Windows Devices Not Working, Diagnosed and Fixed (2026 Guide)
Why Windows Devices Not Working During Deployment or After Updates
Picture this: you're an IT admin rolling out a fresh Windows image across a batch of Surface devices. You've done this a hundred times. MDT is configured, the task sequence is solid, and then, one machine bricks halfway through. The bdd.log file spits out something like "Disk(0) was not found. Unable to continue." and the deployment just stops dead. Or maybe it's a different scenario, you pushed a routine UEFI firmware update overnight, came in the next morning, and now half your Surface fleet is sitting at a BitLocker recovery screen, stuck in an infinite reboot loop. Neither situation is fun. Both are fixable.
I've seen both of these scenarios more times than I'd like to admit, and the frustrating part is that Windows' own error messages are nearly useless at pointing you toward the real cause. "Missing Storage Driver." "Disk OSDDiskIndex(0) can not be found." These messages sound like hardware failures. They're not. They're a configuration mismatch, one that Microsoft has documented, but buries under KB numbers that most admins never stumble on until they're already in the weeds.
So why does this happen? There are two distinct root causes at play in modern Surface deployments, and they sometimes overlap in ways that make diagnosis even harder.
Root Cause #1, Storage Spaces and the phantom Disk0. Certain Surface devices with a 1-TB storage configuration don't actually use a single 1-TB SSD. Instead, they use Microsoft's Storage Spaces technology to stitch two 512-GB SSDs together into one virtual drive. The problem is that Storage Spaces drives are virtual, meaning the operating system lists them after the physical drives in the disk enumeration order. So when your MDT task sequence targets Disk0, the way it always has, it finds the physical drives first and the virtual storage volume ends up at Disk2 or Disk3. Windows Devices Not Working in this way is entirely a software enumeration issue, not a driver problem, not a hardware failure.
Root Cause #2, BitLocker PCR misconfiguration and firmware updates. On Surface devices where BitLocker is active, a firmware update to the UEFI or the Trusted Platform Module (TPM) changes the cryptographic signature that BitLocker uses to verify boot integrity. Normally this is fine, BitLocker is designed to tolerate small changes like this. The problem only surfaces (no pun intended) when BitLocker isn't binding to the default Platform Configuration Registers (PCR 7 and PCR 11). If someone has manually defined PCR values through Group Policy, or if Secure Boot has been turned off, then a firmware update that would ordinarily be transparent instead looks like a tampered boot environment. BitLocker panics, demands the recovery key, and when the recovery key doesn't solve the loop, it doesn't, because the real issue is the PCR binding, the device keeps rebooting.
Both problems affect real enterprise environments running real Surface hardware. The affected device list is specific, and knowing whether your machine is on it saves hours of pointless driver hunting. Browse all Microsoft fix guides →
The Quick Fix, Try This First When Windows Devices Not Working
Before you spend two hours rebuilding your MDT task sequence or calling Microsoft Support, run through this quick diagnostic to identify which of the two root causes you're dealing with. The fix for each is fast once you know which path you're on.
If your Windows device not working symptom is a failed MDT deployment with a Disk0 error:
Check your device model and storage size first. Open the Surface's UEFI settings (hold Volume Up and press the Power button), navigate to the device information screen, and look at the storage configuration. If you're on a Surface Pro (5th Gen) 1-TB, Surface Laptop (1st Gen) 1-TB, Surface Pro 6 1-TB, or Surface Laptop 2 1-TB, you're almost certainly hitting the Storage Spaces disk enumeration issue. Your fix is a single change in MDT: swap the disk target from Disk 0 to Disk 2 in your "Format and Partition Disk (UEFI)" task sequence step. If an SD card is inserted in the device, bump that to Disk 3 instead. That's it. No driver updates needed, no imaging changes, no hardware replacements.
If your Windows device not working symptom is a BitLocker recovery prompt after a firmware update:
Don't keep entering the recovery key, it won't fix the loop. Open an elevated PowerShell session on a working machine and suspend BitLocker on the affected drive first. The command is:
Suspend-BitLocker -MountPoint "C:" -RebootCount 0The -RebootCount 0 parameter is important, it keeps BitLocker suspended through multiple reboots, which matters because UEFI and TPM firmware updates often require two or three restarts to complete. Once the firmware installation is fully done and the device is booting normally, resume protection with:
Resume-BitLocker -MountPoint "C:"If the device is already in the reboot loop and you can't get to a command prompt, you'll need to boot into Windows Recovery Environment (WinRE) first. Hold Shift while clicking Restart from the login screen, or boot from a USB recovery drive, then open Command Prompt from the advanced options. From there the same PowerShell cmdlets will work.
