
Using DESlock+ with Microsoft Surface devices


Windows RT

The DESlock+ client only supports machines with an x86-based processor. You cannot use the DESlock+ software on devices that run the Windows RT operating system (i.e. Surface and Surface 2).

The Microsoft Surface devices which run the full edition of Windows (currently Surface Pro, Surface Pro 2, Surface Pro 3 and Surface 3) can use the granular encryption features (encrypted emails, encrypted folders etc.) with no special steps required.

 

Surface Pro 4 and Surface Book

You should ensure you use v4.8.4 or later of the DESlock+ client, which introduced compatibility with the NVMe storage used in these devices.

Attempts to use Full Disk Encryption to encrypt Surface 4 or Surface Book devices with v4.8.2 or v4.8.3 will be blocked because no disks will be presented for encryption. Attempts with versions prior to that will prevent the system from booting and require the recovery CD to be used to regain access.

 

Full Disk Encryption

To use a Surface device (or any touch-based input PC) with DESlock+ Full Disk Encryption, you will need an external keyboard connected so that you can enter your security credentials at the Full Disk Encryption pre-boot menu and start the system. Once Windows has loaded, the system will behave as normal and the on-screen input can be used.

 

If you are using a Surface Pro or Surface Pro 2 device, the Microsoft UEFI Certification Authority certificate should be installed before initiating Full Disk Encryption on the machine. This can be downloaded from the Microsoft website:

http://www.microsoft.com/en-us/download/details.aspx?id=41666&751be11f-ede8-5a0c-058c-2ee190a24fa6=True

 

If you have already commenced Full Disk Encryption without updating the certificate, you will need to disable the Secure Boot option in the BIOS to allow the system to boot Windows. Once Secure Boot has been disabled to let the system load, you will not be able to apply the certificate file while the machine is encrypted. If you find yourself in this situation, please contact the support team by submitting a ticket for assistance.
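A check that can be run before initiating Full Disk Encryption, to confirm the Secure Boot state and whether the certificate is already present (an added example, not part of the original article or the DESlock+ product). It assumes an elevated PowerShell session and that the certificate appears in the Secure Boot `db` variable under the subject name "Microsoft Corporation UEFI CA 2011"; the function name is hypothetical.

```powershell
# Added example: pre-encryption Secure Boot check (not ESET/DESlock+ code).
# Assumption: the Microsoft UEFI CA certificate is identified in the Secure
# Boot 'db' variable by the subject "Microsoft Corporation UEFI CA 2011".

function Test-FdeSecureBootReadiness {   # hypothetical helper name
    param(
        [string]$Subject = 'Microsoft Corporation UEFI CA 2011'
    )

    try {
        # $true = Secure Boot on, $false = off; throws on legacy BIOS
        # systems or when the session is not elevated.
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop

        # Read the raw allowed-signature database. The certificate subject
        # is stored as readable text inside the encoded certificate.
        $db   = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $caPresent = $text -match [regex]::Escape($Subject)
    }
    catch {
        # Report the failure rather than guessing at the state.
        return "Could not read Secure Boot state: $($_.Exception.Message)"
    }

    if ($caPresent) {
        return "Secure Boot enabled: $secureBoot. '$Subject' found in db."
    }
    if ($secureBoot) {
        return "Secure Boot is enabled but '$Subject' is NOT in db. " +
               "Install the certificate before starting Full Disk Encryption."
    }
    return "Secure Boot is disabled and '$Subject' is not in db."
}

Test-FdeSecureBootReadiness
```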

 

Surface Keyboards

We have had reports of the Microsoft Surface keyboard covers being successfully used with the Surface devices to enter credentials to boot a Full Disk Encrypted system.  

However, if your Touch Cover or Type Cover is not active after rebooting once the device is encrypted, you may need to perform the following workaround to start the system.

Ensure your Surface keyboard is connected. From a powered off state, press the Power button and the volume down button at the same time. When the DESlock+ Full Disk Encryption pre-boot screen is shown, use the keyboard to log in as usual.

In addition, we have had reports that use of the Caps Lock key can cause an empty character to be entered when typing a Full Disk Encryption password. If you experience this effect, you should use the Shift key together with the character requiring uppercase entry instead.

Can I use a Wireless or Bluetooth Keyboard?

You may have a wireless or Bluetooth keyboard that you use with your PC or tablet. Bluetooth keyboards cannot be used at the full disk encryption (FDE) login screen, because the FDE login screen launches before Windows does and the required Bluetooth stack does not run until Windows starts.

However, a wireless keyboard may work. If the wireless keyboard works correctly in the BIOS then it should work in the pre-boot FDE login screen. You may need to ensure that the BIOS allows Legacy USB Emulation.

Alternatively, an external keyboard that is physically connected to the machine will work, such as a USB cabled keyboard.

 

Known Issue

Full Disk Encryption Login Screen Size

Currently the pre-boot FDE login window does not fill the screen fully. The login screen is initialized as an 80x25 character screen and the graphics card will scale the screen automatically to fit the resolution. The scaling of the login screen is controlled by the firmware or the display of the Surface 4 hardware.

We are hoping in the future to improve support for high resolution screens by switching to a graphical bootloader, however there is currently no timescale for this. To keep informed of new DESlock+ upgrades, you can subscribe to our news feed by visiting:
KB274 - 'How do I subscribe to the newsletter?'


Keywords: surface, pro, keyboard, tablet, Microsoft, on-screen
