
Symantec Encryption Desktop 10.3.1 w/ Surface Pro W8/8.1

Created: 18 Oct 2013 | 11 comments

Since 10.3.1 came out we have had success with Windows 8 on the Surface Pro.

The problem is we have to disable Secure Boot for it to boot with encryption installed. Why is this?

Also, due to disabling Secure Boot, now since upgrading to Windows 8.1 we have the watermark in Windows about Secure Boot isn't configured correctly.

Before the device is encrypted and with Secure Boot enabled, that message isn't there.

Bottom line is, what is it going to take to get the Surface Pro working with Secure Boot enabled with Encryption? I don't want to have to choose.

BTW, the error message you get when you boot after the device is encrypted and you go to start it up is as follows.

Secure Boot Violation. Invalid Signature Detected. Check Secure Boot Policy in Setup.

Again, this only pops up after it's finished encrypting and you restart for the first time. Disabling Secure Boot gets me to boot guard.


Alex_CST's picture

I'm guessing that Symantec haven't got round to talking to Microsoft to allow BootGuard past the Trusted Boot / Secure Boot status.

It's not an error with the coding, more a political issue (I assume) 

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

Anthony_Betow's picture

Microsoft uses Secure Boot to check your system's software to validate its authenticity. If secure boot finds rootkits or malware then secure boot blocks these viruses from loading into the operating system.

This is a security feature from Microsoft.  Disabling Secure Boot should allow your PGP to work properly.

Matt L's picture

Yes, PGP works IF I disable Secure Boot. Once on the desktop in 8.1, the watermark will not go away with Secure Boot disabled.

So I am SOL on the Surface Pro with 8.1 and Symantec Encryption? People will be constantly calling me about why they have this message on the screen.

Anthony_Betow's picture

Hi Matt,

The only way to remove the watermark is enabling the Secure Boot but this conflicts with PGP.  This hasn't been addressed by Microsoft yet.  This may be addressed in later versions of PGP for the Bootguard to load before Secure Boot. 

Look for firmware updates for the BIOS, which may have an option to remove the watermark if the manufacturer puts that BIOS feature in there. This may be addressed in a future update with Microsoft.

PGP_Ben's picture

We should be compatible with Secure Boot. But we have had several "known issues" in relation to how Secure Boot is enabled in the EFI/BIOS level on a few different models. I would suggest seeing if there is a Firmware/BIOS update on the machine which may help.

For the record, we do not officially support Microsoft Windows 8.1 yet. It is in the roadmap for a future release though.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

tbross319's picture

You all may want to check out this Microsoft KB that apparently removed the watermark for secure boot http://support.microsoft.com/kb/2902864 :)

Matt L's picture

This does seem to remove the watermark.

Now if only the Surface Pro 2 didn't have a blazing Red boot screen when you disable Secure Boot for Encryption to work!

Ben, I know it's not officially supported but other than Secure Boot, Encryption seems to work fine with 8.1.

Another problem with Surface Pros though is that the monthly System Firmware via Windows Updates will fail with Encryption. Not a big deal, just annoying.

giab's picture

Hi Matt,

I have been using Encryption Desktop for 1 month. I have a trial version, which is about to expire in a couple of days.

Surface Pro 2 has some issues with the latest firmware update. We will have to update to the latest firmware version - when Microsoft releases it. What can we do? I checked in Windows Updates and I can see that December update figures there as failed... although some changes went through.

You mention that the firmware update is just annoying for you, but not a big deal. How do you plan to allow Surface to get the updates? Any tip & trick you can share?

Thanks!

Gia

Matt L's picture

Gia,

I have not played around with the Surface 2 Pro lately but what I have noticed on the Surface is that if there is a hardware/firmware update available in Windows Update for the Surface, it will fail with Encryption. I'm sure it's the UEFI restricting.

So if you want those specific updates, you would have to decrypt first, it seems. :(

giab's picture

Thank you Matt... I had a look to see if BitLocker leads to the same issue with firmware update. It doesn't seem like it. I hope Symantec will deliver a fix for this.
Cheers,
Gia

PGP_Ben's picture

This is documented in our release notes for Symantec Encryption Desktop 10.3.2 FYI:

http://www.symantec.com/docs/TECH203071

Incompatibility with Microsoft Surface Pro laptops when Secure Boot is enabled on Microsoft Windows 8/8.1 UEFI systems. Symantec Drive Encryption is incompatible with Microsoft Surface Pro laptops when Secure Boot is enabled (a boot failure occurs when restarting your system after encrypting it). To temporarily work around this issue, disable Secure Boot in your system UEFI settings. For more information, refer to the instructions that came with your system. Note that this is an issue with the Microsoft Surface Pro laptop and could be resolved by Microsoft in the future. [3319192]

I put the bottom text in bold (it wasn't originally in bold). This is because it appears that this was an issue which we asked Microsoft to work with us to resolve. To my knowledge, the Surface Pro tablet is one of the few tablets I have seen a problem with having this feature enabled.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.
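
Added example, not part of the thread and not Symantec or Microsoft code: a PowerShell pre-deployment check that reports the Secure Boot state and flags machines matching the known issue quoted from the 10.3.2 release notes (Surface Pro with Secure Boot enabled). The function names and the `Surface*Pro*` model pattern are assumptions; `Confirm-SecureBootUEFI` needs an elevated session.

```powershell
# Added example: run before encrypting a device to see whether it matches
# the known issue (Surface Pro + Secure Boot enabled -> boot failure).

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and
    # throws on legacy BIOS boots or non-elevated sessions.
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        'NotUEFI'           # legacy BIOS boot: Secure Boot does not apply
    }
    catch [System.UnauthorizedAccessException] {
        'NeedsElevation'    # re-run from an elevated PowerShell session
    }
    catch {
        'Unknown'           # anything else: treat as undetermined
    }
}

function Test-DriveEncryptionBootRisk {
    param(
        # Assumption: illustrative pattern; adjust it to the Model strings
        # your own hardware inventory reports for Surface Pro devices.
        [string]$ModelPattern = 'Surface*Pro*'
    )

    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $state = Get-SecureBootState

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SecureBoot   = $state
        # True only when both conditions of the release-note issue hold.
        AtRisk       = ($cs.Model -like $ModelPattern) -and ($state -eq 'Enabled')
    }
}

Test-DriveEncryptionBootRisk | Format-List
```

A result of `NeedsElevation` or `Unknown` leaves `AtRisk` false, so treat those rows as undetermined rather than safe.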