Windows 8 BitLocker PIN entry on Samsung Slate 7 Tablet
I know there is a thread discussing the limitation of BitLocker PIN entry on keyboard-less tablets for Windows 7. I was hoping that the issue would be addressed in Windows 8, but I can confirm after requiring a BitLocker PIN on a Samsung Tablet there is no on-screen keyboard available and you can't enter the password without connecting a USB keyboard. This is a huge limitation of Windows 8, which is supposed to be a tablet-friendly OS, and will prevent us from allowing our users to use tablets in our environment.

Test details:
Samsung Slate 7 XE700T1A-A05US, all drivers updated to latest version, BIOS updated to 09FW, and UEFI enabled
Windows 8 Consumer Preview Build 8250

It seems that MS has decided that this functionality is not important, as there is a GPO mentioning that BitLocker can't use an on-screen keyboard:

Enable the use of BitLocker authentication requiring preboot keyboard input on slates

This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability. The Windows on-screen touch keyboard (such as used by slates) is not available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password. It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of pre-boot input (such as by attaching a USB keyboard).

Note that if this option is not enabled, options in the "Require additional authentication at startup" policy may not be available on such devices. These options include:
- Configure TPM startup PIN: Required/Allowed
- Configure TPM startup key and PIN: Required/Allowed
- Configure use of passwords for operating system drives.
May 9th, 2012 12:05pm
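
An added example, not part of the original post: a PowerShell audit that compares the BitLocker startup-authentication policy quoted above with the key protectors actually present on the OS volume. The registry value names and the 0/1/2 meanings are assumptions taken from the BitLocker Group Policy templates, not from this thread; `Get-BitLockerVolume` requires Windows 8 or later and an elevated session.

```powershell
# Added example (not from the thread). Run elevated on the device under test.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Assumed value names: the ones the BitLocker Group Policy templates write for
# "Require additional authentication at startup" and for the slate policy.
$names = 'UseAdvancedStartup', 'UseTPM', 'UseTPMPIN', 'UseTPMKey',
         'UseTPMKeyPIN', 'OSEnablePrebootInputProtectorsOnSlates'

$props  = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$policy = @{}
foreach ($n in $names) {
    # A missing value means that setting is not configured.
    $policy[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { $null }
}

# Key protectors actually present on the OS volume.
$vol    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
$hasPin = @($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' }).Count -gt 0

# Assumed meaning of the Use* values: 0 = do not allow, 1 = require, 2 = allow.
$pinRequired   = ($policy.UseTPMPIN -eq 1) -or ($policy.UseTPMKeyPIN -eq 1)
$slateOverride = $policy.OSEnablePrebootInputProtectorsOnSlates -eq 1

$findings = @()
if ($pinRequired -and -not $slateOverride) {
    # Matches the note in the policy text: PIN options may be unavailable on slates.
    $findings += 'PIN required by policy, but the slate pre-boot input policy is not enabled.'
}
if ($hasPin) {
    $findings += 'PIN protector present: pre-boot entry needs an attached keyboard on touch-only hardware.'
}
if (-not $hasPin -and $pinRequired) {
    $findings += 'Policy requires a PIN, but the OS volume has no PIN protector.'
}

[pscustomobject]@{
    ProtectionStatus = $vol.ProtectionStatus
    Protectors       = $types -join ', '
    UseTPMPIN        = $policy.UseTPMPIN
    UseTPMKeyPIN     = $policy.UseTPMKeyPIN
    SlateOverride    = $slateOverride
    Findings         = $findings -join ' '
}
```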

Hi - What is the reason behind requiring a preboot password on slates? Trying to understand the specific threat model you are addressing with that. Full disk encryption helps prevent exposing data at rest, which this one will do as well. Preboot passwords do create user experience challenges on slates, and only get invoked while you go through the boot flow (which is during a cold boot/restart or hibernate). Slates with connected standby are less likely to be rebooted. So not sure what preboot passwords provide in terms of real security value. What MSFT has done seems reasonable for slates and is comparable to iPad security (actually better, given IT has more control over the device encryption and can be combined with secure boot goodness).
May 9th, 2012 5:18pm

Since this is a Win8 question, next time please post this in the Win8 Security Forums.
http://social.technet.microsoft.com/Forums/en-US/w8itprosecurity/threads

Answer to your question: This is not a limitation of Win8. The options for touch-only devices are: TPM-only, startup key. The only other way is to attach a keyboard at boot to use TPM+PIN. A startup PIN on the tablet will only work if a USB keyboard is connected, as the PIN prompt occurs in a pre-OS mode and there's no access to the on-screen keyboard.

Manoj Sehgal
May 10th, 2012 7:58am

This is a requirement for all our portable devices (notebooks now, slates in the future). We require our mobile users to have dual-factor authentication to gain physical access to the notebook/slate; the BitLocker PIN and Windows password fulfill this requirement. Also, the BL PIN is much more difficult to brute-force attack compared to a Windows password. We also have disabled sleep via GPO and only support hibernate, which forces the PIN to be used.
May 10th, 2012 11:14am

I understand the limitation, but don't agree with the choice that MS has made. It would be possible to add an on-screen keyboard to the BL PIN screen, although I know it would not be easy. There are driver and language issues to work through, but at least the driver issues could be avoided by MS publishing the requirements for the on-screen keyboard for hardware manufacturers. If the manufacturers choose to support it then they would, more than likely, have an advantage in the corporate environment. The language issue could be worked through by either only supporting EN US keyboard or only allowing numeric-only PINs.

Tablets are cheap, small and light; all those things add up to the system being more portable and also more susceptible to loss or theft. In our environment at least, we will be unable to adopt slate PCs due to our security requirements and the BL PIN limitation.

Feel free to move this post into the Windows 8 forum.
May 10th, 2012 11:23am

MS works closely with Hardware manufacturers and it is up to Hardware manufacturers to provide on-screen keyboard layout in Pre-OS environment.

Manoj Sehgal
May 10th, 2012 8:24pm

This topic is archived. No further replies will be accepted.
