[shawnz]

In its typical configuration, Secure Boot can't provide any anti-theft guarantees because an attacker could just replace the contents of the disk with a new Windows installation and the workstation would be usable for them.

Secure Boot as it is configured by Windows only prevents malware from inserting itself into the boot process, since all Windows installations use the same signature. Bitlocker only prevents attackers from accessing the data on the disk, not from using the workstation in general.

[andrewnicolalde]

Hmmm, is it theoretically possible to sign the Windows bootloader (?) with your own custom keys to ensure that someone couldn't just fire up a stock Windows image? Though I'm not sure what sort of management challenges that would present if Microsoft ever decided to update their bootloader.

Looking at the Microsoft documentation, doing this with SecureBoot could be pretty complicated: https://docs.microsoft.com/en-us/windows-hardware/drivers/br...

[shawnz]

I havent tested personally but this seems to suggest that you can't re-sign the bootloader: https://docs.microsoft.com/en-us/previous-versions/windows/i...

> "Windows boot components: BootMgr, WinLoad, Windows Kernel Startup. Windows boot components verify the signature on each component. Any non-trusted components will not be loaded and instead will trigger Secure Boot remediation."

Plus, you would need to add some kind of check to verify that it's actually booting your image, or else the attacker could just copy your bootloader files.

[gruez]

> In its typical configuration, Secure Boot can't provide any anti-theft guarantees because an attacker could just replace the contents of the disk with a new Windows installation and the workstation would be usable for them.

What's preventing an attacker from resetting the secureboot settings? You'd need some sort of activation scheme like on iOS.

[aesh2Xa1]

You can usually lock the whole system with a boot password. In the case where the attacker replaces the whole disk, or whole disk image with another Windows image, you can also add your own keys and sign the image or individual boot files.