Friday, May 24 2019

Startup Options on this PC are Configured Incorrectly – BitLocker

Enabling BitLocker on Surface Pro devices fails with the following error –

Error: The Startup Options on This PC are Configured incorrectly. Contact your System Administrator For More Information.


Solution –

The Group Policy setting that allows BitLocker authentication requiring preboot keyboard input on slates has to be enabled:

Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled


Default Recommended Group Policy for Surface Pro Devices –

Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
Disallow standard users from changing the PIN or password – Enabled
Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled
Require additional authentication at startup – Enabled

Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup: Do not allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Do not allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM

Require additional authentication at startup (Windows Server 2008 and Windows Vista) – Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup key: Allow startup key with TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Important: If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.

Windows Components/MDOP MBAM (BitLocker Management)/Client Management

Configure automatically resetting TPM lockouts – Enabled
Configure MBAM services – Enabled
MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc
Select BitLocker recovery information to store: Recovery password and key package
Enter client checking status frequency in (minutes): 90
Configure MBAM Status reporting service: Enabled
MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
Enter status report frequency in (minutes): 720

Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive

Encryption Policy Enforcement Settings – Enabled
Configure the number of noncompliance grace period days for operating system drives: 0
Operating system drive encryption settings – Enabled
Allow BitLocker without a compatible TPM (requires a password) – Disabled
Select protector for operating system drive:
Settings for computers with a TPM:
Configure minimum PIN length for startup: 6

User Configuration (Disabled)
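
The Operating System Drives settings above can be sanity-checked before they reach a device. The following is an added example, not part of the original post: the function name `Test-BitLockerStartupPolicy` is hypothetical, the hashtable keys are the registry value names these policies write under HKLM\SOFTWARE\Policies\Microsoft\FVE, and the sample policies are constructed. It flags the require/allow conflict described in the Important note and the missing slates setting behind the Surface Pro error.

```powershell
# Added example, not from the original post.
# TPM startup values: 0 = Do not allow, 1 = Require, 2 = Allow.
function Test-BitLockerStartupPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,  # value names as stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE
        [switch] $IsSlate                            # device without a built-in preboot keyboard (e.g. Surface Pro)
    )
    $tpmOptions = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    $pinOptions = 'UseTPMPIN', 'UseTPMKeyPIN'

    if ($Policy['UseAdvancedStartup'] -ne 1) {
        'Require additional authentication at startup is not Enabled.'
        return
    }
    $required = @($tpmOptions | Where-Object { $Policy[$_] -eq 1 })
    $allowed  = @($tpmOptions | Where-Object { $Policy[$_] -eq 2 })

    # Requiring one startup option while another is still allowed (or required) is a policy error.
    if ($required.Count -gt 1 -or ($required.Count -eq 1 -and $allowed.Count -gt 0)) {
        "Policy conflict: required [$($required -join ', ')] but also allowed [$($allowed -join ', ')]."
    }
    # Every TPM option disallowed and no non-TPM fallback leaves nothing BitLocker can use.
    if (($required.Count + $allowed.Count) -eq 0 -and $Policy['EnableBDEWithNoTPM'] -ne 1) {
        'No TPM startup option is allowed and BitLocker without a TPM is not allowed.'
    }
    # PIN entry needs preboot keyboard input, which slates block unless the policy is Enabled.
    $pinInUse = @($pinOptions | Where-Object { $Policy[$_] -in 1, 2 }).Count -gt 0
    if ($IsSlate -and $pinInUse -and $Policy['OSEnablePrebootInputProtectorsOnSlates'] -ne 1) {
        'Startup PIN is allowed or required, but preboot keyboard input on slates is not Enabled.'
    }
}

# Constructed sample: the TPM startup settings listed in this post, slates setting not yet applied.
$surface = @{ UseAdvancedStartup = 1; UseTPM = 0; UseTPMPIN = 2; UseTPMKey = 0; UseTPMKeyPIN = 2 }
Test-BitLockerStartupPolicy -Policy $surface -IsSlate

# Same policy after enabling preboot keyboard input on slates.
$surface['OSEnablePrebootInputProtectorsOnSlates'] = 1
Test-BitLockerStartupPolicy -Policy $surface -IsSlate

# Constructed sample of the conflict from the Important note: key required while PIN is still allowed.
$conflict = @{ UseAdvancedStartup = 1; UseTPM = 0; UseTPMPIN = 2; UseTPMKey = 1; UseTPMKeyPIN = 0 }
Test-BitLockerStartupPolicy -Policy $conflict
```

To check a live machine, build the hashtable from `Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'` after `gpupdate` has applied the policy.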

 

Default Recommended Group Policy for Laptops and Desktops –

Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
Disallow standard users from changing the PIN or password – Enabled
Require additional authentication at startup – Enabled

Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup: Do not allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Do not allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM

Require additional authentication at startup (Windows Server 2008 and Windows Vista) – Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup key: Allow startup key with TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Important: If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.

Windows Components/MDOP MBAM (BitLocker Management)/Client Management

Configure automatically resetting TPM lockouts – Enabled
Configure MBAM services – Enabled
MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc
Select BitLocker recovery information to store: Recovery password and key package
Enter client checking status frequency in (minutes): 90
Configure MBAM Status reporting service: Enabled
MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
Enter status report frequency in (minutes): 720

Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive

Encryption Policy Enforcement Settings – Enabled
Configure the number of noncompliance grace period days for operating system drives: 0
Operating system drive encryption settings – Enabled
Allow BitLocker without a compatible TPM (requires a password) – Disabled
Select protector for operating system drive:
Settings for computers with a TPM:
Configure minimum PIN length for startup: 6

User Configuration (Disabled)

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Office Server and Services MVP and publisher of Azure365pro.com. Specialized in Office365, Microsoft Exchange and virtualization, Sathesh is a messaging expert who supports, designs and deploys corporate messaging and virtualization infrastructure for medium-size businesses through large enterprises.
