Disable boot from usb

pantos21 · ‎06-20-2017

Hello,

I need to disable boot from USB. There is no option to do this in the BIOS.

BIOS Version: F.26

BIOS Settings

Password already set

Legacy Support: Enabled

Secure Boot: Disabled

IT_WinSec · ‎06-20-2017

Hello @pantos21

Welcome to the HP Support forum. Thank you for posting.

I am unable to test 100% with your PC if such an option exist in the BIOS but if there is no option to completely disable boot from USB, I recommend you the following workaround:

- create/enable password for accessing the BIOS

- create/enable password for boot-up/HDD

- encrypt your hard disk drive using full disk encryption software. Free one available in Windows 7, 8 and 10 is Bitlocker.

>> https://en.wikipedia.org/wiki/BitLocker

>> http://www.windowscentral.com/how-use-bitlocker-encryption-windows-10

Full disk encryption software will prevent any offline attacks that can occor against your PC if someone attempts to boot the PC from a USB pen drive. The encryption is the most important part because even with USB boot disabled, somebody with physical access to the computer can still attack the OS offline and can still access the data.

Your FEEDBACK is important. Use the interactive buttons below and let me know if the post helps ;
*** HP employee *** I express personal opinion only *** Joined the Community in 2013

pantos21 · ‎06-23-2017

Alreay set password for accessing BIOS. I preffered some method that doesnt required password everytime i turn on the pc.

Also bitlocker is not available on win 7 pro

IT_WinSec · ‎06-23-2017

Hello,

There are 2 reasons why one would want to disable USB boot :

1st - security reasons - someone with physical access to the PC can boot from the USB and modify the OS in a malicious way or they might access the files

2nd - usability reasons - you want to keep some USB device permanently plugged into the PC and you don't want it to cause issue during boot (some might do so)

I am not aware of any other reasons.

With regards to 1st reason - security - you cannot enfornce security without password or without encryption.

With regards to 2nd reasons - it includes 1st one - modification and lockup of the BIOS. You have already enabled Legacy boot mode and have configured your HDD to be first boot option (on top/priority). Therefore USB will not automatically boot on the PC. Manual interaction with F9 is needed. In order to prevent this interaction, you need to enforce password and encryption.

You can go to "Security" tab of the BIOS to enable the passwords

With regards to full disk encryption and BitLocker - you are correct - Bitlocker is not available in Windows 7 Pro.

I recommend you use VeraCrypt in such a case - free and open source encryption products based on the once famous TrueCrypt.

VeraCrypt is consider very secure.

Here is more info:

>> https://www.veracrypt.fr/en/Home.html

>> https://www.howtogeek.com/howto/6169/use-truecrypt-to-secure-your-data/

Hope this helps.

Your FEEDBACK is important. Use the interactive buttons below and let me know if the post helps ;
*** HP employee *** I express personal opinion only *** Joined the Community in 2013

Create an account on the HP Community to personalize your profile and ask a question