Windows 10: Secure boot: practice and experience?

Discussion in 'AntiVirus, Firewalls and System Security' started by Davidk, Aug 12, 2020.

  1. Davidk Win User

    Secure boot: practice and experience?


    I'm running win10-1909 on a 'system build' desktop PC, meaning it's a bitsa everything, modified over time by the local computer store or me to suit various needs as they arose (eg, a replacement m/b after the old one failed, extra RAM, additional internal HDD, a LAN enabling the desktop and several laptops to access the internet modem, network attached stores, etc). The motherboard is a Gigabyte unit, 5 years old, with 1x250gb SSD, and 3x 500gb HDD installed internally (the SSD is the C drive) and I recently (June 20) upgraded from win7. The BIOS is UEFI compatible, but currently set for 'UEFI and legacy'.

    After a full scan of the PC with Defender, I noted a remark in the results about 'no secure boot' which led me to read a number of articles and tutorials about secure boot. Many of the latter cited specific brands in the discussion - which doesn't apply in my case. A close friend and guru is very wary of 'secure boot' and does not use it, because he says a corruption of the boot keys means a boot failure and any of the drives data is inaccessible. On a PC where all the data is on C, a failure to boot would make it inaccessible, but that doesn't mean that it's encrypted or would be inaccessible if it was on separate drives and C was recovered.

    Contemplating a secure mode conversion, this post is soliciting advice and the experience of others re secure boot use on a number of issues I can foresee.

    1. PCs meeting MS Windows 10 "certification" must be configured for secure boot, usually done by the manufacturer as part of the OS pre-installation process.
    Q: Has anyone had any issues with the boot on a new PC in this mode???
    2. Implementing secure boot uses public key crypto technology - reasonably reliable since banking and eftpos usage relies on it. A digital signature of a file is crypto derived without encrypting the source they apply to. Getting the keys for that process and keeping them secure in the BIOS would be the major issues. A UEFI BIOS supposedly has a separate key storage module: keeping various digital signature keys in that store between manufacture and use does seem to be a risk. Yet the keys have to be available whenever a secure boot is configured.
    Q: So, how are the keys delivered for the very first secure boot configuration and use?
    3. A pre-condition of a secure mode conversion is the selection of a UEFI only BIOS mode, which makes a complete re-install of the OS ("clean" at this stage being the only option) a necessity. A review of the UEFI specs on Wikipedia and general commentary on usage seems to indicate that it's unduly complicated, with most features simply unused on a PC.
    Q: Digital signatures are not related to the method of storage, so just what is so special about UEFI - as opposed to MBR - use in a PC that dictates its use for a secure boot?
    4. Doing a secure boot implementation when a motherboard is replaced - and the OS has to be fully re-installed - would be the best time to do this.
    Q: Is just a) choosing UEFI only, and b) selecting a secure mode boot in the BIOS (before booting from the OS installation disk or usb) all that is necessary for it to happen?
    5. General experience with secure mode. The bootkit hazard that MS outlines as the reason for secure mode has not had a lot of press;
    Q: Is secure mode as reliable as MBR methods are? Or have secure mode users had issues and had to revert to the traditional MBR means?

    :)
     
    Davidk, Aug 12, 2020
    #1
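
For the key-storage and "UEFI only" questions in the post above, a read-only pre-flight report is a useful first step before changing any firmware setting. This is an added example, not code from the thread; the function name `Get-SecureBootReadiness` is hypothetical, and it assumes an elevated Windows PowerShell session on Windows 10.

```powershell
# Added example (not from the thread): read-only Secure Boot pre-flight report.
# Run from an elevated Windows PowerShell prompt; nothing on the machine is modified.
function Get-SecureBootReadiness {
    $report = [ordered]@{}

    # Firmware mode this Windows installation booted in: Uefi, or Bios (legacy/CSM).
    $report['FirmwareType'] = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Partition style of the disk Windows boots from. Windows boots in UEFI mode
    # from GPT disks; MBR indicates a legacy-style installation.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $report['BootDiskStyle'] = if ($bootDisk) { [string]$bootDisk.PartitionStyle } else { 'unknown' }

    # Confirm-SecureBootUEFI returns True/False on a UEFI boot and throws on a legacy boot.
    try {
        $report['SecureBootEnabled'] = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $report['SecureBootEnabled'] = "not available: $($_.Exception.Message)"
    }

    # Secure Boot key variables held in firmware NVRAM: Platform Key (PK),
    # Key Exchange Keys (KEK), allowed signatures (db), revoked signatures (dbx).
    # Only the stored size is reported; an unset variable raises an error.
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        try {
            $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
            $report["$name bytes"] = $var.Bytes.Length
        } catch {
            $report["$name bytes"] = 'not set or not readable'
        }
    }

    # SetupMode = 1 means no Platform Key is enrolled, so Secure Boot cannot enforce yet.
    try {
        $report['SetupMode'] = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0]
    } catch {
        $report['SetupMode'] = 'not readable'
    }

    [pscustomobject]$report
}

Get-SecureBootReadiness | Format-List
```

On a machine booted in legacy mode the Secure Boot rows report "not available" or "not readable", which is itself the answer to whether the current installation can use Secure Boot as it stands.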
  3. Secure boot: practice and experience?

    I have an SI PC (Acer Predator 8th gen i5-8400/ B360 board) bought September 2018, since day 1 it has been configured UEFI + Secure Boot.
    It originally came supplied with an Intel Optane 16Gb module paired with a 1Tb Seagate Barracuda drive (spinning rust) and Windows 10 Home OEM (1903 I believe).
    Between purchase and today I have doubled the RAM (2x completely new kits), replaced the Optane with an NVME drive to boot from, replaced the 1Tb spinner with a 500Gb SSD and added a third SSD (having removed the, to my way of thinking, totally pointless DVD drive).
    The BIOS has been updated 5 times (mostly for CPU support/ security upgrades, ME firmware updates/ mitigations), Windows has been upgraded to Pro retail and has gone from 1903 - 1909 - 2004.
    I have used the MS feature updates through Windows update and also clean installed a couple of times.
    I regularly use Macrium Reflect Free (and have since day one) to create system images and have used the Macrium boot USB from time to time.
    All these changes and updates have occurred with Secure boot active at all times, never needed to disable it, it just works invisibly with my setup.
    That is my experience with Secure boot so far.
     
    Pejole2165, Aug 12, 2020
    #3
  4. Secure boot: practice and experience?

    Jsssssssss, Aug 12, 2020
    #4