Enabling Bitlocker giving Error in Surface Pro Devices –
Error : The Startup Options on This PC are Configured incorrectly. Contact your System Administrator For More Information
\
Solution –
Use of BitLocker authentication requiring preboot keyboard has to be enabled In Group Policy
Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled
Default Recommended Group Policy for Surface Pro Devices –
Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
Disallow standard users from changing the PIN or password – Enabled
Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled
Require additional authentication at startup – Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:
Configure TPM startup: Do not allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Do not allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM
Require additional authentication at startup (Windows Server 2008 and Windows Vista) Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Important: If you require the startup key, you must not allow the startup PIN.
If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.
Windows Components/MDOP MBAM (BitLocker Management)/Client Management
Configure automatically resetting TPM lockouts Enabled
Configure MBAM services Enabled
MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc
Select BitLocker recovery information to store: Recovery password and key package
Enter client checking status frequency in (minutes): 90
Configure MBAM Status reporting service: Enabled
MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
Enter status report frequency in (minutes): 720
Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive
Encryption Policy Enforcement Settings Enabled
Configure the number of noncompliance grace period days for operating system drives: 0
Operating system drive encryption settings Enabled
Allow BitLocker without a compatible TPM (requires a password) Disabled
Select protector for operating system drive:
Settings for computers with a TPM:
Configure minimum PIN length for startup 6
User Configuration (Disabled)
Default Recommended Group Policy for Laptops and Desktops –
Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
Disallow standard users from changing the PIN or password – Enabled
Require additional authentication at startup – Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:
Configure TPM startup: Do not allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Do not allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM
Require additional authentication at startup (Windows Server 2008 and Windows Vista) Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Important: If you require the startup key, you must not allow the startup PIN.
If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.
Windows Components/MDOP MBAM (BitLocker Management)/Client Management
Configure automatically resetting TPM lockouts Enabled
Configure MBAM services Enabled
MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc
Select BitLocker recovery information to store: Recovery password and key package
Enter client checking status frequency in (minutes): 90
Configure MBAM Status reporting service: Enabled
MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
Enter status report frequency in (minutes): 720
Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive
Encryption Policy Enforcement Settings Enabled
Configure the number of noncompliance grace period days for operating system drives: 0
Operating system drive encryption settings Enabled
Allow BitLocker without a compatible TPM (requires a password) Disabled
Select protector for operating system drive:
Settings for computers with a TPM:
Configure minimum PIN length for startup 6
User Configuration (Disabled)
Here is the solution I found when this did not work
run gpedit
Local computer policy> computer configuration > administrative templates > Windows Components > bitlocker drive encryption > Operating system drives
Require additional authentication at startup
Enable
Thank you for your feedback
Hi Satheshwaran,
When this policy is applied from Intune it is not getting applied on a Dell Optiplex 7000 desktop. So, should we enable this like locally on a machine? I am kind of confused. When I tried to apply this to Intune the protection status is OFF and when I tried to enable it manually on the desktop, I got the error that you are showing. I tried to add these setting locally in the group policy it enabled it. So, is this the only way to do it for desktops?