[KB7132] Use ESET Endpoint Encryption with Microsoft Surface devices

 

Issue

Solution

Windows RT compatibility

The ESET Endpoint Encryption (EEE) client only supports machines running an x86-based processor. You cannot use the EEE software with devices that run the Windows RT operating system, such as Surface and Surface 2.

Surface Pro 4 and later or Surface Book

Make sure you use ESET Endpoint Encryption client version 4.8.4 or later, which introduced compatibility with the NVMe storage that is used in these devices. Attempts to use Full Disk Encryption to encrypt Surface 4 or Surface Book devices with v4.8.2 or v4.8.3 will be blocked because no disks will be presented for encryption. A managed client will show the Workstations Details 'Disk Information' notification as shown below:
 

Figure 1-1

 

Using EEE client versions earlier than 4.8.2 will prevent the system from starting and require the use of the recovery CD to regain access. The following articles have more information on Full Disk Encryption recovery for servers and for clients.


Surface Go

The Surface Go operating system only allows users to install applications from the Microsoft Store. You will be unable to install the EEE client because it is an MSI package. If you try to run the client, it will display the following notification:

Figure 1-1

To allow the system to install the EEE client, visit the following Microsoft article to switch your operating system out of S mode.


Full Disk Encryption

If you are using a Surface Pro or Surface Pro 2 device, the Microsoft UEFI Certification Authority certificate should be installed before initiating Full Disk Encryption on the machine. The certificate can be downloaded from the Microsoft website here.

Surface Pro version

The Surface Pro referred to above is the original 2013 version, not the more recent 2017 or later version that might also report itself as a Surface Pro.

If you have already started Full Disk Encryption without updating the certificate, you will need to disable the Secure Boot option in the BIOS to allow the system to boot Windows. With Secure Boot disabled, the system can load and you will then be able to apply the certificate file while the machine is encrypted. If you require assistance, please contact the support team by submitting a ticket.


Surface Keyboards

If your Touch Cover or Type Cover is not active after a restart once the device has been encrypted, you may need to perform the following workaround to start the system:

  1. Verify that your Surface keyboard is connected. 
  2. From a powered off state, press the Power button and the volume down button at the same time. 
  3. When the EEE Full Disk Encryption pre-boot screen is shown, use the keyboard to log in.

In addition, we have reports that use of the Caps Lock key can cause an empty character to be entered when typing a Full Disk Encryption password. If you experience this behavior, use the Shift key together with the character requiring uppercase entry instead.

Alternatively, touch screen support has been added in v4.9.0 and later.

Can I use a Wireless or Bluetooth Keyboard?

You may have a wireless or Bluetooth keyboard that you use with your PC or tablet. Bluetooth keyboards cannot be used in the full disk encryption (FDE) login screen because the required Bluetooth stack does not run until Windows starts.

Because the FDE login screen launches before Windows does, a Bluetooth device will not work with it. However, a wireless keyboard may work. If the wireless keyboard works correctly in the BIOS then it should work in the pre-boot FDE login screen. You may need to make sure that the BIOS allows Legacy USB Emulation.

Alternatively, an external keyboard that is physically connected to the machine will work, such as a USB cabled keyboard.


Known Issues

Full Disk Encryption Login Screen Size
In earlier versions, the pre-boot FDE login window does not fill the screen fully. The login screen is initialized as an 80x25 character screen and the graphics card will scale the screen automatically to fit the resolution. The scaling of the login screen is controlled by the firmware or the display of the Surface 4 hardware.

Starting with v4.9.2, support has been added to improve the graphics for high-resolution screens and a zoom feature has been introduced. Please see the following article for more information.


Storage Spaces

Using Microsoft Storage Spaces allows you to combine multiple disks into a single pool of virtualized storage. This has been done in recent Surface Pro 2017 devices that have 2 x 512GB SSDs, which have been combined to advertise as 1TB of storage. Instead of having one physical disk, there are multiple disks that are merged. Please see the following Microsoft article for more information.

Storage Spaces is essentially a software-configured RAID (redundant array of independent disks), which is not currently supported by EEE.
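
The processor, NVMe client-version and Storage Spaces conditions described in this article can be checked before Full Disk Encryption is started. The following PowerShell is an added example, not ESET code: the function and parameter names are hypothetical, AMD64 is treated as an x86-based processor, and the presence of an NVMe disk is used as a stand-in for the Surface Pro 4 and later or Surface Book case.

```powershell
# Added example (not ESET code). Evaluates the blockers named in this article
# from facts about a machine. Function and parameter names are hypothetical.
function Test-EeeFdeReadiness {
    param(
        [Parameter(Mandatory)][version]$ClientVersion,  # EEE client version you plan to deploy
        [Parameter(Mandatory)][string]$Architecture,    # e.g. AMD64, x86, ARM, ARM64
        [string[]]$BusTypes = @(),                      # BusType of each physical disk
        [int]$StoragePoolCount = 0                      # non-primordial Storage Spaces pools
    )
    $findings = @()
    # Assumption: AMD64 (x64) counts as "x86-based"; ARM devices (Windows RT) do not.
    if ($Architecture -notin 'AMD64', 'x86') {
        $findings += "BLOCK: $Architecture processor; the EEE client supports x86-based processors only."
    }
    if ($BusTypes -contains 'NVMe') {
        # Assumption: an NVMe disk stands in for the Surface Pro 4 / Surface Book case.
        if ($ClientVersion -lt [version]'4.8.2') {
            $findings += 'BLOCK: clients earlier than 4.8.2 prevent the system from starting; use 4.8.4 or later.'
        } elseif ($ClientVersion -lt [version]'4.8.4') {
            $findings += 'BLOCK: v4.8.2/v4.8.3 present no disks for encryption on NVMe storage; use 4.8.4 or later.'
        }
    }
    if ($StoragePoolCount -gt 0) {
        $findings += 'BLOCK: Storage Spaces pool found; software-configured RAID is not supported by EEE.'
    }
    if (-not $findings) { $findings += 'OK: none of the blockers checked here apply.' }
    $findings
}

# Collect the same facts from the local machine (Storage module cmdlets).
function Get-EeeFdeFacts {
    @{
        Architecture     = $env:PROCESSOR_ARCHITECTURE
        BusTypes         = @(Get-PhysicalDisk | ForEach-Object { [string]$_.BusType })
        StoragePoolCount = @(Get-StoragePool -IsPrimordial $false -ErrorAction SilentlyContinue).Count
    }
}

# Constructed sample: pooled NVMe disks with a v4.8.3 client (two BLOCK findings expected).
Test-EeeFdeReadiness -ClientVersion '4.8.3' -Architecture 'AMD64' -BusTypes 'NVMe', 'NVMe' -StoragePoolCount 1

# Live check for a planned deployment (version value is an example):
# $facts = Get-EeeFdeFacts; Test-EeeFdeReadiness -ClientVersion '4.9.2' @facts
```

The check does not cover S mode on Surface Go or the Microsoft UEFI Certification Authority certificate on the original Surface Pro and Surface Pro 2; verify those separately as described above.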