Which policies may result in a device being unable to boot and what would the remedy be? #998
-
|
From reading the docs I've gathered that enabling the Mandatory VBS option in Defender and potentially allowing only "Good" drivers are the most likely culprits for boot failure. Are there any more I have missed? Additionally, if a boot failure does occur what are the most likely next steps to fix, without having to re-install? I would assume keeping safe mode enabled is one option (going against the recommendation in Attack surface reduction). What other steps can be taken? Thank you! |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 1 reply
-
|
This question also extends to policies that might get in the way of BIOS updates. I use an HP laptop and update the BIOS using the HP Support app. I'm afraid that any policies might get in the way of updating the BIOS and I do not want to find that out the hard way haha. |
Beta Was this translation helpful? Give feedback.
-
|
Apart from those you already mentioned nothing else comes to mind. Mandatory VBS or Boot start driver enforcing Good only drivers, are not applied by default so you'd need to explicitly select them to apply. Updating BIOS/UEFI works fine with the policies. Just make sure you have the BitLocker recovery info backed up via the app: https://github.com/HotCakeX/Harden-Windows-Security/wiki/BitLocker#backup-bitlocker-key-protectors |
Beta Was this translation helpful? Give feedback.
-
|
Would i be able to boot into safe mode to remove the policies if they cause a boot failure or would the only option be to reinstall? Thanks for all you answers across my numerous queries :) |
Beta Was this translation helpful? Give feedback.
-
|
Ah no problem, yw ^^ If boot failure is because of Boot Start Driver policy, you have to access the advanced startup settings from the recovery environment and then disable Early Launched Antimalware and Driver enforcement to boot. For boot failure caused by Mandatory VBS, you should be able to boot by turning off Secure Boot. Both of these needs physical access to the machine. If using Windows Hello, your credentials will be reset, you'll have to connect to the Microsoft Account to reset PIN at lock screen. |
Beta Was this translation helpful? Give feedback.
Apart from those you already mentioned nothing else comes to mind. Mandatory VBS or Boot start driver enforcing Good only drivers, are not applied by default so you'd need to explicitly select them to apply.
Updating BIOS/UEFI works fine with the policies. Just make sure you have the BitLocker recovery info backed up via the app: https://github.com/HotCakeX/Harden-Windows-Security/wiki/BitLocker#backup-bitlocker-key-protectors