What's new

Bitlocker Disable - How to - UEFI - SP4

T

Third Lake

New Member
I am building Surface Pro 4 machines for a business. Load the corporate image of Windows 10 Enterprise on the SP4. Image loads fine. Operating System looks fine. Run Windows Update. Updates install and system looks stable.

Run "manage-bde -status" at a Command Prompt and it says "Used Space Only Encrypted" and "AES 128". This is before I add the machine to the domain.

They are deploying Bitlocker to their machines with Active Directory Group Policy and MBAM. Their requirement for Bitlocker is 256 AES which is set with the Group Policy which works fine with all hardware except the Surface Pro. I understand that somehow encryption is enabled in the hardware. However the service desk has to decrypt every Surface Pro, add it to the domain, and then force the machine to encrypt to 256 AES which is their default.

How can I turn off the default Bitlocker encryption on the Surface Pro 4 (or 3) and allow it to get its settings from GPO and encrypt to 256 AES? Please be as detailed as you care to. Thank you.
 
Third Lake said:
I am building Surface Pro 4 machines for a business. Load the corporate image of Windows 10 Enterprise on the SP4. Image loads fine. Operating System looks fine. Run Windows Update. Updates install and system looks stable.

Run "manage-bde -status" at a Command Prompt and it says "Used Space Only Encrypted" and "AES 128". This is before I add the machine to the domain.

They are deploying Bitlocker to their machines with Active Directory Group Policy and MBAM. Their requirement for Bitlocker is 256 AES which is set with the Group Policy which works fine with all hardware except the Surface Pro. I understand that somehow encryption is enabled in the hardware. However the service desk has to decrypt every Surface Pro, add it to the domain, and then force the machine to encrypt to 256 AES which is their default.

How can I turn off the default Bitlocker encryption on the Surface Pro 4 (or 3) and allow it to get its settings from GPO and encrypt to 256 AES? Please be as detailed as you care to. Thank you.
Click to expand...
What tool are you using for deployment?

FYI - MS provides a tool specifically for Surface Deployments here:

Microsoft Surface Deployment Accelerator (Windows)
 
jnjroach said:
Refer to the link and tool as it addresses deployment scenarios like yours...
Click to expand...

Really? That's your answer? The customer already has a deployment method and it works just fine. I read the entire URL and it contains nothing about disabling the default encryption. If you don't want to answer the question why don't you just say so instead of pointing me to the installation of a deployment accelerator. Seems like way overkill just to get one thing answered. I guess I will look elsewhere. Thanks for the information you did provide.
 
Third Lake said:
Really? That's your answer? The customer already has a deployment method and it works just fine. I read the entire URL and it contains nothing about disabling the default encryption. If you don't want to answer the question why don't you just say so instead of pointing me to the installation of a deployment accelerator. Seems like way overkill just to get one thing answered. I guess I will look elsewhere. Thanks for the information you did provide.
Click to expand...
You need to cool your jets. You're responding to one of the most knowledgeable people on this forum and a senior staff member at that. You want to get hot under the collar call Microsoft.

If you haven't read the forum guidelines, this may be a good time.
 
My jets are cool. My opinion is that the answer was unhelpful. Thanks to Jeff for attempting an answer at least. Cheers.
 
Third Lake said:
Really? That's your answer? The customer already has a deployment method and it works just fine. I read the entire URL and it contains nothing about disabling the default encryption. If you don't want to answer the question why don't you just say so instead of pointing me to the installation of a deployment accelerator. Seems like way overkill just to get one thing answered. I guess I will look elsewhere. Thanks for the information you did provide.
Click to expand...
I'm sorry you don't want to change the or adapt your customer's deployment method to accommodate the introduction of S0iX Enabled Devices. The tool itself has the methods to build and modify images that comply to corporate standards. Most Enterprise Base Images are still based on ACPI Standards and S3 Type Power Management.

I had a customer who blew an entire deployment of Surface devices (200 IIRC) by forcing their corporate image (based originally on a HP Laptop).

MDT 2013 doesn't support the UEFI Switches to accomplish what your are attempting to do.

I also had to convince my own internal IT team to change their WDS deployments because the kept hosing our Surface Pro 3 devices. We have over 120 SP3, SP4 and SB devices deployed in our Consulting Company.
 
It sounds like there is benefit to the Microsoft Surface Deployment Accelerator. I will explore it for my own personal skill improvement. Maybe the customer will provide a server where I can install it on or maybe I can find a technician workstation where I can install it on. What they/I was looking for was more of a quick answer to how to turn off the default encryption but if I have to install a Deployment Accelerator to find the answer to a specific question then so be it. I understand all about best practices.
Thanks again for putting time into trying to answer my question. I do appreciate it.
 
Third Lake said:
It sounds like there is benefit to the Microsoft Surface Deployment Accelerator. I will explore it for my own personal skill improvement. Maybe the customer will provide a server where I can install it on or maybe I can find a technician workstation where I can install it on. What they/I was looking for was more of a quick answer to how to turn off the default encryption but if I have to install a Deployment Accelerator to find the answer to a specific question then so be it. I understand all about best practices.
Thanks again for putting time into trying to answer my question. I do appreciate it.
Click to expand...
If you are only trying to turn off encryption open All Settings....type bitlocker in "find a setting box"....this gives you the option.
 
That's a good tip; thanks for that. That is essentially what the service desk is doing now. I was trying to avoid having it happen in the first place and save a step.
Is this encryption hardware based? The only relevant option I see in the Surface UEFI is to disable the TPM but I don't think we want to do that.
I guess I will have to install the Solution Accelerator when I have time.
 
You must log in or register to reply here.

Similar threads

P
Not Able to Enable Hardware Based Bitlocker Encryption On Surface Pro 4 (Windows 10 Pro)
Replies
1
Views
4K
phillyphotogmagee
P
S
Windows Hello on corporate Domain
Replies
1
Views
6K
jnjroach
jnjroach
G
Clean Install of Windows 8.1 on SP3
Replies
9
Views
17K
Deryl McCarty
Deryl McCarty
A
Win 10 and Office 365/Outlook 2016 Exchange Issues
Replies
3
Views
5K
sharpuser
sharpuser
Bandito
New SP3 Problem - Group Policy Client Failed to Start
Replies
9
Views
6K
Bandito
Bandito

Latest posts

Back
Top