Hoping for a quick summary of UEFI/Legacy boot info.

  • Question

  • We are using Win10 on our Dell models, and encrypting with BitLocker. We found that, at least with TPM2.0, Secure Boot had to be set to YES and UEFI set in the BIOS (or BitLocker threw errors on encryption).

    Now we are starting our Panasonics with Win10 as well. The TPM is 1.2. Do we use UEFI? Secure Boot ON or Legacy with Secure Boot OFF?

    I see there are three components to the BIOS:
    TPM version   UEFI/Legacy   Secure Boot ON/OFF

    I believe we can continue to use Legacy with Panasonics as they are 1.2 TPM.

    What I don't understand is how it all comes together. What goes with what? Win7 only needs Legacy regardless of the TPM version I believe. With Win10, we use UEFI, Secure Boot ON with TPM2.0. It's just how we chose to do it. Is this proper? Not sure. Now with Win10 and TPM1.2, we still need to encrypt.
    I am hoping for a fairly clear explanation. I've read some on UEFI and just get burnt from all the info. Can someone just briefly explain how Win7 TPM1.2 and Win10 TPM1.2 and Win10 TPM2.0 all come together as requirements for the MBR vs GPT and BitLocker to all be correct?

    Thursday, March 22, 2018 6:14 PM

Answers

  • Here is a brief summary of what does and does not work:

    • Windows 7 supports either Legacy or UEFI + CSM (Compatibility Support Module) with Secure Boot disabled.
    • Windows 10 supports all possible combinations (i.e. Legacy + Secure Boot disabled, UEFI CSM + Secure Boot disabled, UEFI + Secure Boot enabled)
    • TPM version does not really come into play when you decide how you configure your systems.

    What it really boils down to: when you deploy Windows 10, you should always go for UEFI with Secure Boot enabled to make sure that you can make full use of Windows 10 security features and also enable pre-boot environment validation. TPM 1.2 is fully supported on Windows 10; it is, however, weaker in terms of cryptographic protection and is more susceptible to attacks. Makes sense?


    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    • Marked as answer by the1rickster Thursday, March 22, 2018 8:26 PM
    Thursday, March 22, 2018 8:06 PM

All replies

  • Thanks Anton. I was hoping to remember the scenario where BitLocker failed encryption because of some configuration with UEFI and Secure Boot. We could only get it to work with UEFI and Sec Boot ON in Win10...TPM2.0.

    So with a TPM1.2 device, I should be able to load up Win10, UEFI and Sec Boot on as well as a pc with TPM2.0?

    Thursday, March 22, 2018 8:10 PM
  • Correct.

    Cheers,
    Anton

    Thursday, March 22, 2018 8:25 PM
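
The following is an added example, not part of the thread: a PowerShell function that reports, for the local machine, the settings discussed above (firmware mode, Secure Boot, TPM version, MBR/GPT, BitLocker state) and whether it matches the UEFI + Secure Boot configuration recommended in the answer. The function name `Get-BootSecurityState` and the `MatchesThreadAdvice` field are hypothetical; it assumes an elevated Windows PowerShell 5.1 session on Windows 10.

```powershell
# Added example (not from the thread). Run elevated on Windows 10, PowerShell 5.1.
function Get-BootSecurityState {
    # Firmware mode as Windows booted: 'Uefi' or 'Bios' (Legacy / CSM).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws
    # on Legacy BIOS (or when not elevated), so keep the reason if it fails.
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = "unavailable: $($_.Exception.Message)" }

    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38";
    # the first field is the TPM specification version (1.2 or 2.0).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Partition style of the disk Windows boots from:
    # UEFI boot needs GPT, Legacy BIOS boot needs MBR.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1

    # BitLocker state and key protectors of the OS volume.
    $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    [pscustomobject]@{
        FirmwareMode        = "$firmware"
        SecureBoot          = $secureBoot
        TpmVersion          = $tpmVersion
        PartitionStyle      = "$($bootDisk.PartitionStyle)"
        BitLockerStatus     = if ($blv) { "$($blv.VolumeStatus)" } else { 'unknown' }
        BitLockerProtection = if ($blv) { "$($blv.ProtectionStatus)" } else { 'unknown' }
        KeyProtectors       = if ($blv) { $blv.KeyProtector.KeyProtectorType -join ', ' } else { '' }
        # The answer's advice for Windows 10: UEFI with Secure Boot enabled,
        # independent of whether the TPM is 1.2 or 2.0.
        MatchesThreadAdvice = ("$firmware" -eq 'Uefi') -and
                              ($secureBoot -is [bool]) -and $secureBoot
    }
}

Get-BootSecurityState | Format-List
```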