Recently, it was discovered that an employee was able to boot to an operating system stored on a USB drive instead of the managed Windows 11 installation. You plan on disabling USB boot in the UEFI/BIOS settings. What additional step should be taken to prevent a user from re-enabling this boot option?
The most effective way to prevent unauthorized changes to UEFI/BIOS settings is to set an administrator or supervisor password. While disabling USB boot and changing the boot order are the direct solutions to the immediate problem, these changes can be easily reversed by anyone with physical access to the machine. An administrator password for the UEFI/BIOS prevents users from accessing these settings without authentication. Secure Boot ensures the integrity of the boot loader but does not prevent changes to the boot order itself. A TPM is a hardware security chip used for cryptographic functions like storing encryption keys, but it doesn't restrict access to UEFI/BIOS settings. PXE is a method for booting from a network source, not a security setting.