Setting UEFI Supervisor/Admin password if HDD Encryption enabled?

  • Question

  • Just a quick question. I have enabled BitLocker with TPM-Only protector and was just wondering if I need to set an Admin BIOS/UEFI password to prevent someone from changing the UEFI settings. I also have Secure Boot enabled as well along with the following BitLocker protection policies below.

    In my UEFI boot settings, I have Windows Boot Manager and then my internal HDD as the boot order.
    Boot from external media is enabled, because I tend to reinstall Windows from my Windows 10 bootable USB flash drive.


    With all these below BitLocker settings and policies, do I really need to set an Admin or Supervisor password to prevent an attacker from changing the UEFI settings in case the laptop gets stolen?

    My current BitLocker protection settings from the Windows 10 v1803 Security Baseline.

    Disable new DMA devices when this computer is locked:
    Enabled

    Allow Secure Boot for integrity validation:
    Enabled

    https://support.microsoft.com/en-us/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d

    Prevent installation of devices that match any of these device IDs:
    PCI\CC_0C0A

    Prevent installation of devices using drivers for these device setup classes:
    {d48179be-ec20-11d1-b6b8-00c04fa372a7}

    Friday, August 17, 2018 7:33 PM
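The settings listed in the question can be checked on the machine itself rather than read off the policy editor. The script below is an added example, not from this thread or from Microsoft: it reports the OS-volume key protector types (TPM-only shows as a single `Tpm` protector), the firmware Secure Boot state, the PCR validation profile that manage-bde prints (PCR 7 means Secure Boot is what the TPM measurement is bound to), and the registry values the baseline policies write. It assumes an elevated PowerShell on Windows 10 with the BitLocker and SecureBoot modules present; the registry value names (`DisableExternalDMAUnderLock`, `OSAllowSecureBootForIntegrity`, the `DeviceInstall\Restrictions` deny lists) are the ones the corresponding ADMX policies set, and the report labels are my own.

```powershell
# Added audit example (not part of the original thread). Run elevated on Windows 10.
# Assumes the BitLocker and SecureBoot PowerShell modules and manage-bde.exe are available.
#Requires -RunAsAdministrator

$results = [ordered]@{}

# 1. Key protectors on the OS volume. A TPM-only configuration shows a 'Tpm' protector and
#    no 'TpmPin'/'TpmStartupKey'; the baseline also keeps a 'RecoveryPassword' protector.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($osVol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
$results['OS volume protection status'] = $osVol.ProtectionStatus
$results['Key protector types']         = ($types -join ', ')
$results['TPM-only (no PIN/startup key)'] = ($types -contains 'Tpm') -and
                                           -not ($types -contains 'TpmPin' -or $types -contains 'TpmStartupKey')
$results['Recovery password escrowed']  = ($types -contains 'RecoveryPassword')

# 2. Secure Boot as reported by the firmware. Confirm-SecureBootUEFI throws on legacy BIOS.
try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = "not available: $($_.Exception.Message)" }

# 3. PCR validation profile from manage-bde. With 'Allow Secure Boot for integrity validation'
#    on a UEFI/Secure Boot machine this reads '7, 11' (binding to the Secure Boot policy).
$mbde = (& manage-bde -protectors -get $env:SystemDrive 2>&1) | Out-String
if ($mbde -match 'PCR Validation Profile:\s*([\d, ]+)') {
    $results['PCR validation profile'] = $Matches[1].Trim()
} else {
    $results['PCR validation profile'] = 'not reported (no TPM protector?)'
}

# 4. Registry values written by the group policies quoted in the question.
function Get-PolicyValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$results['DMA blocked while locked (DisableExternalDMAUnderLock=1)'] =
    (Get-PolicyValue $fve 'DisableExternalDMAUnderLock') -eq 1
$results['Secure Boot integrity validation (OSAllowSecureBootForIntegrity=1)'] =
    (Get-PolicyValue $fve 'OSAllowSecureBootForIntegrity') -eq 1

# Device-installation restrictions: each deny list is a subkey whose values hold the IDs.
$devInst = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
function Get-DenyList([string]$SubKey) {
    $key = Get-Item -Path "$devInst\$SubKey" -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) }
}
$results['Device ID deny list enforced (DenyDeviceIDs=1)'] =
    (Get-PolicyValue $devInst 'DenyDeviceIDs') -eq 1
$results['Thunderbolt controllers denied (PCI\CC_0C0A)'] =
    @(Get-DenyList 'DenyDeviceIDs') -contains 'PCI\CC_0C0A'
$results['Setup class deny list enforced (DenyDeviceClasses=1)'] =
    (Get-PolicyValue $devInst 'DenyDeviceClasses') -eq 1
$results['SBP-2 setup class denied ({d48179be-...})'] =
    @(Get-DenyList 'DenyDeviceClasses') -contains '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'

[pscustomobject]$results | Format-List
```

Anything the script reports as `False` is a setting that is configured in the policy editor but not applied on this machine (typically a missing `gpupdate` or a policy that never reached the device); the PCR profile line is the quickest way to see whether "Allow Secure Boot for integrity validation" actually took effect, because the change is only visible after the TPM protector was created or re-created under that policy.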

All replies

  • Hi,

    You could set a UEFI password for stronger protection.

    Here is the official article describing the available protections.

    For more information, please refer to: BitLocker Countermeasures

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 20, 2018 7:45 AM
  • I do have Secure Boot enabled. Did set a password to prevent changes to firmware. I need to have the option to boot from USB as I sometimes need to install Windows. So if I have both Secure Boot enabled with firmware password, then is it fine to have boot from USB enabled? Since my data is encrypted with BitLocker, can the attacker still see the data if Booting from External Media is enabled?
    Wednesday, August 22, 2018 5:54 AM
  • Hi AS.Bowen, 

    I would not recommend enabling boot from USB even though you have enabled Secure Boot.

    Here is a thread in which the user said he could boot from USB with Secure Boot enabled.

    How to Boot USB Drive in Secure Boot Mode (UEFI)

    So it seems that more protection will be safer.

    BitLocker is mainly used to encrypt the disk in order to protect it. So, generally speaking, if you boot from an external disk, it will not have the access rights to read the data located on your BitLocker-enabled disk. But you should keep good protection on the recovery key and password.

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Bests,



    • Proposed as answer by Joy-Qiao Thursday, September 6, 2018 6:31 AM
    Thursday, September 6, 2018 6:31 AM