
Bitlocker Disable - How to - UEFI - SP4

Third Lake

New Member
I am building Surface Pro 4 machines for a business. Load the corporate image of Windows 10 Enterprise on the SP4. Image loads fine. Operating System looks fine. Run Windows Update. Updates install and system looks stable.

Run "manage-bde -status" at a Command Prompt and it says "Used Space Only Encrypted" and "AES 128". This is before I add the machine to the domain.

They are deploying Bitlocker to their machines with Active Directory Group Policy and MBAM. Their requirement for Bitlocker is 256 AES, which is set with the Group Policy and works fine with all hardware except the Surface Pro. I understand that somehow encryption is enabled in the hardware. However, the service desk has to decrypt every Surface Pro, add it to the domain, and then force the machine to encrypt to 256 AES, which is their default.

How can I turn off the default Bitlocker encryption on the Surface Pro 4 (or 3) and allow it to get its settings from GPO and encrypt to 256 AES? Please be as detailed as you care to. Thank you.
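The thread never spells out the steps, so here is an added example (not posted by anyone in the thread, and not Microsoft's own tooling) of how the service desk's "decrypt, join, re-encrypt to AES-256" sequence can be scripted, plus the registry value Microsoft documents for keeping Windows 10 device encryption from switching itself on in an image in the first place. The function names, the choice of AES-CBC 256 (policy value 4) rather than XTS-AES 256 (value 7), and the 15-second polling interval are assumptions made for the example; adjust them to the customer's GPO.

```powershell
# Added example, not from the thread. Run elevated on Windows 10 (built-in BitLocker module).
# Anything marked "assumed" is an illustration choice, not a value stated in the thread.

# 1. Stop automatic device encryption on future builds.
#    This is the Microsoft-documented value (the unattend setting of the same name lives under
#    Microsoft-Windows-SecureStartup-FilterDriver). It only prevents encryption that has not
#    happened yet, so it belongs in the image / answer file, not on an already-encrypted machine.
function Disable-AutoDeviceEncryption {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'PreventDeviceEncryption' -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. Pin the cipher the same way the GPO "Choose drive encryption method and cipher strength
#    (Windows 10 [Version 1511] and later)" does: 3 = AES-CBC 128, 4 = AES-CBC 256,
#    6 = XTS-AES 128, 7 = XTS-AES 256. Useful for testing before the machine is on the domain.
function Set-BitLockerCipherPolicy {
    param([ValidateSet(4, 7)][int]$Method = 4)   # assumed: the thread asks for "256 AES"
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
        New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $Method -Force | Out-Null
    }
}

# 3. The same information "manage-bde -status" prints, as an object.
#    A fresh Surface shows Method = Aes128 and Status = FullyEncrypted (used-space-only).
function Get-OsVolumeState {
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    [pscustomobject]@{
        MountPoint = $os.MountPoint
        Status     = $os.VolumeStatus        # FullyDecrypted / FullyEncrypted / *InProgress
        Method     = $os.EncryptionMethod    # None / Aes128 / Aes256 / XtsAes128 / XtsAes256
        Percent    = $os.EncryptionPercentage
        Protection = $os.ProtectionStatus    # Off on an auto-encrypted, not-yet-signed-in device
    }
}

# 4. Re-encrypt only when the current cipher is not the required one.
#    BitLocker cannot change cipher in place: the volume must be fully decrypted first.
function Set-OsVolumeCipher {
    param([string]$Required = 'Aes256')   # assumed target; XtsAes256 is the modern choice
    $state = Get-OsVolumeState
    if ($state.Method -eq $Required) { return "already $Required" }

    if ($state.Status -ne 'FullyDecrypted') {
        Disable-BitLocker -MountPoint $state.MountPoint | Out-Null   # scripted form of the Settings toggle
        do {
            Start-Sleep -Seconds 15                                   # assumed polling interval
            $state = Get-OsVolumeState
        } until ($state.Status -eq 'FullyDecrypted')
    }

    # TPM protector, whole-volume encryption (no -UsedSpaceOnly), recovery password for MBAM/AD escrow.
    Enable-BitLocker -MountPoint $state.MountPoint -EncryptionMethod $Required -TpmProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $state.MountPoint -RecoveryPasswordProtector | Out-Null
    return "re-encrypting as $Required"
}

Disable-AutoDeviceEncryption
Set-BitLockerCipherPolicy -Method 4
Set-OsVolumeCipher -Required 'Aes256'
Get-OsVolumeState
```

Two caveats: if the customer's GPO enforces "Do not enable BitLocker until recovery information is stored to AD DS", the recovery password protector has to be added and backed up (Backup-BitLockerKeyProtector) before the Enable-BitLocker call, which in turn means the device must already be domain joined; and because the cipher is read only when encryption starts, step 1 baked into the image removes the decrypt step entirely, leaving the existing GPO/MBAM flow to do the AES-256 encryption after the join.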
 

jnjroach

Administrator
Staff member
What tool are you using for deployment?

FYI - MS provides a tool specifically for Surface Deployments here:

Microsoft Surface Deployment Accelerator (Windows)
 

Third Lake

New Member
Refer to the link and tool as it addresses deployment scenarios like yours...

Really? That's your answer? The customer already has a deployment method and it works just fine. I read the entire URL and it contains nothing about disabling the default encryption. If you don't want to answer the question why don't you just say so instead of pointing me to the installation of a deployment accelerator. Seems like way overkill just to get one thing answered. I guess I will look elsewhere. Thanks for the information you did provide.
 

leeshor

Well-Known Member
You need to cool your jets. You're responding to one of the most knowledgeable people on this forum, and a senior staff member at that. If you want to get hot under the collar, call Microsoft.

If you haven't read the forum guidelines, this may be a good time.
 

Third Lake

New Member
My jets are cool. My opinion is that the answer was unhelpful. Thanks to Jeff for attempting an answer at least. Cheers.
 

jnjroach

Administrator
Staff member
I'm sorry you don't want to change or adapt your customer's deployment method to accommodate the introduction of S0ix-enabled devices. The tool itself has the methods to build and modify images that comply with corporate standards. Most enterprise base images are still based on ACPI standards and S3-type power management.

I had a customer who blew an entire deployment of Surface devices (200 IIRC) by forcing their corporate image (based originally on an HP laptop).

MDT 2013 doesn't support the UEFI switches to accomplish what you are attempting to do.

I also had to convince my own internal IT team to change their WDS deployments because they kept hosing our Surface Pro 3 devices. We have over 120 SP3, SP4 and SB devices deployed in our consulting company.
 

Third Lake

New Member
It sounds like there is benefit to the Microsoft Surface Deployment Accelerator. I will explore it for my own personal skill improvement. Maybe the customer will provide a server I can install it on, or maybe I can find a technician workstation I can install it on. What they/I were looking for was more of a quick answer to how to turn off the default encryption, but if I have to install a Deployment Accelerator to find the answer to a specific question then so be it. I understand all about best practices.
Thanks again for putting time into trying to answer my question. I do appreciate it.
 

Aldec

Member
If you are only trying to turn off encryption, open All Settings, type bitlocker in the "Find a setting" box; this gives you the option.
 

Third Lake

New Member
That's a good tip; thanks for that. That is essentially what the service desk is doing now. I was trying to avoid having it happen in the first place and save a step.
Is this encryption hardware based? The only relevant option I see in the Surface UEFI is to disable the TPM but I don't think we want to do that.
I guess I will have to install the Solution Accelerator when I have time.
 