
Why Regular Employees Should Not Boot Their Computers From External Media

In this blog article, we want to explain why regular employees should not be able to boot their work computers from external media, even if their devices are encrypted.

Security risks, especially if the computer uses unencrypted storage

There are several security risks if an employee or other unauthorized persons can boot an alternative operating system, and the computer does not use full disk encryption (FDE). Note that FDE does not only apply to traditional hard drives but also to modern storage devices such as solid-state drives (SSDs).

If an unauthorized individual can run an alternative operating system and FDE is not used, all data on the device can be read, modified, or exfiltrated. Such scenarios may be exploited for

  • bypassing security restrictions, e.g. deleting antivirus software
  • installing malware
  • gaining unauthorized system access and leaking sensitive data

FDE is a strongly recommended security measure to protect against such malicious activities.

Possible ways to boot another OS

Booting another operating system can be possible using the following external media:

  • USB drive
  • CD/DVD
  • Memory Flash Cards (SD, microSD)
  • Network (PXE)

Secure Boot is a protection mechanism that prevents booting operating systems the computer's administrator has not authorized, even if booting from external media is allowed. The UEFI firmware setup (the successor to the legacy BIOS) must be protected so that Secure Boot cannot be disabled. This is typically done by setting a UEFI password. Any change to UEFI settings, including those related to Secure Boot, then requires this password. This password should not be shared with regular employees; only authorized personnel such as IT administrators should know it.

Security risks, if FDE and Secure Boot are used

Even when Secure Boot is enabled and FDE is in use, data access may still be possible. For example, the BitPixie attack demonstrates how computers secured with both Secure Boot and FDE can still be compromised.

Other security risks, if booting from external media is possible

Another reason to prevent booting from external media is theft prevention and asset protection. If a stolen laptop cannot boot from external media, especially when FDE is used, its practical usability is significantly reduced. This lowers the device’s resale value on the black market and makes it less attractive to steal.

Unfortunately, there are also cases where disloyal employees falsely report a device as lost or stolen in order to resell or misuse it for personal purposes.

UEFI password is not enough

If the UEFI boot options are restricted and password-protected, it should not be possible, at least on Dell and HP computers, to boot from external media without knowing the correct admin password. However, last year we demonstrated that this kind of boot protection can be bypassed easily (SYSS-2025-059, SYSS-2025-060).

Therefore, we strongly recommend disabling booting from external media entirely. This helps avoid IT policy violations and enhances both asset protection and theft deterrence.
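As an added example (not code from the SySS post), the following read-only PowerShell audit reports whether the controls discussed above are in place on a Windows client: Secure Boot enabled, full disk encryption (BitLocker) active on the OS volume, and the firmware's external boot sources. The HP WMI namespace used for the firmware settings is real, but the setting names are assumed to contain "Boot" and vary by model; Dell exposes comparable data only through Dell Command | Monitor, which this example does not query.

```powershell
# Added example: audit the boot-protection controls recommended in the post.
# Run in an elevated PowerShell 5.1+ session on Windows 10/11.
function Get-BootProtectionReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems,
    #    which we treat as "not enabled".
    try {
        $report.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        $report.SecureBootEnabled = $false
    }

    # 2. FDE: the OS volume must be fully encrypted with protection turned on.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $report.OsVolumeEncrypted  = ($os.VolumeStatus -eq 'FullyEncrypted')
    $report.OsVolumeProtection = ($os.ProtectionStatus -eq 'On')
    $report.KeyProtectors      = ($os.KeyProtector | ForEach-Object KeyProtectorType) -join ','

    # 3. Firmware boot sources (HP only). Assumption: the relevant settings,
    #    e.g. USB or PXE boot, carry "Boot" in their names on this model.
    try {
        $report.FirmwareBootSettings = Get-CimInstance -Namespace 'root/HP/InstrumentedBIOS' `
            -ClassName HP_BIOSEnumeration -ErrorAction Stop |
            Where-Object Name -like '*Boot*' |
            Select-Object Name, CurrentValue
    } catch {
        # Not an HP device or namespace not readable; record that instead of failing.
        $report.FirmwareBootSettings = 'HP_BIOSEnumeration not available on this device'
    }

    # Overall verdict covers the two checks that can be evaluated vendor-independently.
    $report.Compliant = $report.SecureBootEnabled -and
                        $report.OsVolumeEncrypted -and
                        $report.OsVolumeProtection
    [pscustomobject]$report
}

Get-BootProtectionReport | Format-List
```

Review the FirmwareBootSettings list manually against your policy; a UEFI password that blocks changes to these settings cannot be detected from the running OS and must be verified at the firmware setup itself.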

A proof of concept video demonstrating a successful bypass of UEFI boot restrictions on a Dell laptop can be found on our SySS YouTube channel.

This post is licensed under CC BY 4.0 by the author.