T520 - Win7 Ent - UEFI - GPO Enabled to allow Bitlocker enhanced pin, but windows refuses it

Before I start -- I'm not sure if this is a windows issue or a lenovo issue, but had to start somewhere.
I have installed our standard image of Windows 7 Enterprise using Microsoft Deployment Toolkit on a new T520.  The drive is configured for and OS installed in UEFI mode.  BitLocker is enabled automatically as part of my standard deployment task sequence, but with a numeric PIN.  We have a GPO in place that enables BitLocker enhanced PINs, which can include alpha or symbol characters. Normally, after a deployment is complete, I go into Control Panel and change the BitLocker PIN to a new PIN which includes alpha, numeric, and symbol characters.  When I try to change the PIN on this T520, it refuses, stating that it can only accept digits (numeric) 0-9.  
I've run into that error before if a laptop had not been placed in the correct OU, or the GPOs hadn't been applied to it for some other reason, but as best as I can tell that is not the case here.  I've run a group policy results report from the DC, and one from a command prompt on the affected PC using gpresult, and both say the BitLocker Enhanced PIN GPO is enabled and applied.  
I have also just experienced this same issue on a Lenovo X220 Tablet.  We've only recently started seeing/using the UEFI mode on newer laptops, so up until now we've always installed Windows in legacy BIOS mode.  As such, I decided to re-image the X220 forcing it to run in legacy BIOS mode.  After the re-install of Windows, it accepted the enhanced BitLocker PIN without issue.  I suspect if I reimage the T520 in legacy BIOS mode it will work as well, but have not yet tested this.  I was hoping to find a solution rather than simply working around the issue by not using UEFI.
I found the sections below in an article on TechNet regarding BitLocker with UEFI and enhanced PINs, and what I understand from this is that it is fully supported by Windows, but if the laptop doesn't support the full keyboard in the pre-boot environment, Windows will refuse the enhanced PIN and force a numeric-only PIN. 
Is this a problem with the laptop/UEFI version? Or with Windows? Or am I maybe just doing something wrong?  
Any help would be appreciated.  
http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx
PIN and enhanced PIN
For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation. The PIN can consist of 4 to 20 digits as specified by the Configure minimum PIN length for startup Group Policy setting and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed to the user. The PIN is used to provide another factor of authentication in conjunction with TPM authentication.
For an even higher level of security with the TPM, you can configure BitLocker to use enhanced PINs. Enhanced PINs are PINs that use the full keyboard character set in addition to the numeric set to allow for more possible PIN combinations and are between 4 and 20 characters in length. To use enhanced PINs, you must enable the Allow enhanced PINs for startup Group Policy setting before adding the PIN to the drive. By enabling this policy, all PINs created can utilize full keyboard characters.
Note: To use enhanced PINs, your computer's BIOS must support using the full keyboard in the pre-boot environment. Users can run the optional system check during the BitLocker setup process to ensure the PIN can be entered correctly in the pre-boot environment. You should verify that the computers in your organization are compatible before making the use of enhanced PINs an organizational requirement. 
When setting a BitLocker PIN by using the BitLocker setup wizard, the Manage-bde command-line tool, or through Windows Management Instrumentation (WMI) remote administration, you can use the wide character set. However, system firmware, either BIOS or Unified Extensible Firmware Interface (UEFI), may only support a standard EN-US keyboard and keymap during system startup. Additionally, BIOS-based systems are limited to 7-bit ASCII input during PIN entry. Thus, the use of either non-English characters or keys that differ in position from the EN-US keymap, such as QWERTZ and AZERTY keyboards, may cause boot-time PIN entry to fail. If your computer is affected by this limitation, it should be identified during the system check run by the BitLocker setup wizard. If it is not identified during the system check and the PIN is not able to be entered, you will need to supply the recovery key to unlock the drive.
We recommend that users set their keyboard layout to EN-US during enhanced PIN entry to avoid PIN entry failure in the pre-boot environment. If you are unable to enter an enhanced PIN from your keyboard even after setting the keyboard layout to EN-US, you must use a numeric-only PIN.
The following list identifies characters that are not currently supported by system firmware:
Roman characters on keyboards with a non-EN-US keymap. For example, "Z" and "Y" on German keyboards and "Q" and "A" on French keyboards.
Characters that are not available in 7-bit ASCII. For example, characters with umlauts, grave accents, and tildes.
Symbols that are not available in 7-bit ASCII. For example, squared superscript, fractions, copyright, trademark, and international currency symbols.
<snip>
Will BitLocker work on computers that use UEFI-based system firmware?
Yes. Starting with Windows Vista with SP1, BitLocker can be used with computers that use Unified Extensible Firmware Interface (UEFI)-based system firmware.
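A quick way to separate "policy not applied" from "firmware refuses the full keyboard" on the affected machine, as an added diagnostic script that is not part of the original thread. It assumes the registry location HKLM\SOFTWARE\Policies\Microsoft\FVE with the value names UseEnhancedPin and MinimumPIN (where the two Group Policy settings quoted above are written), and it infers the firmware mode from the boot loader name in the current BCD entry; run it from an elevated PowerShell prompt.

```powershell
# Added diagnostic, not from the original post. Assumed registry path/value names
# for the BitLocker GPO settings; adjust if your policy template differs.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns the policy value, or $null when the policy key/value is absent.
    if (-not (Test-Path $fve)) { return $null }
    $item = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

# 1. Is the enhanced PIN policy really present on this machine, not just in the gpresult report?
$enhanced = Get-FvePolicyValue 'UseEnhancedPin'
$minLen   = Get-FvePolicyValue 'MinimumPIN'
$state = if ($enhanced -eq 1) { 'Enabled' } elseif ($enhanced -eq 0) { 'Disabled' } else { 'Not configured' }
"Allow enhanced PINs for startup : $state"
"Configure minimum PIN length    : " + $(if ($minLen) { $minLen } else { 'Not configured (default 4)' })

# 2. Firmware mode on Windows 7: the current boot entry loads winload.efi under UEFI
#    and winload.exe under legacy BIOS.
$bcd  = bcdedit /enum '{current}' 2>&1 | Out-String
$mode = if ($bcd -match 'winload\.efi') { 'UEFI' } elseif ($bcd -match 'winload\.exe') { 'Legacy BIOS' } else { 'Unknown' }
"Firmware boot mode              : $mode"

# 3. Protectors currently on the OS drive (expect "TPM And PIN" after deployment).
manage-bde -status $env:SystemDrive
```

If the policy shows Enabled here and the mode is UEFI, the remaining variable is the firmware's pre-boot keyboard support, which is exactly what the optional system check in the BitLocker wizard exercises; `manage-bde -changepin C:` can then be used to retry the PIN change after a `gpupdate /force` and reboot.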

Very interesting!  I'm not sure if anyone has tried BitLocker with enhanced PIN on UEFI installation of Win7 64-bit.  Please give me a couple days to repro this and investigate.  Thanks for your patience.