Not every 1-TB Surface device has this issue, so start by confirming you're dealing with an affected model. The distinction matters because treating an unaffected device like an affected one, or vice versa, will break your deployment for different reasons.
Devices confirmed to use Storage Spaces (dual 512-GB SSD), AFFECTED by the Disk0 issue:
- Surface Pro (5th Gen), 1-TB configuration
- Surface Laptop (1st Gen), 1-TB configuration
- Surface Pro 6, 1-TB configuration
- Surface Laptop 2, 1-TB configuration
Devices that use a single SSD in their 1-TB configuration, NOT affected:
- Surface Pro 4
- Surface Book
- Surface Book 2
- Surface Studio 2
- Surface Pro 7
- Surface Laptop 3
You can also confirm the dual-drive Storage Spaces configuration from within Windows. Open Disk Management (right-click the Start button, select Disk Management) on a working machine of the same model. If you see physical Disk0 and Disk1 listed as 512-GB drives alongside a Storage Spaces virtual volume, you're dealing with an affected configuration. The virtual drive will appear after the physical ones in the list, that ordering is exactly what breaks MDT's Disk0 target.
You can verify this in PowerShell as well:
Get-Disk | Select-Object Number, FriendlyName, Size, PartitionStyleIf you see three disks listed (two 512-GB physical drives plus the virtual Storage Spaces volume), the deployment task sequence absolutely needs to target Disk2, not Disk0. If you only see one disk, you have a single-SSD configuration and this particular fix doesn't apply to you, look further down this guide for other causes.
Once you've confirmed you're dealing with a Storage Spaces dual-SSD Surface device, this step is your primary fix. The change itself is minor, one number in one field, but the implications are significant enough that you need to pay close attention to how you structure your deployment going forward.
Open the Microsoft Deployment Toolkit console and navigate to your task sequence. Find the step titled "Format and Partition Disk (UEFI)". In the properties of that step, look for the disk number field. It will almost certainly be set to 0 by default. Change it to 2.
If your Surface devices have an SD card inserted during deployment, which can happen in enterprise environments where SD cards are used for storage expansion or imaging media, change the disk number to 3 instead, because the SD card takes a disk enumeration slot ahead of the Storage Spaces virtual volume.
Critical caveat: Once you make this change, this task sequence becomes device-specific. A task sequence targeting Disk2 will not work correctly on standard devices that don't use Storage Spaces, on those machines, Disk2 may not exist, or may point to an external drive or recovery partition. You'll need to maintain a separate task sequence for affected Storage Spaces devices versus your standard deployment sequence for everything else.
After saving the change, run a test deployment on one affected device. Watch the bdd.log file in real time if you can, you can tail it during deployment or review it at C:\Windows\Temp\DeploymentLogs\bdd.log after the fact. A successful run through the disk partitioning phase will no longer show the FAILURE ( 7711 ) error. Instead, you'll see the disk partitioning completing and the sequence moving on to the OS application phase.
REM In your MDT CustomSettings.ini you can also add:
OSDDiskIndex=2This forces the disk index at the rules level rather than the task sequence step level, which gives you a bit more flexibility if you use dynamic variables in your deployment configuration.
This step is something most admins skip entirely, until it bites them. Before you ever push a UEFI or TPM firmware update to a BitLocker-protected Surface device, spend 60 seconds confirming which Platform Configuration Registers BitLocker is currently bound to. This one check tells you exactly how much risk you're carrying.
Open an elevated command prompt (right-click Command Prompt, select "Run as administrator") and run:
manage-bde.exe -protectors -get C:Replace C: with whatever drive letter your OS volume is assigned to. Look for the output section labeled TPM And PIN or TPM under the protectors list. You'll see a line that reads something like:
PCR Validation Profile:
7, 11If you see PCR 7 and PCR 11 listed, and only those two, you're in the safe default configuration. BitLocker is using the correct registers and a firmware update will, in most cases, be transparent. The device will prompt for BitLocker temporarily but should recover on its own after the firmware settles.
If you see different PCR values, say, 0, 2, 4, 8, or any combination that doesn't include PCR 7 and PCR 11 as the sole members, stop. Do not push the firmware update yet. Your BitLocker configuration has been customized, either by Group Policy, a previous admin, or a security baseline. Pushing a UEFI or TPM firmware update in this state is what causes the infinite reboot loop.
