Here is the situation and hopefully somebody can help...
One of the guys in IT created an MDT deployment for laptops and tablets (specifically Surface Pro 3).
Unfortunately, I don't think he really thought this through and relied on the vendor's (Sophos) information.
Basically I have a Surface Pro 3 with the hard drive encrypted, using a TPM + PIN configuration.
In a normal Microsoft scenario, when deploying Windows, BitLocker would trigger to save the recovery key in AD. However, when using Sophos, it encrypts the drive using BitLocker, but instead the recovery key gets saved in the Sophos console.
As some of you have experienced, the Surface Pro 3 is prone to turning on while kept inside a bag, and the keyboard gets pressed (typing bad PINs at preboot auth). This leads to the dreaded TPM lockout.
Normally, the recovery key would be needed in order to boot, and then once inside the system, you would unblock the TPM. Unfortunately, for some unknown reason, the recovery key is not working and I am unable to boot the machine.
So there is no other option, right?
Well, I am trying something but don't know if it will work. In Windows 8.1, there is a cmdlet called Unblock-Tpm that should unblock the TPM (resetting the anti-hammering counter back to 0). We have the password and owner account, so in theory, it should work. Once the TPM is unblocked again, by rebooting and using the PIN, the TPM should supply the key and the machine should be able to boot.
Unfortunately, I had no luck running this cmdlet from Windows PE. I assume it is an issue with WMI, since the cmdlet tries to run but I get an error message.
Also, the Surface Pro 3 is very picky about which flash drive it wants to boot from. So, while I am in the process of creating a Windows To Go on a specific flash drive that should boot on the Surface, do you know of any documentation, or has anybody been able to correctly run the Unblock-Tpm cmdlet from outside the operating system (be it WinPE or any of those PE discs that are going around)?
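The procedure the post describes (check the TPM's anti-hammering state, reset it with the owner authorization, confirm the reset, then reboot and enter the PIN), written out as an added PowerShell example. This is not code from the original post or from Sophos. It assumes the TrustedPlatformModule cmdlets and the TPM WMI provider (namespace root\cimv2\Security\MicrosoftTpm) are available where it runs: a full Windows 8.1 install, a Windows To Go drive, or a WinPE image built with the WinPE-WMI, WinPE-SecureStartup and WinPE-PowerShell optional components. The $OwnerAuth parameter is a placeholder for the TPM owner authorization value you already hold; the script does not know where it is stored.

```powershell
# Added example, not from the original post. Checks whether the TPM is locked
# out, resets the anti-hammering counter with the owner authorization, and
# verifies the result before you reboot and try the PIN again.
# Assumption: TrustedPlatformModule cmdlets and the Win32_Tpm WMI provider are
# present (full Windows 8.1, Windows To Go, or WinPE with WinPE-WMI,
# WinPE-SecureStartup and WinPE-PowerShell). $OwnerAuth is a placeholder for
# the owner authorization string you export from wherever it is escrowed.
param(
    [Parameter(Mandatory = $true)]
    [string]$OwnerAuth
)

# 1. First check that the TPM WMI provider is reachable at all. In a WinPE
#    image built without the optional components the namespace simply does
#    not exist, and every TPM cmdlet fails with a WMI error.
$tpmNamespace = 'root\cimv2\Security\MicrosoftTpm'
try {
    $tpmWmi = Get-WmiObject -Namespace $tpmNamespace -Class Win32_Tpm
} catch {
    throw "TPM WMI provider not available at ${tpmNamespace}: $($_.Exception.Message)"
}
if (-not $tpmWmi) {
    throw "No Win32_Tpm instance returned from $tpmNamespace"
}

Import-Module TrustedPlatformModule

# 2. Record the lockout state before touching anything.
$before = Get-Tpm
"Before: LockedOut={0} LockoutCount={1} LockoutMax={2} OwnerAuthKnown={3}" -f `
    $before.LockedOut, $before.LockoutCount, $before.LockoutMax, [bool]$before.OwnerAuth

if (-not $before.LockedOut) {
    'TPM does not report a lockout; nothing to reset.'
    return
}

# 3. Reset the anti-hammering counter. This is the step that needs the
#    owner authorization; a wrong value leaves the TPM locked out.
Unblock-Tpm -OwnerAuthorization $OwnerAuth

# 4. Confirm the reset took effect before rebooting into the PIN prompt.
$after = Get-Tpm
"After:  LockedOut={0} LockoutCount={1}" -f $after.LockedOut, $after.LockoutCount
if ($after.LockedOut) {
    throw 'TPM still reports LockedOut; check the owner authorization value.'
}
'TPM unblocked. Reboot and enter the PIN at the preboot prompt.'
```

Run it from an elevated PowerShell prompt in the environment described above, passing the owner authorization as the first argument. If step 1 throws, the cmdlet was never going to work in that boot image and the fix is to rebuild WinPE with the optional components (or use the Windows To Go drive) rather than to retry the cmdlet.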