Turn On or Off BitLocker for Operating System Drive in Windows 10  

@blink


thanks for your help. I believe im done with this and its encrypted.

@Brink


The person who helped me on the other forum with this mention something i am concerned about. Because i have no pin or password when the computer boots and it goes straight to windows 10, he tells me that a hacker or thief could access your bios if you dont put a secure password for bios. Are you familiar with this? If so, is there a reason why nothing in the guide mentions this? Because if someone follow all the steps in the tutorial, they are not safe and secure if they did not secure bios? Because nothing is mentioned about bios in the article.


I told him not long ago i got a power bank for my laptop and it ask me to update bios before use powerbank but i did not because i dont like touching those options so i did not bother with this. He said if you ever has a bios update, then you need to suspend bitlocker first before you update bios. I then told him, i never updated bios or did anytihng like this myself. I did say last year when i brought my laptop to a repair shop with a replacement battery to have him replace the old with new, the laptop didnt turn on. He checked my ssd drive in his computer and it worked but after a while, my laptop turned on. I think he might have touched the boot up or something like that or maybe bios but im not sure. But i told him i never put a password for bios or did anything like that to it.


He then tells me... your computer is not safe and not secure if bios is not secure. Are you familiar with this? He said even though you did bitlocker, if your bios is not secure, your system is not secure. He says there are things like cold boot attack.


This is what he says


Yes. Absolutely. Last year a lot of security vulnerabilities were uncovered that require firmware patches to address them - unless you're OK with them being potentially exploited. For a laptop, BIOS is the firmware. Note that exploiting these vulnerabilities is harder than accessing your files or putting malware on unattended unencrypted laptop without password, but it is still possible.


Yes. Otherwise skilled hacker can perform Cold Boot attack with a USB flash drive, by booting from it and dumping your RAM, then getting your encryption key from RAM dump. Or some malicious idiot can format your drive while the laptop is unattended, just for lulz. Or set BIOS user password (which is requested every boot) and HDD password (which is stored in HDD firmware) to make it impossible to use your laptop and access your data. BIOS is a powerful thing, you know.


I ask so i have to secure bios, he says


Thus, you don't want anyone except you to be able to boot from USB devices, and you don't want anyone else to change your BIOS settings. To prevent that, you need to adjust BIOS settings I described earlier.


This is what he tells me i need to do to secure my laptop


1. Set BIOS supervisor password so only you can change BIOS settings
2. In boot order settings, allow boot only from your internal SSD, disable boot from all other devices.
3. Lock boot order in BIOS, disable Boot menu - if these settings are present in your BIOS
Read about accessing BIOS and adjusting BIOS settings in your laptop's user manual

Do you have any opinion on this? So all of this is correct? If so, then wouldn't that mean most ppl who installed bitlocker while following the guide on this site most likely never did anything with bios or secure it? Or do most ppl secure it already when they first get the computer?

@Brink


Well isn't that the purpose of bitlocker though? Thus if someone gets access to your laptop whether its a thief or hacker, they cannot log into it without pin or password or/and the windows 10 password? Thus physical access is already assumed right for bitlocker's purpose? That is why im shocked he said this with bios.


Well he said your computer is not secure at all if you didn't do anything with bios. So that is 100 percent true then right? So basically you do the entire bitlocker thing and encrypt it, but you didn't put a bios password, you are basically at risk just like someone with no bitlocker?


Yes i know to keep passwords written down.


But how is the bios not mentioned in the bitlocker article? I mean someone would think... okay i secured my computer with bitlocker by following all these steps. But because they never touched bios... then they are at risk just as before?

@Brink


Yes that poster in another forum mentioned its to prevent someone from making changes to the bios settings. But if no password for bios, a person could make changes to the bios setting and thus get into the hard drive even with bitlocker on? I saw a short video on cold boot attack which basically is a hacker/thief opens up laptop because of no bios password and gets all the information through the RAM. Is that video then correct? Thus no bios password even with bitlocker on... any even not that smart hacker/thief can check whats inside? But that person said with no bios password, a hacker can just open up laptop do one of those things and then install a malicious usb stick or ram and then you are screwed. So all these statements are true?


Okay so you say my computer is still secure but not fully secure? So those methods that i made in bold which the poster mentions... that is possible if no bios password correct? He said if a smart thief or hacker has access to this laptop, its easy for him to hack it. But for a not that smart hacker, it isn't that hard. This is true right?


Well if i leave my computer as is now with bitlocker on but do nothing wth bios, that mean a smart hacker/thief can check my hard drive very easily right? That is what the other poster implies. But if i secure bios with a bios password, then a hacker cannot do anything to change the bios and thus my computer hard drive is safe from that. Is that true then?