Why should Secure Boot be used?

Anonymous
2024-06-25T12:07:18+00:00

Why should Secure Boot be used?

Windows for home | Windows 11 | Settings

Locked Question. This question was migrated from the Microsoft Support Community.

5 answers

  1. Anonymous
    2024-07-07T10:14:03+00:00

    Thank you for your reply!

    Your intellectual curiosity is commendable!

    To put it simply, secure boot is used when you load the system from BIOS. During this process, the system (a collection of various software programs and services) starts to load. Secure boot protects your device from loading malware and malicious services during this loading process, effectively preventing your computer from being attacked by this malicious software and these services when it starts. Your personal data files.

    Thank you for your patience and support! 

    Best Regards,

    Yang.Z - MSFT | Microsoft Community Support Specialist

    1 person found this answer helpful.
  2. Anonymous
    2024-07-06T04:44:48+00:00

    Sir, thanks for the reply, but I still have a doubt.

    I want to know, like when we encrypt BitLocker, it's actually used when someone steals an HDD or SSD and tries to access data by inserting it into their computer or laptop, but they can't open my data without the BitLocker decryption key. So my question is, where and why do we use Secure Boot? Like I just gave you an example of where BitLocker is actually used, similarly I want to know where Secure Boot is used.

    1 person found this answer helpful.
  3. Anonymous
    2024-06-27T12:47:30+00:00

    Hi, Jitendar Nitham!

    Thanks for your reply!

    I will answer your questions one by one.

    • Secure Boot in Actual Scenarios

    We are only answering this question for individual users. Secure boot can help prevent malware from modifying the operating system during the boot process, protecting the user's personal data and privacy.

    • Use Secure Boot

    There are several benefits to using Secure Boot, especially when it comes to protecting your computer from malware and unauthorized OS boots. Here are a few reasons why you should consider using Secure Boot:

    1. Enhanced Security: Secure Boot ensures that your computer only loads verified software when it boots. This means that any code that runs during the boot process, including the OS and boot loader, must have a valid digital signature issued by the device manufacturer or OS provider.
    2. Protection against Rootkits: Rootkits are malware that can load and hide themselves before the OS boots, and they can be used to take control of your computer. Secure Boot helps prevent this type of malware from running at boot time.
    3. System Integrity Protection: Secure Boot helps protect the OS from unauthorized modifications, ensuring the integrity and reliability of the system.
    4. Support for TPM (Trusted Platform Module): Secure Boot is often used with TPM, which can store encryption keys and other security-related information, further protecting your computer from unauthorized access.

    Although Secure Boot provides many security benefits, there are situations where you may want to disable it, such as installing a custom OS or using unsigned drivers. In these cases, you need to weigh the security benefits of Secure Boot against the need for system flexibility. However, general users do not have such advanced development requirements, so secure boot does not need to be disabled.

    • What is the impact of enabling or disabling Secure Boot on your system?

    When deciding whether to enable or disable Secure Boot, you should make a choice based on your needs, the environment in which your system will be used, and your security requirements. If you are in a highly security-sensitive environment or your system is used in a production environment, then enabling Secure Boot is usually a better choice. If you need to install a custom operating system or use unsigned third-party drivers, then you may want to disable Secure Boot.

    • When Secure Boot is on and off

    Maybe what I said above was a bit long-winded and contained some repetitive content, so I will briefly list a few points below.

    When Secure Boot is turned on:

    1. Boot verification
    2. Load only trusted software
    3. Enhanced security
    4. May affect custom operating systems and drivers

    When secure boot is off:

    1. No boot verification
    2. Increased system flexibility
    3. Reduced security
    4. Suitable for advanced users and specific scenarios

    I hope the above information can provide you with some ideas and thoughts.

    Thank you for your patience and support!

    Best regards,

    Yang

  4. Anonymous
    2024-06-27T06:48:06+00:00

    Hi Yang.Z,

    Thank you for your explanation of Secure Boot. I appreciate the overview of how it functions to enhance security by ensuring that only trusted software loads during startup.

    However, I would like to delve deeper into the practical aspects of Secure Boot:

    1. Where is Secure Boot used in practical scenarios?
    2. Why should I consider using Secure Boot?
    3. How does Secure Boot affect the system when enabled or disabled?
    4. What exactly happens when Secure Boot is turned on and when it's turned off?

    Could you provide more detailed insights into these aspects? Understanding these practical implications would help me grasp the full scope and benefits of Secure Boot.

    Thank you once again for your assistance. I look forward to your response.

    Best regards,

    Jitendar Nitham

  5. Anonymous
    2024-06-26T05:04:18+00:00

    Hi, Jitendar Nitham!

    Welcome to the Microsoft community!

    I understand that you want to know why you should use Secure Boot.

    Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

    In short, Secure Boot is an important security feature designed to prevent malware from loading when the PC starts (boots).

    If you need more information, you can refer to Microsoft's official documentation, here is the document link:

    Secure boot | Microsoft Learn

    If you have any other questions, please feel free to ask!

    Thank you for your support!

    Best regards,

    Yang.Z - MSFT | Microsoft Community Support Specialist

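An added example, not part of any answer in this thread: a PowerShell check of the Secure Boot on/off state the answers describe, together with the TPM readiness mentioned alongside it. The function name `Get-SecureBootReport` is introduced here for illustration; run it from an elevated PowerShell session.

```powershell
# Added example: summarize Secure Boot state on a Windows PC (run elevated).
# Get-SecureBootReport is a name introduced for this example.
function Get-SecureBootReport {
    $report = [ordered]@{
        FirmwareMode      = 'Unknown'
        SecureBootEnabled = $null   # result of the firmware query
        RegistryState     = $null   # what Windows recorded at boot
        TpmReady          = $null
        Note              = ''
    }

    try {
        # Returns $true or $false on a UEFI system that supports Secure Boot.
        $report.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $report.FirmwareMode = 'UEFI'
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS boot, or firmware without Secure Boot: no boot verification.
        $report.FirmwareMode = 'Legacy BIOS or no Secure Boot support'
        $report.SecureBootEnabled = $false
        $report.Note = 'Platform does not support Secure Boot in this boot mode.'
    }
    catch [System.UnauthorizedAccessException] {
        $report.Note = 'Not elevated; re-run PowerShell as Administrator.'
    }
    catch {
        $report.Note = "Firmware query failed: $($_.Exception.Message)"
    }

    # Cross-check against the state Windows stores in the registry.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $state = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $state) {
        $report.RegistryState = [bool]$state.UEFISecureBootEnabled
    }

    try {
        $report.TpmReady = (Get-Tpm -ErrorAction Stop).TpmReady
    }
    catch {
        # Leave TpmReady as $null when the TPM cannot be queried.
    }

    [pscustomobject]$report
}

Get-SecureBootReport | Format-List
```

If `SecureBootEnabled` and `RegistryState` disagree, or the firmware mode is not UEFI, the boot path is not being verified and the firmware settings are the place to look.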