How to enable BitLocker PIN on startup on a Microsoft Surface Laptop 7

Question

How to enable BitLocker PIN on startup on a Microsoft Surface Laptop 7

BirendraN 0

I would be grateful if any MVPs could reply whose focus is on Security & BitLocker.

Issue

I have just purchased a Microsoft Surface Laptop 7 with Windows 11 Home installed. This is a traditional “clamshell” laptop i.e. it has a keyboard and screen.
I updated the OS by purchasing Windows Pro which is now done.
BitLocker is enabled
The issue I have is that I cannot setup BitLocker to mandate that a BitLocker PIN is required when the PC boots up.
I have set the appropriate GPO for BitLocker to set "Require Startup PIN with TPM" .
This then does give the option in Manage BitLocker to create a startup PIN.
But when I click that option, it fails with this error: "ERROR: An error occurred (code 0x803100b5): No pre-boot keyboard detected. The user may not be able to provide required input to unlock the volume."

My thoughts.

This is a traditional clam-shell laptop but my hypothesis is that Microsoft may treat it as a slate (tablet device). Indeed when running System Information I see "Platform Role Slate"
I have also come across in my research the BitLocker GPO “Enable use of Bitlocker authentication requiring preboot keyboard input on slates”
I am loathe to try that though because reading that GPO it clearly states that an alternative USB Keyboard would be required to provide the BitLocker PIN. I cannot assume that I would be able to use the keyboard on the Surface laptop itself, which is what I want of course.

Thanks

Steve 0 Reputation points

2025-04-07T16:30:58.9733333+00:00

I just worked through the same error code issue with a MS Surface Pro 11th edition.

In actual fact, if there is a keyboard it may work. On the model I had, there was even an onscreen keyboard available that worked when prompted for the PIN at boot.

The Bitlocker PIN can be enabled. Below is my experience. No warranties are offered and you configure at your own risk.

The warning is there when trying to set the PIN in case the device does not have an accessible keyboard one cannot enter the PIN to unlock the drive.

For the configuration and testing I attached an external USB keyboard for backup. I recommend if you attempt enabling you should have a USB keyboard attached in case the MS keyboard(s) do not work.

To proceed...

There is a group policy to enable "keyboard input on slates".

Start gpedit, go to:

Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

Enable the policy: Enable use of BitLocker authentication requiring preboot keyboard input on slates

Ensure you enabled the PIN with TPM policy (as per the above post).

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

Double-click the "Require Additional Authentication at Startup" Option in the right pane.

Select "Enabled" at the top of the window here. Then, click the box under "Configure TPM Startup PIN" and select the "Require Startup PIN With TPM" option.

Click "OK" to save your changes.

Run manage-bde -protectors -add c: -TPMAndPIN

enter and confirm the PIN.

Reboot

If the MS Keyboard does not work (or there is no on screen keyboard), you should have the USB keyboard as backup. If necessary you can then use the USB keyboard to enter the PIN and revert the "Require Additional Authentication at Startup policy".