Bitlocker Error Code 0x803100b5 No Pre-Boot Keyboard Detected

OMG! I spent hours trying to solve Bitlocker Error Code 0x803100b5 No Pre-Boot Keyboard Detected.  The user may not be able to provide required input to unlock the volume.  I just had to post for future reference as I will surely forget this in a month’s time.

I have been enabling Bitlocker encryption for pre-boot authentication on Surface Pro 3; I’ve done quite a few machines and the process for it has always worked until now.  For instructions on Bitlocker encryption for pre-boot authentication on Surface Pro 3 see my other post https://maaadit.wordpress.com/2015/09/03/windows-8-bitlocker-pre-boot-authentication/

So I received a Surface Pro 3 to configure and prior to handing it out to the user I attempt to enable Bitlocker encryption.  I go back to my original post linked above and change the proper Local Group settings:

Require additional authentication at startup.

Enable use of Bitlocker authentication requiring preboot keyboard input on slate

Same old, same old, whistling while you work… and when I go to Turn On Bitlocker it does not prompt me for the PIN.  I try every which way and nothing.  So I go to the command prompt.  You have to choose to Run as Administrator by the way.  So I issue the Manage-bde -status command and TPM is listed in there for Drive C: but no TPMandPIN.  So I issue the command Manage-bde -protectors -add C: -TPMandPIN, you know, to encrypt requiring the use of a PIN on boot.  And that is when I see Bitlocker Error Code 0x803100b5 No Pre-Boot Keyboard Detected.  The user may not be able to provide required input to unlock the volume.

I mess with the Local Group policy and reboot the machine countless times.  I was still able to Turn On Bitlocker but it would go on to encrypt the drive without prompting me to enter the PIN; booting the device also did not prompt for a PIN at startup.  Everything I searched online came back to the same two settings in Local Group Policy that had already been configured:

Require additional authentication at startup.

Enable use of Bitlocker authentication requiring preboot keyboard input on slate

In searching for Error Code 0x803100b5 No Pre-Boot Keyboard Detected I came across this seemingly unrelated link and the fourth bullet caught my attention.

  • BitLocker is not turned on (required for MNE to activate).

  • TPM configuration completed.

  • The group policy correctly matches the MNE password complexity policy.

  • Running the Windows gpupdate /force does not resolve the problem.

This is a domain joined Surface Pro I’m working on; so I issued the gpupdate /force command and … The processing of Group Policy failed because of lack of network connectivity to a Domain Controller...blah, blah, etc; although I had rebooted the machine a few times, it was not talking to the Domain Controller because I had it pointing to another DNS. Anyhow, I change the DNS and issue the gpupdate /force command again and bam Computer Policy update has completed successfully.  Then I issue the Manage-bde -protectors -add C: -TPMandPIN and bam Key Protectors Added: TPM And PIN: <Uses Secure Boot for integrity validation>.

I reboot the machine and get a few weird Bitlocker not enabled errors probably due to the fact that I did not Turn On Bitlocker prior to issuing the Manage-bde -protectors -add C: -TPMandPIN command.  So I go and Turn on Bitlocker by right-clicking on the C: and immediately get prompted to enter my PIN after which I save the Recovery Key to a USB drive and BitLocker Drive Encryption starts Encrypting…hahaha.  In your face Surface Pro Bitlocker Error Code 0x803100b5 No Pre-Boot Keyboard Detected!
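
The root cause above was policy that never reached the device. The following is an added example, not part of the original post: a read-only PowerShell preflight that checks whether the two settings are actually in effect and whether the machine can reach its domain before the TPMandPIN protector is added. The registry path and value names are assumptions (the usual policy locations for these two BitLocker settings), not something the post states.

```powershell
# Added example: read-only preflight, run from an elevated PowerShell prompt.
# Assumption: the two settings named in the post are stored under this policy
# key with these value names (the usual BitLocker policy locations).
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$wanted = [ordered]@{
    UseAdvancedStartup                     = @(1)     # Require additional authentication at startup
    UseTPMPIN                              = @(1, 2)  # startup PIN with TPM: 1 = require, 2 = allow
    OSEnablePrebootInputProtectorsOnSlates = @(1)     # preboot keyboard input on slates
}

# Compare what is in the registry with what the policy should have written.
$policy   = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$problems = foreach ($name in $wanted.Keys) {
    $value = if ($policy) { $policy.$name } else { $null }
    if ($wanted[$name] -notcontains $value) {
        $shown = if ($null -eq $value) { 'not set' } else { $value }
        '{0} is {1}' -f $name, $shown
    }
}

# A domain-joined machine that cannot reach a domain controller (for example
# because of a wrong DNS server) will not receive domain Group Policy.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain -and -not (Test-ComputerSecureChannel -ErrorAction SilentlyContinue)) {
    Write-Warning "No secure channel to a domain controller for $($cs.Domain); check DNS, then run gpupdate /force."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning "Policy not applied: $_" }
    Write-Warning 'manage-bde -protectors -add C: -TPMandPIN may fail with 0x803100b5 until policy applies.'
} else {
    Write-Output 'Policy values present. Current key protectors on C:'
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}
```

The script changes nothing; once it reports the policy values as present, the Manage-bde -protectors -add C: -TPMandPIN command from the post is the next step.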


BitLocker – Too Many Pin Entry Attempts – Enter the Recovery Key to Get Going Again – Reset TPM Lockout

On system drives that have been encrypted with Bitlocker to enable pre-boot authentication, users may at one time or another find themselves locked out of the computer.  If too many PIN entry attempts are made by the user, an administrator will have to enter the recovery key to get it going again.  Additionally, the administrator will have to reset TPM Lockout; otherwise, the user will continue to be prompted with the message: Too Many Pin Entry Attempts.  Until TPM Lockout has been reset, you will have to enter the recovery key to complete the boot process.

When using Bitlocker preboot authentication on a Windows 8 machine, it is very important for the Recovery Key to be saved to a safe place, preferably a central repository where administrators can have access to all Recovery Keys when needed (and they eventually will).  BitLocker gives you several options for saving the Recovery Key when enabling pre-boot authentication for a system drive.

Sometimes a user will enter the proper BitLocker PIN at boot but find themselves with a message stating “Too Many Pin Entry Attempts”.  If you see this message you will need to reset TPM Lockout once you are logged in to the system.  To log in to the system you will have to enter the BitLocker Recovery Key that was saved when encrypting the system drive.  Once you have located the Recovery Key and have gained access to the system, right-click on the C: drive and select Manage BitLocker.  In the Drive Encryption window, in the bottom left-hand corner, click on TPM Administration.  In the Trusted Platform Module (TPM) Management on Local Computer window click on Reset TPM Lockout.

The system will again display Enter the PIN to unlock this drive and will accept the BitLocker PIN at boot.
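
As an added example (not from the original post), the PowerShell below reports whether the TPM is currently locked out and escrows the drive's recovery password to a central store without displaying it. It assumes a domain-joined device, Active Directory as the central repository, and a Group Policy that permits storing BitLocker recovery information in AD DS; none of these are stated in the post.

```powershell
# Added example: run from an elevated PowerShell prompt.
# Assumptions: domain-joined device, AD DS used as the central repository,
# and policy allows BitLocker recovery information to be stored there.

# 1. Is the TPM in lockout? If so, the recovery key is needed at every boot
#    until Reset TPM Lockout is performed in TPM Administration.
$tpm = Get-Tpm
if ($tpm.LockedOut) {
    Write-Warning 'TPM is locked out: use Reset TPM Lockout in TPM Administration.'
} else {
    Write-Output 'TPM is not locked out.'
}

# 2. Find the recovery password protector(s) on the system drive.
$mount    = 'C:'
$volume   = Get-BitLockerVolume -MountPoint $mount
$recovery = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recovery) {
    Write-Warning "No recovery password protector on $mount; nothing to escrow."
    return
}

# 3. Escrow each one to AD DS. Only the protector ID is printed, never the
#    48-digit recovery password itself.
foreach ($kp in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $mount `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Output "Escrowed protector $($kp.KeyProtectorId) to AD DS."
    } catch {
        Write-Warning "Escrow failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
    }
}
```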
