board logo
Lemonde
  • Lemonde
  • 100% (Exalted)
  • Advanced Member Topic Starter
7 months ago
I have a Microsoft Surface Laptop 3 That has been wiped with a 3rd party cleansing software but I cannot get it to boot from PXE

I have use the PXE to boot on other machines without a problem and I have tried multiple USB/LAN connectors/docking stations etc.

PXE is enabled in the loader

It just fails to find a boot device and comes back to the config screen.

I have also tried a USB boot to no avail.
Refurbished Computers Berkshire 
Data Recovery Berkshire 
View All Posts by User
Sponsor

Want to thank us? Use: Patreon or PayPal or Bitcoins: bc1q4whppe29dw77rm4kv4pln0gqae4yjnxly0dny0hky6yhnafukzjsyrsqhk

All opinions expressed within these pages are sent in by members of the public or by our staff in their spare time, and as such do not represent any opinion held by sircles.net Ltd or their partners.

sirclesadmin
7 months ago

That is a frustrating problem unique to the Microsoft Surface line, which are designed to be tightly secured. You've hit a well-documented roadblock where Microsoft's security protocols actively prevent what you're trying to do.


The key to your issue is not that your PXE environment is wrong (since it works on other machines), but that the Surface Laptop 3 (SL3) has layers of security that lock down the boot process:



  • Security Feature: The SL3 is designed to boot only from specific, digitally-signed Microsoft boot images, or from certified Microsoft-branded USB/LAN adapters.

  • The Wipe: Your third-party cleansing software likely wiped the internal drive and perhaps some of the boot partitions, but left the UEFI firmware in a highly restricted state, preventing it from trusting your external boot sources (USB/PXE).


Since you are a seasoned recycler and have tried multiple non-Microsoft connectors, we need to focus on two distinct, advanced solutions:



Option 1: Microsoft's Hyper-Specific Requirements (The "Unlock")


The SL3 requires an extremely precise sequence and certified hardware to initiate an external boot:


A. Certified Hardware Lockout



  • Problem: Microsoft often limits PXE/USB-to-Ethernet boot only to their official Surface Dock or Microsoft-branded USB-C to Ethernet adapter. Generic adapters are often rejected by the firmware for security reasons.

  • Action: If you have access to an official Microsoft-branded USB-C to Ethernet adapter or a Surface Dock, try booting with that specific adapter again. This is often the fix for PXE failure on Surface.


B. UEFI/Secure Boot Verification


Although you enabled PXE, the machine is likely looping because it sees your PXE request but rejects the unsigned network stack.



  1. Access UEFI: Power off the SL3. Press and hold the Volume Up button, then press and release the Power Button. Continue holding Volume Up until the UEFI screen appears.

  2. Verify Secure Boot State: Navigate to Security or Boot Configuration.

    • Secure Boot: This must be set to Disabled or configured to allow "Microsoft & 3rd Party CA" (Certificate Authorities). Disabling is safer for generic PXE/USB boot.



  3. Initiate Boot Manually: In the UEFI Boot Configuration screen, find the PXE Network or USB Storage device. Instead of relying on the boot order, swipe left on the device (or use the equivalent touch/click command) to select "Boot this device immediately."

  4. Try Again: Restart and see if the dedicated "Boot this device immediately" command forces the connection.



Option 2: The Official Surface Recovery Image (The Best USB Fix)


Since generic USBs may also fail, the single most reliable way to force the SL3 to accept a clean OS is using Microsoft's own factory image:



  1. Download Recovery Image: Go to the official Microsoft Surface Recovery Image Download Page (you will need the SL3's full serial number for the download).

  2. Create the Official USB: Download the image and follow Microsoft's exact instructions (often involves a 16GB/32GB USB stick formatted as FAT32 and extracting the contents of the image file directly to the USB's root).

  3. Boot with Key Sequence:

    • Power Off the SL3.

    • Insert the Official USB Recovery Drive.

    • Press and hold the Volume Down button (not Volume Up).

    • Press and release the Power Button.

    • Continue holding Volume Down until the Microsoft/Surface logo appears and spinning dots appear beneath it.



  4. Select Reset: If successful, the device will boot into the Microsoft Recovery Environment, where you can select Troubleshoot and Recover from a Drive to reinstall a factory-fresh OS.


Given your situation, I would prioritize Option 2 (creating and using the official recovery image), as it bypasses the Secure Boot issues by using a source that the SL3 is hard-coded to trust.


Which of these two options would you like to attempt next?

IT Support Berkshire 
Buy new and refurbished computer equipment 
View All Posts by User
Lemonde
  • Lemonde
  • 100% (Exalted)
  • Advanced Member Topic Starter
7 months ago
It seems odd though as PXE is an option in the boot config and swiping left with teh lower security settings it finds nothing or perhaps it just does not show the 'press F12 or Enter' screen and so just goes back to the boot options.
Refurbished Computers Berkshire 
Data Recovery Berkshire 
View All Posts by User
Lemonde
  • Lemonde
  • 100% (Exalted)
  • Advanced Member Topic Starter
7 months ago

That feeling of "oddness" is precisely what makes the Surface devices so frustrating for recyclers and IT professionals alike! You've accurately described the core problem.


