ChubbyAnt / sedutil

SEDutil: For Intel and AMD Ryzen Systems
https://sedutil.com

SEDutil works with Windows 11 #43

Open ChubbyAnt opened 2 years ago

ChubbyAnt commented 2 years ago

TLDR -> SEDutil works fine with Windows 11 if the PC is secure boot capable and you have secure boot disabled.

I thought that Windows 11 would not work with SEDutil due to the "secure boot requirement." This is not the case.

It turns out that to install Windows 11 the PC needs to be "secure boot capable", but secure boot does not need to be enabled to install Windows 11.
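The distinction the post draws (firmware that is Secure Boot capable versus Secure Boot actually enabled) can be checked from a Linux live environment before touching the drive. The following script is an added example, not part of the sedutil project or of this thread. It reads the UEFI `SecureBoot` variable through efivarfs: under efivarfs each variable file is 4 bytes of attributes followed by the variable data, and for `SecureBoot` the data is a single byte (1 = enabled, 0 = disabled). The assumption it makes is that the mere presence of that variable is a reasonable proxy for "secure boot capable"; the Windows 11 installer's own capability check is not documented on this page.

```shell
#!/bin/sh
# Added example: classify the firmware's Secure Boot state as
# "not-capable", "disabled" (capable but turned off) or "enabled".
# 8be4df61-93ca-11d2-aa0d-00e098032b8c is the EFI global variable GUID.
EFIVAR_SB="/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state [path]
#   not-capable : the variable does not exist (legacy BIOS boot, or
#                 firmware without Secure Boot support) -- assumption, see lead-in
#   disabled    : variable present, data byte 0 (the state the thread
#                 reports as fine for both Windows 11 and the sedutil PBA)
#   enabled     : variable present, data byte 1
# The optional path lets the function be pointed at a captured copy of the
# variable instead of the live efivarfs entry.
secure_boot_state() {
  path="${1:-$EFIVAR_SB}"
  if [ ! -r "$path" ]; then
    echo "not-capable"
    return 0
  fi
  # Skip the 4 attribute bytes (-j 4), read exactly 1 byte (-N 1), print it as
  # an unsigned decimal (-t u1) with no address column (-An).
  byte=$(od -An -t u1 -j 4 -N 1 "$path" | tr -d ' \n')
  case "$byte" in
    1) echo "enabled" ;;
    0) echo "disabled" ;;
    *) echo "unknown" ;;
  esac
}

# Stand-alone use: report the state of the machine this runs on.
if [ "${SB_STATE_NO_MAIN:-}" = "" ]; then
  secure_boot_state
fi
```

On a machine with shim-signed tooling installed, `mokutil --sb-state` reports the same enabled/disabled answer; the script above only needs `od`, so it also works from a minimal rescue image.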

love2scoot commented 2 years ago

This is great news! I haven't walked through this yet; is there any requirement for a custom Win11 installer (Rufus), or can a vanilla Win11 ISO be used on a machine with secure boot simply turned off?

ChubbyAnt commented 2 years ago

I YOLO'd the Windows 11 upgrade from Windows 10 and it just worked. I have not tried a clean install yet.

lcizzle commented 10 months ago

Sorry to drag this up again. I don't know all the details but why can't the PBA use one of the bazillion UEFI Shims out there?

Ventoy, for example, supports UEFI. You just have to import the key on first boot and the PBA works through this with Secure Boot on. It looks like there isn't a technical hurdle in the way, since the PBA and Rescue both function perfectly with Secure Boot on through a 3rd-party shim.

I wouldn't really question this kind of thing but some of the apps I use actually require Secure Boot on to function.

Open-source PoC here: https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk

Microsoft also provides UEFI signing to projects.

lcizzle commented 10 months ago

Dang, I'm stupid. I can just do the whole setup and not install the PBA, then run the PBA image from Ventoy/USB and unlock the drive that way with Secure Boot enabled. Probably safer that way as well, since there won't be any PBA attack vector on the system to try and brute force.

Blacklands commented 10 months ago

Just one comment: One advantage of having a PBA on the drive's Shadow MBR is that the PBA is in a place that is read-only (enforced by the drive itself). So someone can't just come along and modify it. And you're automatically carrying it with you with the drive, nothing else needed. (Not that there aren't many other attack vectors, of course.)

But yeah, Secure Boot is better to have since it protects a bunch more parts of the whole chain, right? It would be neat if some sedutil fork got their PBA signed so it would just work with Secure Boot...