Symantec Drive Encryption or Symantec Endpoint Encryption may prevent Surface Pro systems, or other Microsoft hardware from booting.
Some of the UEFI's "Secure Boot" options seem to be the cause of some Surface Pro systems to become unbootable.
UEFI's "Secure Boot" option should be configured as "Microsoft with 3rd Party CA" if available. Microsoft will consider any third-party software not authorized to run on these systems and as a result will not allow other third-party programs to properly boot with Secure Boot, even though the software is properly signed with valid digital certificates. Without setting this option, the system may still not boot with PGP or SEE.
In order to allow Symantec Encryption software to encrypt these systems, enable this option in the UEFI BIOS settings: