How to configure secure boot

  • Question

  • I want to know how to make secure boot unchangeable in BIOS. I want to make the end user unable to simply disable secure boot from BIOS, causing the other security features like Device Guard and Credential Guard to be disabled. If secure boot can be simply disabled from BIOS then it is not secure enough.

    Please let me know if you have any ideas in this regard.

    Friday, April 22, 2016 6:30 PM

All replies

  • Enable the admin BIOS password. Users will not be able to change anything without it.
    Friday, April 22, 2016 6:34 PM
  • Hi Pariashsh,

    Would setting the BIOS password be an option for you? This would allow you to prevent changes in BIOS.

    Please also see Device Guard/Credential Guard GPOs for additional settings. The Device Guard Deployment Guide is a great resource for this: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide

    I hope this helps.

    Best,
    Sebastian

    ---------------------

    Please mark as answer if my reply helped solve your issue. Thanks :-)

    Follow me on Twitter: @seklenk.

    Sunday, April 24, 2016 3:39 PM
  • Hi Sebastian,

    Thanks for the reply.

    I have already gone through Device Guard/Credential Guard. But there is nothing about preventing end users from making changes to secure boot in BIOS.

    If the end users can simply disable secure boot from BIOS, then Device Guard/Credential Guard, which has been forced through GPO, will be canceled. There is no point in allowing end users to disable secure boot from BIOS, intentionally or unintentionally.

    Apparently, the only option is the BIOS password as you said, if there are no other options.

    Regards,

    Paria


    Monday, April 25, 2016 9:05 AM
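
A BIOS admin password blocks the change; a periodic check on each endpoint catches the case the thread worries about, where Secure Boot is switched off and Device Guard/Credential Guard silently stop running. The script below is an added example, not posted by anyone in this thread. The function names `Get-BootGuardState` and `Test-BootGuardState` are hypothetical, and it assumes an elevated session on a Windows 10 or Server 2016 (or later) machine.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Get-BootGuardState and Test-BootGuardState are hypothetical helper names.

function Get-BootGuardState {
    $state = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        SecureBoot      = $false
        SecureBootError = $null
        VbsStatus       = 0      # 0 = off, 1 = enabled but not running, 2 = running
        ServicesRunning = @()    # 1 = Credential Guard, 2 = HVCI
    }
    try {
        # Returns $true/$false on UEFI firmware; throws on legacy BIOS or without elevation.
        $state.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $state.SecureBootError = $_.Exception.Message
    }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $state.VbsStatus       = [int]$dg.VirtualizationBasedSecurityStatus
        $state.ServicesRunning = @($dg.SecurityServicesRunning)
    }
    [pscustomobject]$state
}

function Test-BootGuardState {
    param([Parameter(Mandatory)] $State)
    $findings = @()
    if (-not $State.SecureBoot) {
        $reason = if ($State.SecureBootError) { $State.SecureBootError } else { 'disabled in firmware' }
        $findings += "Secure Boot is not active: $reason"
    }
    if ($State.VbsStatus -ne 2) {
        $findings += "Virtualization-based security is not running (status $($State.VbsStatus))"
    }
    if ($State.ServicesRunning -notcontains 1) {
        $findings += 'Credential Guard is not running'
    }
    [pscustomobject]@{
        ComputerName = $State.ComputerName
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-BootGuardState -State (Get-BootGuardState) | Format-List
```

Run from a scheduled task or management agent, a `Compliant` value of `False` flags a machine whose firmware setting no longer matches what the GPO expects.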