Friday, January 19 2018

Startup Options on this PC are Configured Incorrectly – BitLocker

Enabling BitLocker fails with an error on Surface Pro devices –

Error : The Startup Options on This PC are Configured incorrectly. Contact your System Administrator For More Information


Solution –

BitLocker authentication requiring preboot keyboard input has to be enabled in Group Policy:

Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled

Default Recommended Group Policy for Surface Pro Devices –

Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
Disallow standard users from changing the PIN or password – Enabled
Enable use of BitLocker authentication requiring preboot keyboard input on slates – Enabled
Require additional authentication at startup – Enabled

Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup: Do not allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Do not allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM

Require additional authentication at startup (Windows Server 2008 and Windows Vista) Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup key: Allow startup key with TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Important: If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.

Windows Components/MDOP MBAM (BitLocker Management)/Client Management

Configure automatically resetting TPM lockouts Enabled
Configure MBAM services Enabled
MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc

Select BitLocker recovery information to store: Recovery password and key package
Enter client checking status frequency in (minutes): 90
Configure MBAM Status reporting service: Enabled
MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
Enter status report frequency in (minutes): 720

Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive

Encryption Policy Enforcement Settings Enabled
Configure the number of noncompliance grace period days for operating system drives: 0
Operating system drive encryption settings Enabled
Allow BitLocker without a compatible TPM (requires a password) Disabled
Select protector for operating system drive:
Settings for computers with a TPM:
Configure minimum PIN length for startup 6

User Configuration (Disabled)
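
To confirm that the settings above reached a device, the startup policy can be audited from the registry. This is an added example, not code from the original post: the function name and the `-IsSlate` switch are hypothetical, and the value names under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are the ones the BitLocker administrative template writes, which the post itself does not list. The conflict check generalizes the "require one, do not allow the other" rule quoted above to all four TPM startup options.

```powershell
# Added example, not from the original post. Registry value names are those of
# the BitLocker ADMX template (assumption: they are not listed on the page).
# Startup option values: 0 = do not allow, 1 = require, 2 = allow.
function Test-BitLockerStartupPolicy {
    param(
        [hashtable]$Policy,   # policy values to check; omit to read the registry
        [switch]$IsSlate      # device has no attached keyboard at preboot
    )
    if ($null -eq $Policy) {
        $Policy = @{}
        $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
        if ($item) { $item.PSObject.Properties | ForEach-Object { $Policy[$_.Name] = $_.Value } }
    }
    if ($Policy['UseAdvancedStartup'] -ne 1) {
        return ,@('Require additional authentication at startup is not enabled.')
    }
    $findings = @()
    $modes    = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
    $required = @($modes | Where-Object { $Policy[$_] -eq 1 })
    $allowed  = @($modes | Where-Object { $Policy[$_] -eq 2 })
    # A required option cannot coexist with another required or allowed
    # option; otherwise BitLocker reports a policy error.
    if ($required.Count -gt 1 -or ($required.Count -eq 1 -and $allowed.Count -gt 0)) {
        $findings += "Conflicting startup options: required=$($required -join ',') allowed=$($allowed -join ',')"
    }
    # PIN-based options need preboot keyboard input; on a slate this must be
    # enabled explicitly, which is the fix described in this post.
    $pinInUse = @('UseTPMPIN', 'UseTPMKeyPIN' | Where-Object { $Policy[$_] -in 1, 2 })
    if ($IsSlate -and $pinInUse.Count -gt 0 -and $Policy['OSEnablePrebootInputProtectorsOnSlates'] -ne 1) {
        $findings += 'PIN options are permitted but preboot keyboard input on slates is not enabled.'
    }
    return ,$findings
}

# Constructed sample: the Surface Pro startup options listed above, first
# without and then with the slate setting applied.
$surface = @{ UseAdvancedStartup = 1; UseTPM = 0; UseTPMPIN = 2; UseTPMKey = 0; UseTPMKeyPIN = 2 }
Test-BitLockerStartupPolicy -Policy $surface -IsSlate
$surface['OSEnablePrebootInputProtectorsOnSlates'] = 1
Test-BitLockerStartupPolicy -Policy $surface -IsSlate
```

Run without `-Policy` in an elevated session to check the policy actually applied to the machine.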

 

Default Recommended Group Policy for Laptops and Desktops –

Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives
Disallow standard users from changing the PIN or password – Enabled
Require additional authentication at startup – Enabled

Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup: Do not allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Do not allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM

Require additional authentication at startup (Windows Server 2008 and Windows Vista) Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Settings for computers with a TPM:

Configure TPM startup key: Allow startup key with TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Important: If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs.
Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM.

Windows Components/MDOP MBAM (BitLocker Management)/Client Management

Configure automatically resetting TPM lockouts Enabled
Configure MBAM services Enabled
MBAM Recovery service endpoint: https://bitlocker.careexchange.in:443/MBAMRecoveryAndHardwareService/CoreService.svc

Select BitLocker recovery information to store: Recovery password and key package
Enter client checking status frequency in (minutes): 90
Configure MBAM Status reporting service: Enabled
MBAM Status reporting service endpoint: https://bitlocker.careexchange.in:443/MBAMComplianceStatusService/StatusReportingService.svc
Enter status report frequency in (minutes): 720

Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive

Encryption Policy Enforcement Settings Enabled
Configure the number of noncompliance grace period days for operating system drives: 0
Operating system drive encryption settings Enabled
Allow BitLocker without a compatible TPM (requires a password) Disabled
Select protector for operating system drive:
Settings for computers with a TPM:
Configure minimum PIN length for startup 6

User Configuration (Disabled)

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP, Publisher of CareExchange.in
Supporting/Deploying/Designing Microsoft Exchange for some years.
Extensive experience on Microsoft Technologies.