PCR 7 is specifically tied to Secure Boot state. On Surface devices that support Connected Standby (also known as InstantGO or Always On, Always Connected), BitLocker defaults to binding PCR 7 and PCR 11 when Secure Boot is correctly configured. If Secure Boot is off, or if Group Policy has explicitly overridden the PCR selection, you lose that safety net.
Make note of what you find. If the PCR profile is non-default, proceed to Step 4 before doing anything else.
I know this is frustrating, especially in enterprise environments where BitLocker is mandatory policy and "suspending" it feels like a security violation. But here's the reality: temporarily suspending BitLocker for a firmware update cycle is the official, documented Microsoft recommendation. It does not decrypt your drive. It does not remove the BitLocker keys. It simply tells BitLocker to hold off on measuring the boot environment for a defined number of reboots. Your data stays encrypted the entire time.
Open an administrative PowerShell session and run:
Suspend-BitLocker -MountPoint "C:" -RebootCount 0The -RebootCount 0 parameter is the key detail here. A value of 0 means BitLocker stays suspended indefinitely, across as many reboots as the firmware update requires, until you manually resume it. This matters because UEFI firmware updates and TPM firmware updates (including the Surface dTPM IFX update) often require two or three reboots to complete. If you use -RebootCount 1 or -RebootCount 2, BitLocker may rearm itself before the firmware cycle is done, putting you right back in the loop.
After running that command, you should see output confirming that BitLocker protection has been suspended for the C: volume. Now go ahead and install your Surface firmware updates, either through Windows Update, the Surface app, or your enterprise deployment tool of choice.
Once the firmware updates are fully installed and the device is booting normally into Windows, resume BitLocker immediately:
Resume-BitLocker -MountPoint "C:"Verify that BitLocker is active again and protecting the volume:
manage-bde.exe -status C:The output should show Protection Status: Protection On and Conversion Status: Fully Encrypted. If you see "Protection Off" after running Resume-BitLocker, wait a moment and run the status check again, it sometimes takes a few seconds for the status to update. If it stays off, re-run the Resume-BitLocker cmdlet.
For scripted deployments across a fleet, you can wrap this in a simple PowerShell script that suspends before the firmware install, waits for the update to complete, and then resumes, but test it thoroughly on one machine before rolling it out at scale.
This step is about permanent prevention, not just one-time recovery. If your BitLocker ended up bound to non-default PCR values in the first place, it means something changed your device's Secure Boot configuration at some point. Fixing the immediate firmware update issue without correcting the underlying PCR configuration means you'll hit this exact same problem again next time there's a firmware update, and Surface firmware updates come out regularly.
With BitLocker suspended (from Step 4), boot your Surface device into UEFI settings. The method depends slightly on model, but for most modern Surface devices: hold the Volume Up button, then press and release the Power button. Keep holding Volume Up until the Surface UEFI settings screen appears.
In the UEFI settings interface, navigate to the Security section. Look for the Secure Boot option. If it's set to Off or Disabled, enable it. The setting is typically labeled "Secure Boot", change to "Microsoft Only" or "Enabled" depending on your firmware version.
Save and exit the UEFI settings. Windows will boot normally (BitLocker is still suspended so you won't get a recovery prompt). Once you're back in Windows, check the PCR values again:
manage-bde.exe -protectors -get C:With Secure Boot now enabled and correctly configured, BitLocker should automatically recognize that the boot environment matches the expected PCR 7 and PCR 11 profile. Resume BitLocker protection:
Resume-BitLocker -MountPoint "C:"If you had Group Policy settings that were explicitly overriding the PCR validation profile, you'll also need to address those. The relevant Group Policy path is: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Configure TPM platform validation profile for native UEFI firmware configurations. If this policy is enabled and set to anything other than PCR 7 and PCR 11, either update the policy or set it back to "Not Configured" to allow BitLocker to use its secure default selection. After a gpupdate /force and a reboot, the PCR binding should normalize to the safe default state.
Run manage-bde.exe -status C: one final time to confirm everything looks good before declaring the device healthy and returning it to service.
Advanced Troubleshooting for Windows Devices Not Working at Enterprise Scale
The steps above handle individual machines. But in an enterprise environment managing hundreds or thousands of Surface devices, you need to think about these issues differently, at the fleet level. Here's how to get on top of both the MDT deployment issue and the BitLocker PCR problem across your whole org.