You are correct that on a regular PC, when you manually select "PXE Network" (swiping left), the machine should either:



  1. Immediately attempt the network boot.

  2. Drop to a classic "Press F12 for Boot Menu" prompt.


The fact that the Surface Laptop 3 (SL3) just finds nothing and loops back to the config screen confirms a very specific failure mode common to the Surface line.



Why the Surface Fails to Boot (Even When Configured)


This issue happens because the Surface's UEFI does not fully trust the network adapter/PXE stack unless it passes a complete security check.





















Symptom You See Reason Why It Fails
"Finds nothing" The SL3 often has a firmware-level whitelist for bootable network adapters. If you are using a generic USB-C to Ethernet adapter, the UEFI firmware sees the PXE option in the config, but it refuses to initialize the driver for the non-Microsoft adapter early enough in the boot process.
No "Press F12" Prompt Unlike traditional Dell or Lenovo machines, the Surface devices minimize user-facing prompts. When the machine fails to load the PXE stack (due to the adapter/security issue), it doesn't give a public error; it simply fails the internal boot attempt and drops back into the UEFI menu.
The Cleansing Software Factor The third-party wipe may have deleted crucial small partitions (like the System Reserved Partition or the EFI System Partition) which sometimes contain data required to properly initialize the boot process, even for external devices.

The Critical Missing Step


Since you confirmed your PXE environment works and you've tried multiple adapters, the last piece of the puzzle is the Microsoft adapter requirement.


The quickest way to rule out a driver/adapter problem is to use the official Microsoft Recovery Image (Option 2 from our last chat). This method is designed to override these network stack and adapter compatibility issues by using a known-good, trusted image that is processed directly by the secure Surface firmware.


Have you had a chance to try creating the official Surface Recovery Image USB drive? If you can get that to boot, it confirms the hardware is fine and the issue is purely a matter of the SL3's tight boot security.

Refurbished Computers Berkshire 
Data Recovery Berkshire 
View All Posts by User
Lemonde
  • Lemonde
  • 100% (Exalted)
  • Advanced Member Topic Starter
7 months ago
Yes I can boot from USB so I booted into the disk wiping Win PE and ran the install from there
Refurbished Computers Berkshire 
Data Recovery Berkshire 
View All Posts by User
sirclesadmin
7 months ago

That is a crucial piece of information and confirms a strong suspicion:


The fact that you can boot from a USB but still cannot PXE boot means the issue is not a general hardware failure, but a specific, deliberate security or firmware incompatibility related to the network boot stack.


You likely ran into the following scenario during your wipe and install:



  • USB Boot Success: This proves the core UEFI/BIOS is functioning and can read external media.

  • PXE Failure: This confirms the Surface's highly restrictive security is at play. The internal network boot stack (the PXE code loaded by the UEFI) is likely incompatible with your non-Microsoft adapter OR a required boot variable was corrupted/deleted.


Since you are a seasoned recycler and can successfully get into a Windows Preinstallation Environment (WinPE), your most effective solution is to manually rebuild the boot configuration on the internal drive to force the machine to recognize the new OS and stop trying to use PXE.



The Solution: Using DiskPart and BCDedit in WinPE


The goal is to use the Command Prompt within your existing WinPE USB to ensure the internal SSD is completely clean, correctly formatted as GPT, and has a fresh, valid EFI System Partition (ESP) where the PXE attempt can't interfere.


Step 1: Clean the Internal Drive (Data Destruction)



  1. Boot the Surface Laptop 3 into your disk wiping WinPE USB.

  2. Open Command Prompt.

  3. Run diskpart

  4. Type list disk (Identify your internal SSD, likely Disk 0, by size).

  5. Type select disk 0 (Replace 0 with your SSD number).

  6. Type clean ( This command wipes the drive completely, including all partitions and signatures).

  7. Type convert gpt (Ensures the drive is ready for UEFI boot).


Step 2: Manually Recreate the EFI Partitions


Now, we force the necessary partitions back onto the drive:



  1. Create the EFI System Partition (ESP):

    • create partition efi size=100 (Creates 100MB EFI partition)

    • format quick fs=fat32 label="System" (Formats it as FAT32)



  2. Create the Microsoft Reserved Partition (MSR): (Not always strictly needed for boot but good practice)

    • create partition msr size=16 (Creates 16MB MSR partition)



  3. Create the Primary Windows Partition:

    • create partition primary (Use the rest of the space)

    • format quick fs=ntfs label="Windows" (Format the main partition)

    • assign letter=C (Assigns the letter C: for the install)




Step 3: Install Windows



  1. Exit DiskPart: Type exit.

  2. Run Installer: Now run your install process from your WinPE environment, targeting the newly created C: (Windows) partition.


Result: By wiping the drive with clean and manually recreating the partitions from scratch (especially the EFI partition), you ensure the system is stripped of any corrupted boot configuration or persistent PXE/UEFI entries that were forcing the loop. The Windows installer should now correctly write a fresh bootloader (BCD) to the new EFI partition, allowing it to boot directly from the internal SSD.


If the PXE option still doesn't work after this clean install, the only remaining cause is the hardware whitelist for the non-Microsoft adapter, and you must use an officially sanctioned adapter to PXE boot.

IT Support Berkshire 
Buy new and refurbished computer equipment 
View All Posts by User
Similar Topics
Users browsing this topic