UEFI Secure Boot questions


  1. #1 | Posts: 812 | Win10

    UEFI Secure Boot questions


    My laptop has Windows 10 with Secure Boot enabled in my UEFI firmware settings, and my question is: can Secure Boot still protect against booting a malicious OS or tool (from a bootable USB stick) even when using the F12 Boot Menu Options prompt?

    I have a Dell laptop, which uses the F12 key to bring up the Boot Menu Options.

    BitLocker is also enabled.

    Another question: I reinstall the Windows 10 OS from time to time by plugging in my bootable Windows 10 USB flash drive, so how come Secure Boot does not react to this? It should detect that I am booting another operating system. Am I correct?

    With those questions asked, I did set a password for the UEFI so nobody could change the firmware settings.


  2. #2 | Posts: 5,478 | 2004

    BitLocker will detect if you boot from USB (or change the boot order or any other firmware settings) and will not unlock the C drive. In this case your data is safe (assuming your BitLocker recovery key is private), but it would not prevent someone wiping the disk and installing a new OS.

    Secure Boot will boot if the loader etc. is signed with a Microsoft key. In the case of a Windows USB (or a Macrium rescue USB) they are (right-click and look at the properties of ~\bootmgr.efi and ~\efi\boot\bootx64.efi on your USB). If they aren't signed, as in the case of some, but not all, Linux install ISOs, you need to disable Secure Boot.

    This is quite interesting on the subject: http://www.rodsbooks.com/efi-bootloa...ecureboot.html

    However, to repeat, even if you boot from a Windows install (or other) USB, whether with Secure Boot on or off, BitLocker will not unlock the system drive, so your data is safe.


  3. #3 | Posts: 812 | Win10 | Thread Starter

    In other words, will Secure Boot or BitLocker work in protecting the boot loader only from booting the laptop from a Shutdown or a Restart? Or is it effective as well when booting from the F12 Boot Menu selection prompt?


  4. #4 | Posts: 668 | Win 10 pro

    No, Secure Boot and BitLocker will not stop you from replacing, e.g., the current OS with another one, but in this case BitLocker will prevent any data from being readable, and the only action possible will be to completely replace the in-place OS with another one, but obviously that would be quite evident.
    To stop the "F12" as you say, you can set a "BIOS/UEFI" password; if your goal is to protect your data (i.e. if the laptop is stolen), full disk encryption with BitLocker would be more than enough.

    P.S. as lx already told you, I see.


  5. #5 | Posts: 5,478 | 2004

    It is effective in either case. You can't access your C volume.

    Try it and then you'll be sure. Boot from Windows install USB, press shift+11 to get a command prompt and see if you can see anything on the original "C". You will not be able to - the only way you can is to type manage-bde -unlock and type in the 25 long recovery key.

    I think you have set it up right - just make sure you take the same care of your backups. There is no point encrypting your laptop and keeping a backup drive with plain unencrypted Macrium (or whatever) images in the same bag.


  6. #6 | Posts: 812 | Win10 | Thread Starter

    Ok, now this is very weird...I did a test by turning OFF Secure Boot in the UEFI and did a reboot. No BitLocker Recovery Key Lockout prompt...This worries me now...Despite the settings in my image.

    As far as I know, turning OFF Secure Boot should prompt me for the BitLocker Recovery Key.
    Attached thumbnails: UEFI Secure Boot questions-capture.png, UEFI Secure Boot questions-gpo.png


  7. #7 | Posts: 812 | Win10 | Thread Starter

    Now, I am trying to avoid using a BIOS/Firmware password because I don't want to remember another password.

    So, I was going to test a scenario where an attacker would be able to gain access to the UEFI without a password and turn OFF Secure Boot; the attacker will, or should, then receive a BitLocker Recovery prompt.

    If the attacker will receive the BitLocker Recovery prompt by turning OFF Secure Boot, then there is no need to set a firmware or UEFI password in order to prevent changes to the settings like Secure Boot.
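As an added example (not code posted by anyone in this thread), here is a read-only PowerShell audit that pulls together the checks the thread circles around: whether Secure Boot is currently enforced, which key protectors the BitLocker system volume has, which TPM PCRs the TPM protector is bound to, and the Authenticode signatures of the boot files on a USB stick that post #2 suggests inspecting by hand. The PCR profile is the piece that explains post #6: a TPM protector whose validation profile includes PCR 7 measures the Secure Boot state, so disabling Secure Boot changes the measurement and forces recovery, whereas the legacy profile (PCRs 0, 2, 4, 11) does not include PCR 7 and will not react to that toggle. Assumptions: it is run from an elevated PowerShell on the laptop itself, the system drive is C:, and the USB stick's drive letter (E:) is a placeholder you must adjust.

```powershell
# Added example, not from the forum thread. Read-only: nothing here changes firmware,
# BitLocker or the USB stick. Assumes an elevated session on the laptop in question.

function Get-BootSecurityAudit {
    param(
        [string]$SystemDrive = 'C:',
        [string]$UsbRoot     = 'E:\'   # hypothetical drive letter of the bootable USB stick
    )
    $result = [ordered]@{}

    # 1. Is Secure Boot enforced right now? Confirm-SecureBootUEFI throws on legacy-BIOS boots.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $null }

    # 2. BitLocker state and the key protectors present on the system volume.
    $vol = Get-BitLockerVolume -MountPoint $SystemDrive
    $result.ProtectionStatus = $vol.ProtectionStatus
    $result.KeyProtectors    = $vol.KeyProtector.KeyProtectorType

    # 3. Which PCRs is the TPM protector bound to? Only manage-bde prints the validation profile.
    #    "7, 11" means Secure Boot state is measured, so turning Secure Boot off forces recovery;
    #    "0, 2, 4, 11" (legacy profile) does not include PCR 7, so that toggle passes unnoticed.
    $protectorText = & manage-bde -protectors -get $SystemDrive 2>&1 | Out-String
    $result.PcrProfile = if ($protectorText -match 'PCR Validation Profile:\s*([^\r\n]+)') {
        $Matches[1].Trim()
    } else {
        'n/a (no TPM protector found or manage-bde unavailable)'
    }

    # 4. Authenticode check of the boot files on the USB stick (what post #2 does via Properties).
    $result.UsbSignatures = foreach ($rel in 'bootmgr.efi', 'efi\boot\bootx64.efi') {
        $path = Join-Path $UsbRoot $rel
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                File   = $rel
                Status = $sig.Status              # Valid / NotSigned / HashMismatch ...
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }

    [pscustomobject]$result
}

Get-BootSecurityAudit | Format-List
```

If `PcrProfile` comes back as `0, 2, 4, 11`, the behaviour in post #6 (no recovery prompt after disabling Secure Boot) is the expected one for that profile; the Group Policy setting "Configure TPM platform validation profile for native UEFI firmware configurations" governs which profile new TPM protectors get, and a protector has to be removed and re-added for a changed profile to take effect.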

