Making the assumption that you are using BitLocker for device encryption (and why wouldn't you), the solution may have an issue with enforcing encryption with a TPM + PIN key protector on tablet computers. The reason is that tablets, by definition, do not necessarily have a physical keyboard attached in order for the user to enter in a PIN. Because that entry screen happens before the full OS is loaded, the drivers necessary for operating the touch functionality are not loaded (in most cases).

Please take a look at this blog post on TechNet: http://blogs.technet.com/b/askpfeplat/archive/2014/07/14/bitlocker-pin-on-surface-pro-3-and-other-tablets.aspx

So, how to handle for this solution? You have a couple of choices. The first is to enable the Group Policy mentioned in that TechNet article and force the user to use a physical keyboard (or find one if necessary). If you have a Surface Pro 3 and Windows 10, bonus, you get an on-screen keyboard with touch functionality, so problem solved.

The second option is to modify the CustomSettings.ini and, in the make/model section for that computer type, add a BDEInstall=TPM line, which will override the settings for the role and use just the TPM chip to encrypt the drive. If you have other group policies that require a PIN, you'll need to rectify those separately.