• admin@sh.itjust.works
    2 months ago

    Yeah, unfortunately the default state is always to allow enrollment of keys. Think about the thousands of enterprise devices which just got a BIOS password from the IT department, and the only change they made to the BIOS was setting PXE boot as the first option. As long as they never disable booting from USB devices, it will enroll the keys. HP even allows you to get to the Boot Menu and a sort of pre-BIOS menu on the newer devices, still with a BIOS password and lock set up. And I have first-hand witnessed way-too-many-to-count instances where that is the case.

    No matter the vendor, HP, Dell and Lenovo (the 3 main ones used in the enterprise world) all allow the enrollment of keys by default, even with a locked BIOS.

    Source: I’m the sysadmin at an R2 recycler and regularly get thousands of laptops to play with.

    • BakedCatboy@lemmy.ml
      2 months ago

      Hmm, that’s very surprising. Secure Boot setup mode is entirely just to enable or disable enrollment of keys, so being able to enroll keys with setup mode off and the BIOS locked is bizarre. I can say that my Dell (XPS 9560) does not behave that way - I have to enter the BIOS and explicitly enable setup mode to enroll keys, and setup mode automatically switches back off once you enroll.
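      Added example, not code from either commenter: a small check for the state the two posts are arguing about, read from the firmware's own SecureBoot and SetupMode variables on a Linux box via efivarfs. Each efivarfs file is a 4-byte little-endian attribute mask followed by the variable data; for these two variables the data is a single byte (1 = on). The file paths and the constructed sample payloads are assumptions for the demo.

```python
import os
import struct

# GUID the UEFI spec assigns to the global variables SecureBoot and SetupMode.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"  # Linux efivarfs mount point (assumed)

def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes the variable payload with a 4-byte little-endian
    attribute bitmask (EFI_VARIABLE_NON_VOLATILE, BOOTSERVICE_ACCESS, ...)."""
    if len(raw) < 4:
        raise ValueError("efivar file shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def boolean_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte variables: 1 = on, 0 = off."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte variable, got {len(data)} bytes")
    return data[0] == 1

def assess(secure_boot_raw: bytes, setup_mode_raw: bytes) -> dict:
    """Classify the platform from the two raw variable files."""
    secure_boot = boolean_var(secure_boot_raw)
    setup_mode = boolean_var(setup_mode_raw)
    # In setup mode the firmware accepts PK/KEK/db writes that are not
    # signed by the existing Platform Key, so key enrollment is open.
    verdict = ("setup mode: keys can be enrolled" if setup_mode
               else "enforcing" if secure_boot
               else "secure boot disabled")
    return {"secure_boot": secure_boot, "setup_mode": setup_mode,
            "enrollment_open": setup_mode, "verdict": verdict}

def read_var(name: str, directory: str = EFIVARS_DIR) -> bytes:
    with open(os.path.join(directory, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"), "rb") as fh:
        return fh.read()

def assess_system(directory: str = EFIVARS_DIR) -> dict:
    return assess(read_var("SecureBoot", directory), read_var("SetupMode", directory))

# Constructed sample payloads: attributes 0x06 (BS | RT) followed by one data byte.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    try:
        print(assess_system())
    except (FileNotFoundError, PermissionError):
        print("efivarfs not readable; constructed sample:", assess(SAMPLE_OFF, SAMPLE_ON))
```

      A machine that reports "enforcing" here but still accepts keys from a USB stick, as the first post describes, is the case worth escalating to the hardware vendor, since that contradicts what SetupMode advertises.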