Surface Pro + Safeguard 8 - Missing or Invalid POA etc.

I think the issue you're seeing is that newer Surfaces are hardware encrypted, and as such are already encrypted out of the box. It would be easy to check the state of the client locally and see that it's encrypted - not perhaps realising that the recovery key isn't available on the console. 

I do have many Surfaces here though and they're all working well. The client is installed and reporting back to the console with the recovery key available. I'm also using V8.

We do disable PIN on these devices (although newer Surfaces do support pre-boot PIN entry now) and they're running the same config as others.

I would recommend a reboot on each affected client, then a manual sync and then see what appears in the console. You may also find that the console has no inventory for these clients either - a classic sign of the client not reporting back to the server. 

Keep me updated - Surfaces are and probably will continue to be a large part of my estate!

All the best

I think the issue you're seeing is that newer Surfaces are hardware encrypted, and as such are already encrypted out of the box. It would be easy to check the state of the client locally and see that it's encrypted - not perhaps realising that the recovery key isn't available on the console. 

I do have many Surfaces here though and they're all working well. The client is installed and reporting back to the console with the recovery key available. I'm also using V8.

We do disable PIN on these devices (although newer Surfaces do support pre-boot PIN entry now) and they're running the same config as others.

I would recommend a reboot on each affected client, then a manual sync and then see what appears in the console. You may also find that the console has no inventory for these clients either - a classic sign of the client not reporting back to the server. 

Keep me updated - Surfaces are and probably will continue to be a large part of my estate!

All the best

Thanks for the response Michael.

I guess I am confused as to what the process should be for Surfaces as opposed to vanilla desktops due to the hardware encryption. Do you guys have a different process for installing SGN on Surfaces vs. regular desktops? 

I use the same automated script/application we've developed but then I manually add them to an SG group that has a NO PIN requirement (as in TPM only)

All new Surfaces support pre-boot PIN but some other tablets/brands don't so I chose to class them all in the same camp for simplicity and consistency.

So you should be able to install the SG client in exactly the same way. If you're using AD there are some relevant GPO's to set too for tablets - do check they're set correctly too.

This article (although a little dated) may help?

https://blogs.technet.microsoft.com/askpfeplat/2014/07/13/bitlocker-pin-on-surface-pro-3-and-other-tablets/

When you say TPM only, are you referring to the Authentication policy setting for "BitLocker Logon Mode for Boot Volumes"? We have that set for TPM for all of our devices. 

Yes that's correct. It's recommended to have TPM+PIN but not all hardware will support this.

MichaelMcLannahan,

Would you be willing to share your installation script? 

Also, are you installing these with our without Challenge/Response?

Hello - We have an automated exe that bundles renaming computer, joining AD, installing SafeGuard and getting policy all in the one app.

It's written internally and has lots of hard coding in particular to us, so I'm afraid I couldn't share it.

We chose NOT to use C/R after some iffy experiences with it - mainly it installing on hardware that wasn't officially supported and then didn't quite work as expected?