Symantec Endpoint Encryption (SEE) 11.2 introduced a TPM integrity-check feature that disables the Autologon functionality at preboot if the TPM has been tampered with.
After upgrading to a version that includes this feature, the machine stops at the Preboot Authentication screen. In scenarios where users have not logged in to register with Symantec Endpoint Encryption, authentication will not be possible.
Surface Pro 4
It was discovered that systems that use a TPM with SHA1 as the algorithm run into this issue when the "TPM" option is configured for Autologon.
SEE does not consider SHA1 a secure algorithm to be used with TPM and, as a result, disables the Autologon functionality. If you have systems that exhibit this behavior, disable the "Use TPM if available" option and create a new SEE Autologon client; the issue should then go away. Systems that use SHA256 are fine and should be compatible with this TPM integrity check.
If this still does not resolve the issue, contact Symantec Support for more information and troubleshooting.