2 Replies Latest reply on Oct 5, 2018 6:59 AM by georg69

    Secure Boot


      my situation :


      NUC kit 5i5ryH  with latest BIOS version 0371

      Windows 10 Pro 1803, fully and regularly updated, installed with BIOS in UEFI mode only (no legacy)


      secure boot enabled in BIOS with all keys "installed" (as you can see in the attachment; I installed them in "custom mode" after clearing all values and in "not installed" status... then I switched to "standard mode")



      in W10, executing the "system information" tool, I see "BIOS mode" as "UEFI" and "secure boot state" as "on" (as you can see in the attachment)


      executing in powershell the command "Confirm-SecureBootUEFI" gives "true"


      executing Secure Boot Checkup Utility (from Insyde Software) I get no warnings and all seems OK (as you can see in the attachment)





      ... with this last utility I feel something is wrong: the PK (platform key) under "secure boot database contents" is empty (inside BIOS I read the PK is "installed"), while under "optimal factory restore variables" it is present with a "do not trust" indication


      even under "secure boot" tab, showing "factory default" box, i get a "PKDefault" as "do not trust"


      I do not understand. Where am I wrong? Is my "secure boot" actually enabled and operating?


      Why is the PK value strange when using this very specialized utility?


      yes, i am a securityaholic and any advice is welcome


        • 1. Re: Secure Boot
          Al Hill

          Windows says SB is on, the NUC bios says SB is on.


          That is two against one (insyde).  I would question that utility.



          • 2. Re: Secure Boot

            yours is a very good point



            my worries come from the sight of other PCs that show the PK key smooth as silk with the same Insyde utility



            for example on a Dell, I see: "PK Variable Certificate (Platform Master Key):

            X.509 Certificate: CN=Dell Inc. Platform Key" (or like the attachment, taken from a Microsoft Surface)... the PK key is very, very important, and mine is absent in the main section or says "PKDefault" as "do not trust" in another section



            I'd like to understand these differences in behaviour (and a possible misconfiguration on my part, even if I think I have done it the right way)



            I will contact Insyde about the situation
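
To see what the firmware itself holds in PK and PKDefault, independent of any third-party utility, the two variables can be read with the built-in `Get-SecureBootUEFI` cmdlet and decoded as EFI signature lists. This is an added example, not part of the thread; the function name `Read-EfiSignatureList` and the `DoNotTrustInSubject` column are made up for illustration, and it assumes an elevated Windows PowerShell 5.1 or later session on a UEFI machine.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a UEFI system.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)

function Read-EfiSignatureList {   # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list size, header size
        # and per-entry size. The spec defines these as UINT32; they are read as Int32
        # here and negative or inconsistent values are rejected.
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16 -or
            $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $end = $offset + $listSize
        for ($pos = $offset + 28 + $hdrSize; $pos + $sigSize -le $end; $pos += $sigSize) {
            # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the signature itself
            $entry = [ordered]@{
                Type  = $type
                Owner = [Guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
                Subject = $null; NotAfter = $null; Thumbprint = $null
            }
            if ($type -eq $X509Guid) {
                # For X.509 entries the payload is a DER-encoded certificate
                $der  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry.Subject    = $cert.Subject
                $entry.NotAfter   = $cert.NotAfter
                $entry.Thumbprint = $cert.Thumbprint
            }
            [pscustomobject]$entry
        }
        $offset = $end
    }
}

"Confirm-SecureBootUEFI: $(Confirm-SecureBootUEFI)"
foreach ($name in 'PK', 'PKDefault') {
    try { $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop }
    catch { Write-Warning "$name could not be read: $($_.Exception.Message)"; continue }
    if (-not $var.Bytes) { Write-Warning "$name is present but empty"; continue }
    # DoNotTrustInSubject flags the wording the poster saw, if it appears in the subject.
    Read-EfiSignatureList -Bytes $var.Bytes |
        Select-Object @{n='Variable'; e={$name}}, Subject, NotAfter, Thumbprint, Owner,
                      @{n='DoNotTrustInSubject'; e={$_.Subject -match 'do not trust'}} |
        Format-List
}
```

A PK entry with a vendor subject and `DoNotTrustInSubject : False` is the result to compare against what the utility displays; a warning for `PK` means the active variable could not be read at all.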