There have been reports that PIV Cards, Smartcards, or Tokens not able to authenticate at the Preboot Authentication screen when plugged in to USB 3.0 ports (xHCI connections). Legacy BIOS (MBR) may also not allow use of USB 3.0 ports at the Preboot authentication screen by PIV cards, Smartcards, or Tokens, which may prevent authentication. USB 1.0 and 2.0 can also run into this limitation if the system is using xHCI connections (USB 3.0) running in Legacy BIOS (MBR) mode. Although there are some limitations to using USB 3.0 ports on systems, this article will provide some guidelines which may allow these devices to function.
NOTE: Systems using only USB 3.0 ports will not allow any USB devices at Preboot, including keyboards.
A Feature Request has been submitted to allow the use of USB 3.0 (xHCI) within the Preboot Environment, out of the box.
The following troubleshooting steps can be attempted to get USB 3.0 working with some modifications in the BIOS configuration:
If Legacy BIOS is being used, and the above guidelines still do not allow the devices to be used on USB 3.0 ports, it may be necessary to switch to UEFI (GPT). Work with the applicable hardware vendor for proper steps to switch to UEFI BIOS (GPT).
Dell, HP, and Microsoft Surface Pro systems typically use AMI, HP, and Surface UEFI firmware for the BIOS. Symantec has tested PIV Cards, Smartcards, and tokens running on various models from these vendors. If the system in question is not using an AMI, HP, or Surface-branded UEFI, the devices may not function properly.
Symantec Corporation is committed to product quality and satisfied customers. This Feature Request is currently being considered by Symantec Corporation to be addressed in a forthcoming version of the product.
There is no guaranteed date for this request from the Encryption Product Management team, or the Encryption Engineering team at this time. Please be sure to refer back to this article periodically as any changes to the status of the request will be reflected here. You can also subscribe to this article to receive notification when it is updated.
To have your organization added to the list of companies that desire this Feature Request, please contact technical support.
A similar Feature Request has been submitted for Symantec Endpoint Encryption 11.x. For information on this request, see article TECH232347.