Bitlocker Disable - How to - UEFI - SP4

Discussion in 'Microsoft Surface Pro 4' started by Third Lake, May 17, 2016.

  1. Third Lake

    Third Lake, New Member. Joined: May 17, 2016; Messages: 6; Likes Received: 0; Trophy Points: 1; My Device: SPro4
    I am building Surface Pro 4 machines for a business. Load the corporate image of Windows 10 Enterprise on the SP4. Image loads fine. Operating System looks fine. Run Windows Update. Updates install and system looks stable.

    Run "manage-bde -status" at a Command Prompt and it says "Used Space Only Encrypted" and "AES 128". This is before I add the machine to the domain.

    They are deploying BitLocker to their machines with Active Directory Group Policy and MBAM. Their requirement for BitLocker is 256 AES, which is set with the Group Policy, which works fine with all hardware except the Surface Pro. I understand that somehow encryption is enabled in the hardware. However, the service desk has to decrypt every Surface Pro, add it to the domain, and then force the machine to encrypt to 256 AES, which is their default.

    How can I turn off the default BitLocker encryption on the Surface Pro 4 (or 3) and allow it to get its settings from GPO and encrypt to 256 AES? Please be as detailed as you care to. Thank you.
     
  2. jnjroach

    jnjroach, Administrator, Staff Member. Joined: Nov 9, 2012; Messages: 7,095; Likes Received: 1,724; Trophy Points: 113; Location: Seattle, WA USA; My Device: Surface Book
    What tool are you using for deployment?

    FYI - MS provides a tool specifically for Surface Deployments here:

    Microsoft Surface Deployment Accelerator (Windows)
  3. Third Lake

    MDT 2013 Update 1. The image deploys fine.

    Any information about how to disable BitLocker?
     
  4. jnjroach

    Refer to the link and tool as it addresses deployment scenarios like yours...
     
  5. Third Lake

    Really? That's your answer? The customer already has a deployment method and it works just fine. I read the entire URL and it contains nothing about disabling the default encryption. If you don't want to answer the question, why don't you just say so instead of pointing me to the installation of a deployment accelerator? Seems like way overkill just to get one thing answered. I guess I will look elsewhere. Thanks for the information you did provide.
     
  6. leeshor

    leeshor, Well-Known Member. Joined: Jun 19, 2012; Messages: 5,071; Likes Received: 877; Trophy Points: 113; Location: Norcross, GA; My Device: SPro4
    You need to cool your jets. You're responding to one of the most knowledgeable people on this forum and a senior staff member at that. You want to get hot under the collar, call Microsoft.

    If you haven't read the forum guidelines, this may be a good time.
     
  7. Third Lake

    My jets are cool. My opinion is that the answer was unhelpful. Thanks to Jeff for attempting an answer at least. Cheers.
     
  8. jnjroach

    I'm sorry you don't want to change or adapt your customer's deployment method to accommodate the introduction of S0iX Enabled Devices. The tool itself has the methods to build and modify images that comply with corporate standards. Most Enterprise Base Images are still based on ACPI Standards and S3 Type Power Management.

    I had a customer who blew an entire deployment of Surface devices (200 IIRC) by forcing their corporate image (based originally on an HP Laptop).

    MDT 2013 doesn't support the UEFI Switches to accomplish what you are attempting to do.

    I also had to convince my own internal IT team to change their WDS deployments because they kept hosing our Surface Pro 3 devices. We have over 120 SP3, SP4 and SB devices deployed in our Consulting Company.
  9. Third Lake

    It sounds like there is benefit to the Microsoft Surface Deployment Accelerator. I will explore it for my own personal skill improvement. Maybe the customer will provide a server where I can install it, or maybe I can find a technician workstation where I can install it. What they/I was looking for was more of a quick answer to how to turn off the default encryption, but if I have to install a Deployment Accelerator to find the answer to a specific question then so be it. I understand all about best practices.
    Thanks again for putting time into trying to answer my question. I do appreciate it.
     
  10. Aldec

    Aldec, Member. Joined: Feb 20, 2016; Messages: 44; Likes Received: 6; Trophy Points: 8; My Device: SPro4
    If you are only trying to turn off encryption, open All Settings, type bitlocker in the "find a setting" box... this gives you the option.
     
  11. Third Lake

    That's a good tip; thanks for that. That is essentially what the service desk is doing now. I was trying to avoid having it happen in the first place and save a step.
    Is this encryption hardware based? The only relevant option I see in the Surface UEFI is to disable the TPM but I don't think we want to do that.
    I guess I will have to install the Solution Accelerator when I have time.
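
The manual workaround this thread describes (check the volume as with `manage-bde -status`, decrypt it, then let Group Policy and MBAM encrypt to AES 256) can be scripted with the BitLocker PowerShell cmdlets. This is an added example, not code from any poster or from Microsoft; the parameter names and the choice of `Aes256`/`XtsAes256` as the methods that satisfy the policy are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-domain-join check of the OS volume on a freshly imaged device.
param(
    [string]   $MountPoint      = $env:SystemDrive,
    # Assumption: the cmdlet enum values that satisfy the "256 AES" policy.
    [string[]] $AcceptedMethods = @('Aes256', 'XtsAes256'),
    # Without -Decrypt the script only reports and changes nothing.
    [switch]   $Decrypt
)

$vol    = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$method = [string]$vol.EncryptionMethod   # e.g. Aes128, XtsAes128, Aes256, None
$status = [string]$vol.VolumeStatus       # e.g. FullyEncrypted, FullyDecrypted

$report = [pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $status
    EncryptionMethod = $method
    ProtectionStatus = [string]$vol.ProtectionStatus
    KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
    Verdict          = $null
}

if ($status -eq 'FullyDecrypted') {
    $report.Verdict = 'Not encrypted: policy can encrypt after domain join'
}
elseif ($AcceptedMethods -contains $method) {
    $report.Verdict = 'Already encrypted with an accepted method'
}
elseif ($status -eq 'DecryptionInProgress') {
    $report.Verdict = "Decryption running ($($vol.EncryptionPercentage)% still encrypted)"
}
else {
    $report.Verdict = "Encrypted with $method, which policy does not accept"
    if ($Decrypt) {
        # Same step the service desk performs by hand. The disk is unprotected
        # until policy re-encrypts it, so run this before user data is on it.
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
        $report.Verdict += '; decryption started'
    }
}
$report
```

Run it without `-Decrypt` first to see the verdict; the domain join and the policy-driven encryption happen outside this script.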
     
