SecureDoc Pre-boot for BitLocker (SDOT) not supported on Microsoft Surface Pro 1, 2, 3-series tablets under V6.5
SecureDoc does not support SecureDoc Pre-Boot for BitLocker (internal name SDOT - SecureDoc on Top) deployment on Microsoft Surface devices (1, 2, and 3). This affects SecureDoc at the V6.4, V6.4SR1 and V6.5 versions, running on Windows 8.x platform computers.
On a Microsoft Surface Pro (or other slate device), BitLocker recovery (which SecureDoc uses to authenticate to BitLocker) occurs within the WinPE environment instead of during regular boot. As a result, SDOT on Surface Pro leaves the regular boot sequence and boots into WinPE, where our unlocking mechanism currently fails.
The user will observe “please wait unlock message…” at boot; they will be able to log into Windows.
The current architecture does not support this. In the future, we have to look into using TPM measurement manipulation instead of the BitLocker Recovery password.
WORK-AROUNDS: To protect Microsoft Surface Pro devices, you can do one of the following:
- Use the regular SecureDoc package (SecureDoc pre-boot with SecureDoc encryption) [OR]
- Use a SecureDoc BitLocker Management (SDBM) profile and package (BitLocker encryption managed by SecureDoc without pre-boot)