ON SECURITY By Susan Bradley During the last few months, some chinks have appeared in Secure Boot’s armor as the result of various attacks and vulnera
[See the full post at: Is Secure Boot important for security?]
Susan Bradley Patch Lady
Susan mentions that UEFI gives some degree of security, presumably vs. Legacy boot in the BIOS. I ran into a problem with a dual-Xeon system with Windows 10 Pro. In 12/2022 I lost the ability to boot into Windows. The system always booted into a command line with EFI, whatever that is. The only way I could reinstall Windows 10 was by setting BIOS to Legacy/MBR and creating with Rufus a Legacy/MBR Windows installation USB stick.
While that worked fine and I have my system back with an updated Windows 10 Pro, I am wondering what would happen if I changed BIOS back to UEFI to get a more secure boot. Would I permanently lose the Windows installation?
You didn’t mention if this will work if you use third party anti-virus. I don’t think so as it mostly disables defender. Can you check and let us know? Thanks.
Update: If you use a third-party antivirus tool, you will not be able to use ASR rules as they work only with Defender. Microsoft makes it incredibly difficult to implement and provides deficient instructions. This page is helpful: https://www.csoonline.com/article/3597407/how-to-use-windows-defender-attack-surface-reduction-rules.html
In my working environment, I’m not convinced that it is.
I’m just putting up a new machine, a bare-bones ASUS PN-51. Similar to an Intel NUC, one of those that has lots of stuff bundled with the motherboard, and where I specify memory and storage.
For this particular installation, I’m doing it as a Linux installation, and before I got into serious configuration work, I did some playing with more than one Linux distro. I had no problems installing Ubuntu 22.04, but when I tried installing Mint 21.1, I got conflicts coming from SecureBoot.
Apparently, the Mint 22.1 installer has new keys on it that are unrecognized. I guess there are ways of signing an installer, but most of the information out there is pretty cryptic, unless you’re really familiar with both boot processes and signature keys, and how they intersect in UEFI. I ended up disabling SecureBoot and Mint installs fine — and I don’t know if I’ll get around to reenabling SecureBoot or not.
I didn’t check, but I suppose that it’s possible that other boot images released since the beginning of 2023 might have similar issues, such as Ubuntu 23.04 or the latest release of Fedora Desktop. I also didn’t check with an older version of Mint, such as 21.0 or 20.3.
My sense is that if you’re in an environment where there’s reason to believe the possibility of somebody trying to boot from an unauthorized image, SecureBoot is probably something that you want. But for a one-off boot used for a system install that you’re not expecting to replace, I’m inclined to think it may be more of a problem than a benefit. It may not be a huge issue if the installer you need is signed correctly and the signature is recognized, but as with my case, if a UEFI isn’t updated recently enough for the installer I want, I’m not going to take the time to try to figure out how to apply the signature myself, and it’s faster/easier to simply disable SecureBoot.
If people consider SecureBoot to be essential for widespread use (especially non-Windows), then it’s necessary to make sure that the signatures of new distros are implemented quickly (at least for the most common Linux distros) and/or there is usable documentation for user-level signing.
Susan,
My advice to my clients has been consistent for years. The best anti-virus/anti-malware protection is right between your ears. Use it regularly before clicking on ANYTHING.
To underscore this point, my email in the last two days has included bogus Javascript (.js) and Adobe PDF attachments. Delete and don’t look back.
Affirmative. Keeping some ‘old’ images at hand too, when needed. There are stronger disruptive forces present since the war in eastern Europe. This early morning there was a giant “glitch” in the DNS system resolving IPs in your part of this globe.
References …. , what would you like to know? There are too many variables of security things that can go wrong, leading to too much in doubt (these days). Intel Secure Guard is not proof anymore mostly. ∅Days that are stolen and abused by crooks or darkstates. When the Secured Bootsystem or the UEFI part of the PC will be infected there is no way to tell when it’s dirty or clean. Sleeping bot-systems are no rarity anymore. So reimaging with a clean (older) image is the only thing to be safe. Even for intelligence people or politicians when they return from being away.
This very early morning there was a major/huge DNS resolving failure (about 7 minutes) for addresses in your part. You tell me what caused it.
Is there a description of the means by which this UEFI malware would make its way onto the affected PC?
Thanks for that.
So, would disabling remote services on the PC take care of this concern? It sounds like there may be much simpler cures than Microsoft’s proposed approach. Susan talked about not downloading drivers from unofficial sources; I’m not sure how this idea comes into play in the current scenario, but if it’s a question of avoiding dubious driver downloads, then there are any number of measures that one can take to filter them out: a good AV (to screen them during downloading) and VirusTotal (to screen them after downloading) come to mind right away.
If the person is close enough to the target machine to run custom boot then they are close enough to log into UEFI settings and turn off secure boot. I don’t think it’s secure at all in the sense of protecting the user. The security it protects is Microsoft market share by limiting Linux boots and installs. Turning it off is one of the first things I do with a new PC.
…You have a Home with bitlocker?
Hi Susan:
Just an FYI that there was a discussion about the difference between Win 10 Pro BitLocker Drive Encryption vs Win 10 Home Device Encryption in Linda2019’s June 2020 topic BitLocker Drive Encryption Change.
One of the articles I linked to in that 2020 topic refers to Win 10 Home Device Encryption as a “subset of BitLocker” but I did find one Dell support article at Automatic Windows Device Encryption or BitLocker on Dell Computers that states “BitLocker device encryption is supported on a broad range of devices, including those that meet Modern Standby standards and devices that run Windows 10 Home edition or Windows 11”, which blurs the distinction between Bitlocker Disk Encryption and Drive Encryption. I also found multiple users with a Win 10 Home OS reporting that Disk Management (diskmgmt.msc) showed that their disk partitions were already “BitLocker encrypted” when their Dell computer shipped from the factory – see Windows 10 Home BitLocker Encrypted in the Dell forum for one example.
I’m still not clear what encryption method Linda2019 is currently using on their Win 10 Home machine, but it sounds like they can run a manage-bde command from an elevated command prompt to temporarily suspend their encryption before a BIOS update.
————–
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.2965 * Firefox v113.0.2 * Microsoft Defender v4.18.2304.8-1.1.20300.3 * Malwarebytes Premium v4.5.29.268-1.0.2022 * Macrium Reflect Free v8.0.7279
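
The pre-update check discussed in the post above, as an added example that is not part of the original thread: it reports the Secure Boot state, records the BitLocker protectors, and suspends protection for a single reboot so that the firmware update's changed boot measurements do not trigger a recovery-key prompt. It assumes an elevated PowerShell prompt and that the encrypted volume is the system drive.

```powershell
# Added example: run from an elevated PowerShell prompt before a BIOS/UEFI update.
$drive = $env:SystemDrive   # assumption: the encrypted volume is the system drive (normally C:)

# 1. Report firmware mode and Secure Boot state.
#    Confirm-SecureBootUEFI returns True/False on UEFI systems and throws on
#    Legacy/MBR boots, which is itself a useful answer.
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Host "UEFI boot, Secure Boot enabled: $secureBoot"
} catch {
    Write-Host "Secure Boot state unavailable (Legacy BIOS boot, or prompt not elevated)."
}

# 2. Show the current encryption and protection status of the volume.
manage-bde -status $drive

# 3. List the key protectors. Make sure the numerical recovery password shown
#    here is stored somewhere off this machine before touching the firmware.
manage-bde -protectors -get $drive

# 4. Suspend protection for exactly one reboot. The data stays encrypted; the
#    volume key is temporarily left accessible so the changed boot measurements
#    after the firmware update do not force recovery mode.
manage-bde -protectors -disable $drive -RebootCount 1
if ($LASTEXITCODE -ne 0) {
    throw "Could not suspend BitLocker protection on $drive (exit code $LASTEXITCODE)."
}

# 5. Confirm that protection is now reported as off, then run the firmware update.
manage-bde -status $drive

# Protection resumes automatically after the counted reboot. To resume it by
# hand (for example, if the update was cancelled):
#   manage-bde -protectors -enable $drive
```

Run `manage-bde -status` again after the update to confirm that protection is back on.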