MDT Deployment at Scale, Managing Multiple Task Sequences
The official Microsoft guidance is clear: a task sequence targeting Disk2 for Storage Spaces devices cannot be shared with standard single-SSD devices. This is non-negotiable. In practice, the cleanest approach is to maintain two separate deployment task sequences: one for your Storage Spaces 1-TB Surface fleet and one for everything else. You can use MDT's dynamic variable list and database queries to automatically select the right task sequence based on the device's Make and Model. In CustomSettings.ini, a rule like this can help:
[Surface Pro (5th Gen)]
OSDDiskIndex=2
[Surface Laptop]
OSDDiskIndex=2
[Default]
OSDDiskIndex=0Test this logic carefully, MDT's model detection pulls from WMI and the exact string it returns for "Surface Pro (5th Gen)" may vary. Use wmic computersystem get model on the device itself to confirm the exact string before building rules around it.
BitLocker at Scale, Group Policy and SCCM/Intune Integration
If you're managing BitLocker through Group Policy or Microsoft Intune, the PCR configuration policy is likely being pushed from the top down. Before any fleet-wide firmware update campaign, audit your BitLocker GPO settings. Pull a report of all devices showing non-default PCR bindings using PowerShell remoting:
Invoke-Command -ComputerName $deviceList -ScriptBlock {
manage-bde.exe -protectors -get C: | Select-String "PCR"
}Any device returning PCR values other than 7 and 11 needs the Secure Boot + PCR remediation treatment before it gets a firmware update. Tag those devices in your CMDB and create a separate pre-update remediation task for them.
Event Viewer Analysis for BitLocker Loop Diagnosis
When a device is stuck in a BitLocker recovery loop and you're not sure if the issue is PCR-related or something else, the Windows event logs can help. If you can get the device to boot into WinRE, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management. Event ID 853 indicates that BitLocker found a change in the boot configuration that doesn't match the sealed PCR measurements. Event ID 778 means the TPM was unable to seal the BitLocker keys, which often points to a TPM firmware version issue. These event IDs help you distinguish between a PCR mismatch (fixable with Secure Boot remediation) and a more serious TPM hardware problem (which may require a TPM reset or escalation).
When a TPM Reset May Be Required
In rare cases, particularly after a failed or interrupted dTPM firmware update, the TPM itself may be in a bad state. A stuck or corrupted TPM cannot seal new BitLocker keys, which means even after you fix the PCR configuration, BitLocker can't resume properly. Signs of this include BitLocker resuming successfully in PowerShell but the device still prompting for recovery at next boot, or manage-bde.exe -status showing "Protection On" but "Conversion Status: Fully Decrypted." A TPM reset through UEFI (Security > Clear TPM) will resolve this, but it will also invalidate all TPM-protected keys, including your BitLocker keys. Have your recovery key ready and backed up before you do this.
Prevention & Best Practices for Windows Devices Not Working in the Future
Both issues covered in this guide are entirely preventable with the right preparation. I've watched organizations hit these problems repeatedly, the MDT Disk0 error on every new Surface refresh, the BitLocker loop every firmware cycle, simply because no one took 20 minutes to lock in the right procedures once and document them properly. Here's how to make sure you're never in this situation again.
Build device-awareness into your MDT structure from day one. Every Surface device model that enters your fleet should be catalogued for its storage configuration. Before a new model ships, check Microsoft's documentation to confirm whether it uses Storage Spaces or a single SSD. Create a dedicated task sequence for any Storage Spaces model, label it clearly ("Surface 1TB Storage Spaces Deployment"), and restrict it so it can only be selected for the appropriate device types. Don't rely on technicians remembering, enforce it through MDT's device collection rules.
Automate PCR checks as part of your pre-patch process. Before any firmware update campaign, run a fleet-wide PCR audit. This is a five-minute PowerShell script, not a project. Build it into your patch preparation runbook and run it at the start of every Surface firmware update cycle. Non-compliant devices get suspended BitLocker and Secure Boot remediation before the firmware goes out. Compliant devices go straight to the update. No exceptions.
Rotate and escrow your BitLocker recovery keys regularly. Recovery keys should live in Active Directory, Azure AD, or your enterprise key management solution, not in someone's spreadsheet. Audit recovery key escrow health monthly. A device with no escrowed recovery key is a device that becomes a paperweight if the unexpected happens. This matters doubly for Surface devices, because their firmware update cadence is active and their BitLocker interaction is more complex than standard PCs.
