Feature Request: cannot authenticate to Preboot Authentication using a USB token plugged into a USB 3.0 (or xHCI-based) port with Symantec Endpoint Encryption Drive Encryption 11.x and above

Article ID: 162289

Products

Endpoint Encryption

Issue/Introduction

There have been reports that PIV Cards, Smartcards, or Tokens are not able to authenticate at the Preboot Authentication screen when plugged into USB 3.0 ports (xHCI connections).  Legacy BIOS (MBR) may also not allow PIV cards, Smartcards, or Tokens to use USB 3.0 ports at the Preboot Authentication screen, which may prevent authentication.  USB 1.0 and 2.0 devices can also run into this limitation if the system is using xHCI connections (USB 3.0) while running in Legacy BIOS (MBR) mode.  Although there are some limitations to using USB 3.0 ports on systems, this article provides some guidelines which may allow these devices to function.

NOTE: Systems using only USB 3.0 ports will not allow any USB devices at Preboot, including keyboards.

Resolution

A Feature Request has been submitted to allow the use of USB 3.0 (xHCI) within the Preboot Environment, out of the box.

The following troubleshooting steps can be attempted to get USB 3.0 working with some modifications in the BIOS configuration:
 

  1. Try connecting the affected device to a USB 2.0 port.  Typically USB 2.0 ports are black, whereas USB 3.0 ports are blue.
  2. Remove or disable any non-essential USB and PCI peripheral devices that may be connected to your machine.  This may include certain built-in fingerprint readers and cameras that can be disabled through the BIOS.
  3. If the laptop is docked, undock the machine and try again.
  4. Disable Fast/Quick Boot options in the BIOS as these have been known to block USB ports regardless of USB port version.
  5. Disable any Power Saving features in the BIOS.
  6. If available, disable xHCI (USB 3.0) and use EHCI (USB 2.0) within the BIOS configuration.  This may require flashing the BIOS.  See applicable vendor for steps to do this.
  7. If using UEFI BIOS (GPT), ensure UEFI BIOS is fully updated.  Consult with BIOS vendor for assistance.
  8. Some laptops will not power on any USB ports unless booting from an external drive.  Consult your system's user menu and find the procedure needed to boot from a USB device.  Once the working port is confirmed, plug the Smartcard device into that port to see if it will boot.


Caveats:
If Legacy BIOS is being used, and the above guidelines still do not allow the devices to be used on USB 3.0 ports, it may be necessary to switch to UEFI (GPT).  Work with the applicable hardware vendor for proper steps to switch to UEFI BIOS (GPT).

Dell, HP, and Microsoft Surface Pro systems typically use AMI, HP, and Surface UEFI firmware for the BIOS.  Symantec has tested PIV Cards, Smartcards, and tokens running on various models from these vendors.  If the system in question is not using an AMI, HP, or Surface-branded UEFI, the devices may not function properly.
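
To check whether a Windows machine matches the conditions described above (xHCI controllers, Legacy BIOS versus UEFI, MBR versus GPT) before changing BIOS settings, the following added example can be used; it is not Symantec code. The function names are hypothetical, the xHCI/EHCI classification is a heuristic based on the controller's display name, and the script cannot read the Fast/Quick Boot setting, which is vendor-specific.

```powershell
# Added example, not vendor code. Classifying by controller display name is a heuristic.
function Get-UsbControllerKind {
    param([string]$Name)
    if ($Name -match 'xHCI|eXtensible') { return 'xHCI' }   # USB 3.0 host controller
    if ($Name -match 'EHCI|Enhanced')   { return 'EHCI' }   # USB 2.0 host controller
    return 'Other'
}

function Get-PrebootUsbAssessment {
    param(
        [string[]]$ControllerNames,
        [string]$FirmwareType,      # 'Uefi' or 'Bios' (Legacy)
        [string]$PartitionStyle     # 'GPT' or 'MBR'
    )
    $kinds   = @($ControllerNames | ForEach-Object { Get-UsbControllerKind -Name $_ })
    $hasXhci = $kinds -contains 'xHCI'
    $hasEhci = $kinds -contains 'EHCI'
    $legacy  = $FirmwareType -eq 'Bios'

    $findings = @()
    if ($hasXhci -and -not $hasEhci) {
        $findings += 'Only xHCI controllers found: USB devices, including keyboards, may be unavailable at Preboot.'
    }
    if ($hasXhci -and $legacy) {
        $findings += 'xHCI with Legacy BIOS: try EHCI in BIOS setup if offered, or plan a switch to UEFI (GPT).'
    }
    if ($hasXhci -and -not $legacy) {
        $findings += 'xHCI with UEFI: confirm the UEFI firmware is fully updated and Fast/Quick Boot is disabled.'
    }
    if (-not $hasXhci) { $findings += 'No xHCI controller detected by name.' }

    [pscustomobject]@{
        FirmwareType   = $FirmwareType
        PartitionStyle = $PartitionStyle
        Controllers    = $kinds
        Findings       = $findings
    }
}

# Constructed sample input (not from a real machine).
Get-PrebootUsbAssessment -FirmwareType 'Bios' -PartitionStyle 'MBR' -ControllerNames @(
    'Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)')

# Live query on the local Windows machine.
$names = @((Get-CimInstance -ClassName Win32_USBController).Name)
$fw    = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
$style = (Get-Disk | Where-Object IsBoot | Select-Object -First 1).PartitionStyle
Get-PrebootUsbAssessment -ControllerNames $names -FirmwareType $fw -PartitionStyle $style
```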
 

Symantec Corporation is committed to product quality and satisfied customers. This Feature Request was reviewed by Symantec Corporation to be addressed and was addressed in Symantec Endpoint Encryption 11.1.3 and above. 

NOTE: In many cases, Fast/Quick Boot may still need to be disabled in order for USB devices to work in USB 3.0 ports at Preboot.  Fast/Quick Boot in the BIOS will skip certain POST operations, so not all devices may be sufficiently powered on during boot, or even be enabled.  If a keyboard still does not register keystrokes, disable Fast/Quick Boot in the BIOS to help.

A similar Feature Request has been submitted for Symantec Drive Encryption 10.4.  For information on this request, see article TECH174550.