20.68 Ensure 'Unified Extensible Firmware Interface (UEFI) firmware must be configured and run in UEFI mode, not Legacy BIOS'

Information

This policy setting ensures that systems have Unified Extensible Firmware Interface (UEFI) firmware and that the firmware is configured to run in UEFI mode, not Legacy BIOS (CSM) mode.

The STIG recommended state for this setting is: UEFI mode

UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows, including Virtualization Based Security and Credential Guard.

Solution

To configure the firmware to run in UEFI mode rather than Legacy BIOS mode:

- Open the PC BIOS/firmware setup menu. This menu can usually be accessed by pressing a key during the boot sequence, such as F1, F2, F12, or Esc.
- OR, from Windows, hold the Shift key while selecting Restart, then go to Troubleshoot > Advanced Options > UEFI Firmware Settings.
- Find the Boot Device Menu and select the command that identifies both the firmware mode and the device.
- Select UEFI mode.
- Save changes and exit. The PC will reboot.
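The following PowerShell script is an added audit helper for this control; it is not part of the CIS/STIG benchmark text or the Tenable plugin. It determines the firmware mode the Windows boot loader recorded (the PEFirmwareType registry value, 1 = Legacy BIOS, 2 = UEFI), cross-checks it against the firmware_type environment variable, queries Secure Boot state (which is only available on UEFI systems), and reports the system disk's partition style. The function names Get-FirmwareMode and Test-UefiMode are this example's own. Run it in an elevated PowerShell session on the target host.

```powershell
# Added audit helper for "UEFI mode, not Legacy BIOS" (example code, not the benchmark's own).
# Function names Get-FirmwareMode / Test-UefiMode are assumptions of this example.

function Get-FirmwareMode {
    # PEFirmwareType is written under CurrentControlSet\Control at boot:
    # 1 = Legacy BIOS, 2 = UEFI. Any other value is reported as-is.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $type = (Get-ItemProperty -Path $key -Name PEFirmwareType -ErrorAction Stop).PEFirmwareType
    switch ($type) {
        1       { 'Legacy' }
        2       { 'UEFI' }
        default { "Unknown($type)" }
    }
}

function Test-UefiMode {
    $mode = Get-FirmwareMode

    # Independent signal: Windows sets %firmware_type% to 'UEFI' or 'Legacy'.
    $envMode = $env:firmware_type

    # Confirm-SecureBootUEFI (SecureBoot module) throws on Legacy BIOS systems,
    # so a failure here is itself evidence the platform is not booted via UEFI.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }

    # UEFI boot of Windows requires a GPT system disk; Legacy boot uses MBR.
    # An MBR system disk is the usual blocker when flipping firmware to UEFI.
    $sysDisk = Get-Disk | Where-Object { $_.IsSystem -or $_.IsBoot } | Select-Object -First 1

    [pscustomobject]@{
        PEFirmwareType  = $mode
        EnvFirmwareType = $envMode
        SecureBoot      = if ($null -eq $secureBoot) { 'N/A (Legacy BIOS or unsupported)' } else { $secureBoot }
        SystemDiskStyle = $sysDisk.PartitionStyle
        Result          = if ($mode -eq 'UEFI' -and $envMode -eq 'UEFI') { 'PASS' } else { 'FAIL' }
    }
}

Test-UefiMode | Format-List
```

If the report shows Legacy with an MBR system disk, switching the firmware to UEFI mode alone will leave the system unbootable: convert the disk first with MBR2GPT (validate with `mbr2gpt /validate /disk:0 /allowFullOS`, then `mbr2gpt /convert /disk:0 /allowFullOS`, from an elevated prompt), and only then change the firmware boot mode and re-run the check. A PASS here is a prerequisite for, not proof of, Secure Boot, Virtualization Based Security, and Credential Guard; those each have their own audit items.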

Impact:

Systems with UEFI that are operating in Legacy BIOS mode will not support Virtualization Based Security and Credential Guard.

See Also

https://workbench.cisecurity.org/benchmarks/15105

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16

Plugin: Windows

Control ID: 4aaeb4b8e6b63a9689055f27fd5ccebf35e9fdca5ecff8079a91257f5007e43c