8/4/2020 Update: A major security hole was found in Secure Boot. A lot of software needs to be updated.

Windows 10 is installed in over 800 million devices but a fraction of those are running with increased security offered in this operating system.

In this tutorial we will show you how to enable Secure Boot and TPM to increase the security of Windows 10.

What is Secure Boot?

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).  This prevents it from starting the computer from malware, ransomware, etc.

What is a Trusted Platform Module (TPM) ?

TPM is a hardware chip that is either part of the motherboard or added on later.

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM.

Enabling Secure Boot

Always backup your computer before making major modifications. Write down your current settings. Microsoft has some tips on enabling Secure Boot.  Each computer is different, so your screen options will vary.

1. Enter your PC’s BIOS setup by hitting the right key during bootup, such as F1, F2, F12, ESC or Delete.
2. Make sure your computer Boot Mode is set for UEFI, not Legacy
3. You may need to set Windows OS Configuration – Windows 10 WHQL Support to UEFI before you can see Secure Boot – It is called CSM for some BIOSes
   

4. Look for an option called Secure Boot – In MSI motherboards, it is located in Settings\Advanced\Windows OS Configuration Secure Boot

Set Secure Boot Mode – Custom

Select Key Management

Set Provision Factory Default Keys to Enabled

The Intel GOP driver was then installed.

After it is enabled, the Secure Boot Variable fields will get set and now you can go to the previous screen and actually Enable Secure Boot!

Compatibility Issues with Secure Boot

Some drivers will not install correctly when you are running with Secure Boot enabled.  Temporarily turn it off, install the driver, then re-enable.

MAKE SURE the driver is from a trustworthy source!

Make sure you have updated the TPM chip to the latest version to avoid TPM-FAIL. This primarily affects TPM modules with STMicroelectronics chips and Intel Platform Trust Technology (PTT). Infineon Chips are fine.

Enabling a TPM in Windows 10

Some PCs and motherboards come with TPM already installed.  In most cases, you need to figure out if your motherboard has a socket for a TPM. These are specific to hardware, you cannot put a MSI TPM board into a Asus motherboard.  If so buy one, turn off your PC, and install it.  Try to buy the TPM directly from the manufacturer, not from a random seller on Amazon or eBay.  Laughingly, our TPM board was made in China.  It could have been hacked during assembly! (So much for true security)

1. Enter your PC’s BIOS setup by hitting the right key during bootup, such as F1, F2, F12, ESC or Delete.

2. Look for an option called Trusted Computing- In MSI motherboards, it is located in Settings\Security\Trusted Computing

Set Security Device Support to Enabled – Set Device Select to Auto

Save the settings and restart your computer.  Re-Enter your PC’s BIOS select the same option

You should see additional options now that the TPM was found.

Restart the PC and enter Windows.  If the installation was successful, you should see these additional notes in the Windows Security – Device Security Screen.

Congratulations!

Windows 10 is the latest and greatest operating system from Microsoft.  It still need help to become more secure.

Windows 10 controlled folder access anti-ransomeware is part of the Fall Creators Update.  It works well and should be used by all Windows 10 users.

Securing the Boot up Process

Windows 10 Secure Boot prevents rootkit attacks, where malicious code attempts to tamper with Windows before it boots, before antivirus and other system defenses load. Microsoft introduced features to protect the Windows kernel and privileged drivers in previous versions, but Secure Boot enhances those measures to prevent system tampering.

If your PC is a recent one, you will have what is known as UEFI Firmware that support Secure Boot. This allows the PC to check the signature of each piece of boot software to ensure they are not compromised.  Make sure you enable this.

Secure boot is supported by Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2

Set Windows Defender Built in Antivirus blocking to High

Windows Defender Antivirus ships with all versions of the Windows 10 operating system. Versions included with the Windows 10 Creator Update version 1703 or newer  in 2017 allow you to set the blocking level to high.  Be sure to do this.

Windows 10 Wi-Fi Sense

Windows 10 will by default, share your Wi-Fi network password with any contacts you may have listed in Outlook and Skype, and with your approval, your Facebook friends. This is intended to solve the give your friends access to your home Wi-Fi problem. The problem is, it can lead to compromising your Wi-Fi password.

After the Windows 10 upgrade is complete, change the privacy settings in Windows to disable Wi-Fi Sense sharing.

• Open Start Menu
• Select Settings
• Select Network & Internet
• Select Wi-Fi
• Scroll down
• Select Manage Wi-Fi Settings

To make your WiFi Network name more secure you should also add “_nomap_optout” to the end of it. IE (SSID: wifibox_nomap_optout) This prevents Windows 10 for sharing it and Google from indexing it.

Windows 10 Enterprise

Window’s 10 has an excellent featured called Device Guard that introduces whitelisting of programs to the operating system. Programs aren’t allowed to run unless they are specifically determined to be safe, by checking the file’s cryptographic signature. Device Guard relies on Microsoft’s Hyper-V virtualization technology to store its whitelists in a shielded virtual machine. It is only available for systems capable of hardware CPU virtualization and I/O virtualization. Device Guard also relies on the on-board TPM chip and UEFI Secure Boot.

Windows 10 privacy

Windows 10 in some ways, has rolled back privacy. Microsoft has built into the operating system more ways to know what you are doing.  There are a boatload of 3rd party program that help you regain privacy. Some even cause unwated programs to be installed.  Check out this Review

Do you have any Windows 10 security tips?