Test firmware updates on a canary group first. Never push a Surface firmware update to the whole fleet simultaneously. Pick 5-10 representative devices, push the update to those first, watch them through two or three reboot cycles, confirm BitLocker re-engages properly, and only then roll out to the broader fleet. This 48-hour canary period has saved more than one admin from a fleet-wide incident.
- Run
manage-bde.exe -protectors -get C:on every new Surface before it leaves your hands, confirm PCR 7 and PCR 11 are the only values listed - Add an MDT pre-flight check that queries the device model and automatically selects the correct disk index before the partitioning step runs
- Configure Azure AD or AD DS to automatically backup BitLocker recovery keys, verify this is working, not just configured
- Maintain a dedicated Surface firmware update runbook that includes the Suspend-BitLocker step as a mandatory pre-update action for all BitLocker-enabled machines
Frequently Asked Questions
Why does my MDT deployment fail with "Disk(0) was not found" only on Surface Pro 1TB but not on other machines?
It comes down to how the 1-TB configuration is built on specific Surface models. Devices like the Surface Pro 5th Gen and Surface Laptop 1st Gen with 1-TB storage use Microsoft Storage Spaces to combine two 512-GB SSDs into a single virtual drive. Storage Spaces volumes are listed after physical drives in the disk enumeration order, so the virtual drive ends up at Disk2 or Disk3, not Disk0. Other Surface models with 1-TB storage (Surface Pro 7, Surface Laptop 3) use a single physical SSD and don't have this problem. The fix is changing your MDT task sequence to target Disk2 instead of Disk0 for the affected models.
My Surface is stuck in a BitLocker recovery loop after a firmware update and the recovery key doesn't stop the reboots, what do I do?
Entering the recovery key over and over won't help, the root issue is that BitLocker's PCR binding no longer matches the post-firmware boot environment. Boot into Windows Recovery Environment (WinRE) by holding Shift and clicking Restart from the login screen. Open Command Prompt from the Advanced Options menu. Run Suspend-BitLocker -MountPoint "C:" -RebootCount 0 to lift the BitLocker check. The device should now boot normally. Once you're in Windows, check that Secure Boot is enabled via UEFI settings and run Resume-BitLocker -MountPoint "C:" to re-engage protection.
Is it safe to suspend BitLocker before a firmware update? Won't my data be exposed?
Suspending BitLocker does not decrypt your drive or remove your encryption keys, it simply tells BitLocker to skip the TPM measurement check for a defined number of reboots. Your data remains fully encrypted the entire time. This is Microsoft's own official recommendation for handling UEFI and TPM firmware updates safely. The risk window is narrow (just the update cycle) and far smaller than the alternative, which is a device that won't boot at all. Always resume BitLocker immediately after the firmware update completes using Resume-BitLocker -MountPoint "C:".
How do I check which PCR values BitLocker is using on my Surface device?
Open an elevated command prompt and run manage-bde.exe -protectors -get C:. In the output, look for the "PCR Validation Profile" line under the TPM protector. You want to see only 7, 11 listed there. PCR 7 corresponds to Secure Boot state, and PCR 11 corresponds to the BitLocker access control. If you see any other PCR numbers listed, particularly 0, 2, 4, or 8, your configuration has been customized and you're at risk of a recovery loop after firmware updates. Restore Secure Boot and check whether Group Policy is overriding the PCR selection.
If I change my MDT task sequence disk number to 2, will it break deployments on non-Surface devices?
Yes, it absolutely will, and Microsoft explicitly flags this in the official documentation. A task sequence targeting Disk2 is device-specific and cannot be shared with standard PCs or Surface models that use a single SSD. On a normal machine, Disk2 may not exist or may point to a secondary storage device or USB drive, leading to catastrophic partitioning errors. You need to maintain separate task sequences for your Storage Spaces Surface devices and your standard hardware. Use MDT's dynamic variable rules or device collection filtering to enforce which task sequence gets applied to which hardware.
Does an SD card inserted in a Surface affect which disk number to use in MDT?
Yes, it does. On the affected Storage Spaces Surface models, the disk enumeration order is: physical SSD #1 (Disk0), physical SSD #2 (Disk1), SD card if present (Disk2), and the Storage Spaces virtual volume (Disk3). Without an SD card, the virtual volume lands at Disk2. With an SD card inserted, it shifts to Disk3. The simplest fix is to standardize your deployment process by removing all SD cards from Surface devices before imaging, then targeting Disk2 consistently. If SD cards must remain during deployment for operational reasons, target Disk3 and add a note to your runbook about this dependency.