A UEFI lock is a security setting implemented through the Unified Extensible Firmware Interface (UEFI) that prevents specific operating system security features, like Credential Guard, from being easily disabled by an attacker who has gained control within the operating system.
Understanding UEFI Lock
Based on the provided reference, the primary function of a UEFI lock is to enhance the persistence and security of critical OS safeguards.
- Purpose: To prevent malicious actors from bypassing security measures by simply modifying operating system configurations, such as registry keys.
- Mechanism (as described): It works in conjunction with the UEFI firmware to enforce settings. The reference explicitly states: "Use Credential Guard with an Unified Extensible Firmware Interface (UEFI) lock to prevent an attacker from disabling the operating system with a registry key change."
- Specific Application: It is noted as an option when enabling Credential Guard:
- Enable with UEFI lock: This configuration prevents an attacker from disabling Credential Guard simply by changing a registry key. The setting is secured at a lower level (firmware), making it resistant to OS-level tampering.
- Enable without UEFI lock: "Turns on Credential Guard without an Unified Extensible Firmware Interface (UEFI) lock," meaning the security feature could potentially be disabled via OS-level changes like registry modifications, making it less secure against determined attackers who breach the OS.
In essence, the UEFI lock leverages the firmware layer to create a more robust defense, ensuring that crucial security settings remain active even if an attacker gains administrative privileges within the operating system.
