Secure Boot post restore

Secure Boot is a UEFI firmware security feature that ensures a computer boots using only software trusted by the manufacturer. It verifies the digital signatures of bootloaders and drivers, preventing rootkits and other unauthorized, malicious, or tampered software from loading before the OS.

Environment

  • Datto SIRIS
  • Datto ALTO

Overview

Secure Boot is a UEFI firmware feature that establishes a chain of trust from system firmware through the operating system boot loader. During startup, the firmware verifies each boot component against a set of trusted cryptographic certificates stored in firmware. If a component is unsigned or signed with an untrusted certificate, the boot process is halted.

Secure Boot Certificate Updates

Microsoft periodically updates Secure Boot certificates to revoke vulnerable or compromised boot components and to strengthen the Secure Boot trust model. These updates rely on Secure Boot being enabled so that new certificates can be installed and enforced by the firmware.

Microsoft details this process in the following documentation: Frequently asked questions about the Secure Boot update process.

What is the impact on devices with Secure Boot disabled?
Devices with Secure Boot disabled will not receive the new Secure Boot certificates in firmware. As a result, they will remain vulnerable to boot-level malware, such as bootkits, because Secure Boot protections are not enforced.

Secure Boot and System Restore

A mismatch between the Secure Boot state of the source system and the restore target can prevent the operating system from booting. If the machine is unable to boot after a restore attempt, try disabling Secure Boot on the target hardware or virtual machine. Secure Boot is often enabled by default on UEFI systems.
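
To anticipate the mismatch described above, the Secure Boot state of the protected machine can be recorded ahead of time and compared with the setting planned for the restore target. The PowerShell below is an added example, not Datto's or Microsoft's code; it assumes a Windows source machine and an elevated session, and the function names and output file name are hypothetical.

```powershell
# Added example (not vendor code). Run elevated on the protected Windows machine.
# Function names and the output file name are hypothetical.

function Get-SecureBootSnapshot {
    $snap = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        CapturedUtc  = (Get-Date).ToUniversalTime().ToString('o')
        SecureBoot   = 'Unknown'
    }
    try {
        # Returns $true when Secure Boot is enabled, $false when it is disabled.
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { $snap.SecureBoot = 'Enabled' }
        else { $snap.SecureBoot = 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS, or UEFI firmware without Secure Boot support.
        $snap.SecureBoot = 'NotSupported'
    }
    catch [System.UnauthorizedAccessException] {
        Write-Warning 'Not elevated; Secure Boot state could not be read.'
    }
    [pscustomobject]$snap
}

function Test-RestoreTargetMatch {
    param(
        [Parameter(Mandatory)] $Source,   # object returned by Get-SecureBootSnapshot
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled')] [string] $TargetSecureBoot
    )
    if ($Source.SecureBoot -eq 'Unknown') {
        return 'Source state unknown: re-run the snapshot elevated before relying on it.'
    }
    if ($Source.SecureBoot -eq $TargetSecureBoot) {
        return 'Match: target Secure Boot setting equals the source.'
    }
    if ($TargetSecureBoot -eq 'Enabled') {
        # The source was not booting under Secure Boot, but the target enforces it.
        return 'Mismatch: disable Secure Boot on the target if the restored system does not boot.'
    }
    return 'Mismatch: target has Secure Boot disabled while the source had it enabled.'
}

# Record the source state, then compare it with the planned target setting.
$snapshot = Get-SecureBootSnapshot
$snapshot | ConvertTo-Json | Set-Content -Path (Join-Path $env:TEMP 'secureboot-snapshot.json')
Test-RestoreTargetMatch -Source $snapshot -TargetSecureBoot 'Enabled'
```

Keep the saved snapshot somewhere other than the protected machine so that it is still available when the restore target is being configured.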