Securing Windows 10 with Secure Boot and TPM

Windows 10 is installed in over 800 million devices but a fraction of those are running with increased security offered in this operating system.

In this tutorial we will show you how to enable Secure Boot and TPM to increase the security of Windows 10.

What is Secure Boot?

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).  This prevents it from starting the computer from malware, ransomware, etc.

What is a Trusted Platform Module (TPM) ?

TPM is a hardware chip that is either part of the motherboard or added on later.

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM.

Enabling Secure Boot

Always backup your computer before making major modifications. Write down your current settings. Microsoft has some tips on enabling Secure Boot.  Each computer is different, so your screen options will vary.

  1. Enter your PC’s BIOS setup by hitting the right key during bootup, such as F1, F2, F12, ESC or Delete.
  2. Make sure your computer Boot Mode is set for UEFI, not Legacy
  3. You may need to set Windows OS Configuration – Windows 10 WHQL Support to UEFI before you can see Secure Boot – It is called CSM for some BIOSes

Continue reading “Securing Windows 10 with Secure Boot and TPM”

How to Secure Windows 10

Last Updated: 11/1/2017

Windows 10 Home

Windows 10 is the latest and greatest operating system from Microsoft.  It still need help to become more secure.

Windows 10 controlled folder access anti-ransomeware is part of the Fall Creators Update.  It works well and should be used by all Windows 10 users.

Securing the Boot up Process

Windows 10 Secure Boot prevents rootkit attacks, where malicious code attempts to tamper with Windows before it boots, before antivirus and other system defenses load. Microsoft introduced features to protect the Windows kernel and privileged drivers in previous versions, but Secure Boot enhances those measures to prevent system tampering.

If your PC is a recent one, you will have what is known as UEFI Firmware that support Secure Boot. This allows the PC to check the signature of each piece of boot software to ensure they are not compromised.  Make sure you enable this.

Secure boot is supported by Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2

Set Windows Defender Built in Antivirus blocking to High

Windows Defender Antivirus ships with all versions of the Windows 10 operating system. Versions included with the Windows 10 Creator Update version 1703 or newer  in 2017 allow you to set the blocking level to high.  Be sure to do this.

Continue reading “How to Secure Windows 10”