | +| Computer Configuration > 
Administrative Templates > Windows Components > BitLocker Drive Encryption | Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) > Select encryption method | Enabled | AES 256-bit | HKLM\Software\Policies\Microsoft\FVE | EncryptionMethod | 2 | Windows Vista - Windows 7 | Windows Server 2008 - Windows Server 2008 R2 | Yes | | Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Disable new DMA devices when this computer is locked | Enabled | | HKLM\Software\Policies\Microsoft\FVE | DisableExternalDMAUnderLock | 1 | Windows 10 1703+ | N/A | Yes | -| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Allow Secure Boot for integrity validation | Enabled *or* Not Configured | | HKLM\Software\Policies\Microsoft\FVE | OSAllowSecureBootForIntegrity *or* not exist | 1 *or* not exist | Windows 8+ | Windows Server 2012+ | No | +| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Allow Secure Boot for integrity validation | Enabled *or* Not Configured | | HKLM\Software\Policies\Microsoft\FVE | OSAllowSecureBootForIntegrity *or* not exist | 1 *or* not exist | Windows 8+ | Windows Server 2012+ | No | ### PIN related settings 
@@ -52,40 +59,41 @@ Some environments may desire additional protection provided by a BitLocker start | Policy Path | Policy Name | Policy State | Policy Value | Registry Path | Registry Value Name | Registry Data Value | Applicable Client | Applicable Server | Required for Applicable OS | | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | -| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Allow enhanced PINs for startup | Enabled | | HKLM\Software\Policies\Microsoft\FVE | UseEnhancedPin | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes | -| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Configure minimim PIN length for startup | Enabled | 6 *or* larger value | HKLM\Software\Policies\Microsoft\FVE | MinimumPIN | 6 *or* larger | Windows 7+ | Windows Server 2008 R2+ | Yes | +| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Allow enhanced PINs for startup | Enabled | | HKLM\Software\Policies\Microsoft\FVE | UseEnhancedPin | 1 | Windows 7+ | Windows Server 2008 R2+ | Yes | +| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives | Configure minimum PIN length for startup | Enabled | 6 *or* larger value | HKLM\Software\Policies\Microsoft\FVE | MinimumPIN | 6 *or* larger | Windows 7+ | Windows Server 2008 R2+ | Yes | | | | | | | | | | | | -Administrators may need to configure [BitLocker Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) ensure systems apply updates without requiring a user be physically present to enter a PIN at system boot. 
+Administrators may need to configure [BitLocker Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) to ensure systems apply updates without requiring a user be physically present to enter a PIN at system boot. -## BitLocker Group Policy +## BitLocker Group Policy The Microsoft Security Compliance Toolkit contains BitLocker Group Policy Objects (GPO) for each Windows 10 operating system release's Windows Security Baseline. The GPOs can be used to configure and manage domain joined as well as standalone systems. - -If using MBAM to configure and manage BitLocker on domain joined systems, then download the [Microsoft Desktop Optimization Pack (MDOP) Group Policy templates](https://www.microsoft.com/en-us/download/confirmation.aspx?id=55531) since they contain the [MBAM Group Policy settings](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements). - +If using MBAM to configure and manage BitLocker on domain joined systems, then download the [Microsoft Desktop Optimization Pack (MDOP) Group Policy templates](https://www.microsoft.com/en-us/download/confirmation.aspx?id=55531) since they contain the [MBAM Group Policy settings](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements). ### Importing the BitLocker domain Group Policy -Use the PowerShell Group Policy commands to import the BitLocker Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator. -``` +Use the PowerShell Group Policy commands to import the BitLocker Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator. 
+ +```powershell Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker' ``` ### Importing the AppLocker local Group Policy + Use Microsoft's LGPO tool to apply the BitLocker Group Policy to a standalone system. Run the following command from a command prompt running as a local administrator. -``` +```powershell Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitLocker' -ToolPath '.\LGPO\lgpo.exe' ``` ## Common issues ### Conflicting BitLocker startup options + * **Issue**: Error message: *The Group Policy settings for BitLocker startup options are in conflict and cannot be applied*. Error code: 0x8031005B * **Explanation**: The 'Require additional authentication at startup' policy description text can be misleading on how to correctly configure it. -* **Resolution**: +* **Resolution**: 1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** 1. Change the **Require additional authentication at startup** policy to configure all 4 dropdown menu options to **Allow** *OR* set 1 option to **Require** and the other 3 options to **Do not allow**. 1. Run **gpupdate /force** from the command line. 
@@ -94,16 +102,19 @@ Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'BitL * **Issue**: Error message: *No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume*. Error code: 0x803100B5 * **Explanation**: BitLocker checks if the system is a tablet. If it is a tablet, then BitLocker displays the above error message when trying to use a PIN protector. BitLocker doesn't check if the system supports a pre-boot keyboard. Some tablets may have a BIOS that supports a software keyboard. For example, the [Dell Venue 11 Pro](http://www.dell.com/support/Article/us/en/19/SLN293013/EN), [Surface Pro 3, and Surface Pro 4](https://blogs.technet.microsoft.com/askpfeplat/2014/07/13/bitlocker-pin-on-surface-pro-3-and-other-tablets/) support entering a BitLocker PIN at pre-boot with a BIOS software keyboard. Some tablets may have detachable keyboard that works during pre-boot. For example, the Surface Pro 2 with [firmware update from March 2014](https://www.microsoft.com/surface/en-us/support/install-update-activate/pro-2-history), Surface Pro 3, and Surface Pro 4 support entering a BitLocker PIN at pre-boot with their detachable keyboards. If the tablet does not support a BIOS software keyboard or a detachable keyboard that works during pre-boot, then configuring the below policy will require a USB keyboard be plugged into the tablet to enter a BitLocker PIN at pre-boot. Contact the OEM to inquire about tablet support for this specific scenario. -* **Resolution**: +* **Resolution**: 1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** 1. Set the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** policy to **Enabled**. 1. Run **gpupdate /force** from the command line. ## License + See [LICENSE](./LICENSE.md). ## Contributing + See [CONTRIBUTING](./CONTRIBUTING.md). 
## Disclaimer -See [DISCLAIMER](./DISCLAIMER.md). \ No newline at end of file + +See [DISCLAIMER](./DISCLAIMER.md).
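Review bot: the three rows added in the BitLockerPolicies.csv hunk carry fewer fields than the rest of the file, so the Applicable Client and Applicable Server columns are missing and "Yes (domain joined systems only)" ends up under the wrong header; the neighbouring rows have ten comma-separated fields (e.g. `...,EncryptionMethodWithXtsOs,7,Windows 10 1511+,Windows Server 2016+,Yes`) while the new ones have eight. In the third new row, "Recovery passwords only" is placed in the Policy State field where "Enabled" belongs, leaving Policy Value empty, and the registry value name and data (`RequireActiveDirectoryBackup,1`) are repeated from the row above even though "Select BitLocker recovery information to store" is a separate dropdown with its own value; check the BitLocker ADMX template for that dropdown's value name and data and correct the row. Because this is the Vista/Server 2008 era "Store BitLocker recovery information in Active Directory Domain Services" policy, the missing Applicable Client/Server fields matter: readers cannot tell whether it targets legacy systems or the Windows 10 1903 guidance the commit subject mentions.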
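Review bot: in the CONTRIBUTING.md hunk the context line "If you are a not a U.S. government employee" still has a doubled article; since this commit is already touching the file, suggest "If you are not a U.S. government employee".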
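Review bot: in the README "About Microsoft BitLocker" hunk the context line reads "since Window Server 2008"; suggest "since Windows Server 2008" while this paragraph is being cleaned up.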
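Review bot: the three rows added to the "General settings" table in the README hunk are not valid rows of the ten-column table: the first cell runs policy path, policy name and state together with commas ("BitLocker Drive Encryption,Store BitLocker recovery information ... ,Enabled"), the registry path and value name are joined the same way ("Microsoft\FVE,ActiveDirectoryBackup"), the Applicable Client and Applicable Server cells are absent, and each row ends with `}` instead of `|`, so the renderer and markdownlint will report a column-count mismatch. Suggest splitting them to match the adjacent rows, e.g. `| Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption | Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) | Enabled | | HKLM\Software\Policies\Microsoft\FVE | ActiveDirectoryBackup | 1 | <applicable client> | <applicable server> | Yes (domain joined systems only) |` (placeholders to be filled in), and, as in the CSV, the third row should put "Enabled" in Policy State and "Recovery passwords only" in Policy Value rather than repeating `RequireActiveDirectoryBackup`. Two smaller points in the same hunk's context: the "Disable new DMA devices when this computer is locked" row lists Required for Applicable OS as "Yes" although the bullet above says the policy may be Enabled *or* Not Configured because of the 1709 issues, so one of the two should change (the Secure Boot row already uses the "Enabled *or* Not Configured" form); and the removable data drives bullet reads "policy under can be set to", missing the policy path after "under", and "will be able read" is missing "to".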
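Review bot: in the Group Policy import hunk the context heading "### Importing the AppLocker local Group Policy" does not match its section, which applies the BitLocker policy (the command passes `-PolicyNames 'BitLocker'`); suggest "### Importing the BitLocker local Group Policy". The same section says to run the command "from a command prompt", but the fence is now tagged `powershell` and `Invoke-ApplySecureHostBaseline` is a PowerShell command, so "from a PowerShell prompt running as a local administrator" would be consistent with the domain section above it.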