Purpose:
Share the fundamental knowledge needed to manage Secure Boot in Windows.
Target Audience:
Readers who already understand PKI and Secure Boot.
Prerequisites:
- BIOS setup with Secure Boot options
- Secure Boot enabled with built-in Microsoft Windows keys
- Knowing how to enable and disable Secure Boot in BIOS
- BIOS setup -> Secure Boot -> Key Management -> Secure Boot variable -> PK/KEK/db/dbx -> Details
1. Check whether Secure Boot is enabled.
- Using System Information:
- Press "Win + R" to open the Run dialog.
- Type "msinfo32" and press Enter to open the System Information window.
- In the System Summary, look for "Secure Boot State". It should be set to "On". This indicates that Secure Boot is enabled.
If it says "Off" or "Unsupported", then Secure Boot is not enabled.
- Using Windows PowerShell:
- Right-click on the Start button and select "Windows Terminal (Admin)" to open PowerShell with administrative privileges.
- Type the following command and press Enter:
- If Secure Boot is enabled, the command will return True. If it is not enabled or not supported, it will return False or an error message.
2. Check imported keys in the system.
Reference: Microsoft Ignite (Secure Boot)
- Open PowerShell as Administrator:
- Right-click on the Start button.
- Select "Windows Terminal (Admin)" or "Windows PowerShell (Admin)" from the context menu to open PowerShell with administrative privileges.
- Use the Get-SecureBootUEFI Cmdlet:
- In the PowerShell window, you can retrieve the Secure Boot keys by running the following commands for each key:
Get-SecureBootUEFI -Name PK # Platform Key
Get-SecureBootUEFI -Name KEK # Key Exchange Key
Get-SecureBootUEFI -Name db # Signature Database
Get-SecureBootUEFI -Name dbx # Revoked Signatures Database
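Get-SecureBootUEFI returns each variable as raw bytes in its Bytes property, not as readable certificates. The script below is an added example, not part of the original article: it decodes those bytes as UEFI EFI_SIGNATURE_LIST structures and lists the X.509 certificates and SHA-256 hashes found in PK, KEK, db and dbx. The function name Read-EfiSignatureList is hypothetical.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
$X509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Read-EfiSignatureList {   # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list, header and signature sizes (4 bytes each)
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToInt32($Bytes, $offset + 24)
        # Stop on a malformed list instead of reading past the buffer
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16 -or
            $offset + $listSize -gt $Bytes.Length) { break }
        $end = $offset + $listSize
        # Each EFI_SIGNATURE_DATA entry: owner GUID (16 bytes) followed by the signature data
        for ($pos = $offset + 28 + $hdrSize; $pos + $sigSize -le $end; $pos += $sigSize) {
            $owner = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $X509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Owner = $owner; Value = $cert.Subject
                                   Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
            } elseif ($type -eq $Sha256Guid) {
                [pscustomobject]@{ Kind = 'SHA256'; Owner = $owner
                                   Value = [BitConverter]::ToString($data) -replace '-' }
            } else {
                [pscustomobject]@{ Kind = 'Other'; Owner = $owner; Value = "type $type, $($data.Length) bytes" }
            }
        }
        $offset = $end
    }
}

foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    $var = Get-SecureBootUEFI -Name $name -ErrorAction SilentlyContinue
    if (-not $var -or -not $var.Bytes) { Write-Warning "$name is empty or not readable"; continue }
    Read-EfiSignatureList -Bytes $var.Bytes |
        Select-Object @{ n = 'Variable'; e = { $name } }, Kind, Value, Thumbprint, NotAfter
}
```

Compare the certificate subjects and thumbprints against what the BIOS Key Management screen shows; dbx is expected to consist mostly of SHA-256 hash entries.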