Support for Microsoft Surface tablet devices with Drive Encryption 7.1.x - KB79624
There are currently some limitations with the Surface Pro 3 and MDE 7.1. Some of these should be resolved in the next patch. Once the patch has been released, the KB will be updated and more information regarding the specifics will be available in the release notes.
Any specifics on what these limitations are? I ended up bricking two Pro 3's today. One does not have a policy that allows the on-screen keyboard, so I can't enter any login information. The other one will not load the OS after I get past the encryption.
I encrypted one last week and another one yesterday.
Touching with fingers is not working, but the pen works. The type cover is working too, except its touchpad.
I also enabled the OSK because the old Surface 2 Type Cover sometimes typed weird stuff. The preboot USB support option is enabled too.
I switched the user to password (instead of USB token) because DE often fails to detect it, then secure boot must be disabled and enabled again.
First I wanted to use MNE, but it cannot activate BitLocker because of a missing keyboard. Don't know why it won't accept the type cover.
mmjlz, I have the same experience with MNE 2.1.0 as you. It will not activate - if you have PIN/password as requirement in your policy - because of missing keyboard. I have sent McAfee a service request (read below) today regarding this, as I believe it should be possible to use MNE with a PIN/password as the touch keyboard should be sufficient in preboot (BitLocker). I think that McAfee actually states that it IS indeed supported: McAfee KnowledgeBase - Support for Microsoft Surface tablet devices with Drive Encryption 7.1.x
Hello. We have issues activating BitLocker with MNE 2.1.0 on two Surface 3 Pro tablets. We deploy McAfee Agent and MNE 2.1.0 to the slates successfully, and set up a policy in ePO for MNE (we have 3-400 DE 7.1 clients so we know how this is done :)). The policy is set to activate BitLocker and require a PIN. When the policy hits the client, we are asked by the McAfee Agent to configure a PIN. When we set the PIN, BitLocker fails to activate with this error message: 'Bitlocker Activation Failed. Bitlocker activation failed because preboot authentication is required and no keyboard was detected by the operating system. Please contact your administrator for assistance'. We have configured the GPO (Enabled) mentioned here: http://blogs.technet.com/b/askpfeplat/archive/2014/07/14/bitlocker-pin-on-surface-pro-3-and-other-tablets.aspx If I remove the PIN requirement in the MNE BitLocker policy, then the policy applies successfully. Please advise.
I will let you all know once they reply.
I think this must be a bug; with MNE 2.0.1 it activated successfully on the Surface Pro 3.
Thanks. Then I expect that they should be able to solve it ASAP.
Also, in my humble experience with DE and the Surface 3, I would strongly advise against putting DE encryption on the Surface 3. These devices ship with BitLocker, and even though DE encryption is more resilient and more scalable, the nature of the Surface 3 hardware actually limits most of the attacks that can be done to it. You can't (easily) remove HDD or memory to read from it. With this in mind, one could argue that BitLocker encryption is enough for these devices, but of course if more than one person is using it you'd have to distribute the PIN/password to more than one person...
"It will not activate - if you have PIN/password as requirement in your policy - because of missing keyboard. I have sent McAfee a service request (read below) today regarding this, as I believe it should be possible to use MNE with a PIN/password as the touch keyboard should be sufficient in preboot (BitLocker)."
Please edit your BitLocker policy, and click the Advanced button in the top left.
Then check the option "
The MNE client software will then enable the GPO for you, so you don't have to do it in the domain, and your Surface Pro will activate without issue.
We advise you use this with caution, as using it on a system which really has no preboot input mechanism would leave you locked out as you would not be able to authenticate.
HTH, and if it does, please could you close the service request?
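A pre-check for the caution in the reply above, as an added example that is not part of the original thread and not McAfee's tooling. It assumes the override ends up as the standard BitLocker policy value `OSEnablePrebootInputProtectorsOnSlates`, an elevated session with the BitLocker PowerShell module, and a hypothetical function name `Get-SlatePrebootReadiness`.

```powershell
# Added example: audit a tablet before a BitLocker PIN/password is enforced.
function Get-SlatePrebootReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # Standard registry location of BitLocker (FVE) Group Policy settings.
    $fveKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $valueName = 'OSEnablePrebootInputProtectorsOnSlates'

    # Missing key or value means the override is not configured.
    $override = $false
    $policy = Get-ItemProperty -Path $fveKey -Name $valueName -ErrorAction SilentlyContinue
    if ($policy) { $override = ($policy.$valueName -eq 1) }

    # Keyboards visible to the running OS. Heuristic only: it says nothing
    # about what the firmware exposes before Windows boots.
    $keyboards = @(Get-CimInstance -ClassName Win32_Keyboard -ErrorAction SilentlyContinue)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protectors that need typed input at preboot.
    $needsInput  = @($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'Password' }).Count -gt 0
    $hasRecovery = $types -contains 'RecoveryPassword'

    $findings = @()
    if ($override -and $keyboards.Count -eq 0) {
        $findings += 'Override is on and the OS sees no keyboard: confirm preboot input works on this model before enforcing a PIN.'
    }
    if ($needsInput -and -not $override -and $keyboards.Count -eq 0) {
        $findings += 'PIN/password protector present without the slate override and without a detected keyboard.'
    }
    if ($needsInput -and -not $hasRecovery) {
        $findings += 'No recovery password protector: a failed preboot login has no fallback.'
    }

    [pscustomobject]@{
        MountPoint       = $volume.MountPoint
        ProtectionStatus = $volume.ProtectionStatus
        SlateOverride    = $override
        KeyboardsSeen    = $keyboards.Count
        KeyProtectors    = $types -join ', '
        Findings         = $findings
    }
}

Get-SlatePrebootReadiness | Format-List
```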
Hehehe, well-hidden option, thank you.
But why does it think in 2.1.0 that it has no input device available, and with 2.0.1 it works nicely? Maybe 2.0.1 doesn't check for input devices...
Thanks dwebb! I will give it a go!