Q: Can I enter a BitLocker PIN on-screen on a Surface Pro 2?
A: The Surface Pro 2 doesn't support an on-screen keyboard during boot, so you can't enter a BitLocker PIN on-screen. However, because the device runs Windows 8.1 or Windows 8, it's common not to require a PIN at all: you can tie user account lockout directly to the TPM, so that if the user password is entered incorrectly a certain number of times, the machine reboots and goes into BitLocker recovery mode. The device is then essentially locked until the recovery key is entered. Enable this setting through Group Policy as follows:
- Open a Group Policy Object (GPO) that applies to the machines.
- Navigate to \Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
- Double-click Interactive logon: Machine account lockout threshold.
- Set the desired number of failed logon attempts, as the figure below shows, and click OK.
- Close the Group Policy Editor.
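To confirm on a tablet that the policy arrived and that a lockout will actually lead to BitLocker recovery, the following check can be run from an elevated PowerShell prompt. It is an added example, not part of the original answer; it assumes the GPO setting is stored in the `MaxDevicePasswordFailedAttempts` registry value and that the BitLocker PowerShell module (`Get-BitLockerVolume`) is available.

```powershell
# Added example: verify the lockout-to-recovery configuration on the local machine.
# Assumption: "Interactive logon: Machine account lockout threshold" is backed by
# the MaxDevicePasswordFailedAttempts value under the Policies\System key.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyName = 'MaxDevicePasswordFailedAttempts'

# A missing value or 0 means the machine is never locked by this policy.
$prop      = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
$threshold = if ($prop) { [int]$prop.$policyName } else { 0 }

# The lockout only protects data if the OS volume is BitLocker-protected.
$osVolume   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$findings = @()
if ($threshold -eq 0) {
    $findings += 'Lockout threshold is not set; failed logons never trigger recovery mode.'
}
if ($osVolume.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is not on for $($env:SystemDrive)."
}
if ($protectors -notcontains 'Tpm') {
    $findings += 'No TPM-only protector; the device may prompt for a PIN or key at boot.'
}
if ($protectors -notcontains 'RecoveryPassword') {
    $findings += 'No recovery password protector; nobody could unlock the device after a lockout.'
}

# Summary object, suitable for collecting from many devices.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    LockoutThreshold = $threshold
    ProtectionStatus = $osVolume.ProtectionStatus
    KeyProtectors    = $protectors -join ', '
    Compliant        = ($findings.Count -eq 0)
    Findings         = $findings -join ' '
}
```

A device that reports `Compliant = False` because the recovery password protector is missing should be fixed before the threshold is enforced, since the recovery key is the only way back in after a lockout.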
Microsoft offers several good resources for BitLocker configuration on tablets. For more information, see the TechNet articles "Configuring BitLocker for Tablets" and "Prepare your organization for BitLocker: Planning and Policies."