Purpose:
Share fundamental management knowledge of Secure Boot for Windows. This FAQ is for reference only; no further support is offered.
Audience:
- Readers who already understand PKI and Secure Boot.
- Platforms that support both Secure Boot and Windows.
Secure Boot:
Secure Boot is a security standard developed by members of the PC industry to help ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.
Secure Boot is designed to protect the boot process from attacks that seek to compromise it, ensuring that only trusted software is allowed to run during boot. It's an important feature for maintaining the security of a system, especially in environments where integrity and reliability are critical.
Prerequisites:
- BIOS setup with Secure Boot options
- Secure Boot enabled with built-in Microsoft Windows keys
- How to enable and disable Secure Boot in BIOS?
- BIOS setup -> Secure Boot -> Key Management -> Secure Boot variable -> PK/KEK/db/dbx -> Details
Skills:
1. Check the Secure Boot enabled state.
- Using System Information:
  - Press "Win + R" to open the Run dialog.
  - Type "msinfo32" and press Enter to open the System Information window.
  - In the System Summary, look for "Secure Boot State". It should be set to "On", which indicates that Secure Boot is enabled. If it says "Off" or "Unsupported", Secure Boot is not enabled.
- Using Windows PowerShell:
  - Right-click the Start button and select "Windows Terminal (Admin)" to open PowerShell with administrative privileges.
  - Type the following command and press Enter:
  - If Secure Boot is enabled, the command returns True. If it is not enabled or not supported, it returns False or an error message.
2. Check the keys imported into the system.
Reference: Microsoft Ignite (Secure Boot)
- Open PowerShell as Administrator:
  - Right-click the Start button.
  - Select "Windows Terminal (Admin)" or "Windows PowerShell (Admin)" from the context menu to open PowerShell with administrative privileges.
- Use the Get-SecureBootUEFI cmdlet:
  - In the PowerShell window, retrieve each Secure Boot variable by running the corresponding command:
    Get-SecureBootUEFI -Name PK   # Platform Key
    Get-SecureBootUEFI -Name KEK  # Key Exchange Key
    Get-SecureBootUEFI -Name db   # Signature Database
    Get-SecureBootUEFI -Name dbx  # Revoked Signatures Database
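The cmdlets above return the raw bytes of each UEFI variable. As an added example that is not part of this FAQ, the following PowerShell function parses those bytes into the EFI_SIGNATURE_LIST and EFI_SIGNATURE_DATA entries defined by the UEFI specification, so the certificates trusted in db and the hashes revoked in dbx can actually be read; the function name and the two GUID variable names are this example's own choices.

```powershell
# Added example, not from the original FAQ: parse the bytes returned by
# Get-SecureBootUEFI into EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA entries.
# Run in an elevated PowerShell on a UEFI system; names below are this example's own.
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # UEFI spec
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # UEFI spec
function Get-SecureBootSignatureEntries {
    param([Parameter(Mandatory)][byte[]]$Bytes, [string]$Variable = 'db')
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three UINT32 sizes
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Sizes that would loop forever or read past the buffer mean a corrupt variable
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Variable at offset $offset"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by SignatureData
            $owner = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [ordered]@{ Variable = $Variable; Owner = $owner; Type = 'Unknown'; Value = $null }
            if ($type -eq $EFI_CERT_X509_GUID) {
                # DER certificate: report subject, thumbprint and expiry
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Type  = 'X509'
                $entry.Value = "$($cert.Subject); thumbprint $($cert.Thumbprint); expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                # Hash of a revoked (dbx) or explicitly allowed (db) binary
                $entry.Type  = 'SHA256'
                $entry.Value = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            } else {
                $entry.Value = "$($data.Length) bytes, signature type $type"
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $offset = $end
    }
}
# Usage: list what the firmware trusts (db) and has revoked (dbx), once Secure Boot is confirmed on
if (Confirm-SecureBootUEFI) {
    foreach ($name in 'db', 'dbx') {
        Get-SecureBootSignatureEntries -Bytes (Get-SecureBootUEFI -Name $name).Bytes -Variable $name |
            Format-Table Variable, Type, Owner, Value -AutoSize
    }
}
```

Comparing the X509 subjects and expiry dates in db against the OEM's and Microsoft's published certificates is the quickest way to spot an unexpected or stale trust anchor on a platform.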