Securing Windows 11 Desktop


D

duecks

Member
Local time
10:33 AM
Posts
14
OS
WIndows 11 Pro
I was watching videos on people bypassing and resetting passwords using Hirens Boot CD and a bootable usb drive.

I thought that the windows 11 requirement of TPM was supposed to prevent that. If it does not prevent it, then how do I secure my pc against these hacks?
I do have all my drives bitlocked, secure boot enabled and a password on the bios. Is there anything I am missing?

Note: I'm not computer smart, so take it easy on me...
 
Last edited:

My Computer

System One

  • OS
    WIndows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP
This scenario is exactly one of the reasons why BitLocker should be used to protect a system drive.

An attacker with physical access to your PC may attempt to boot off an USB instance of Windows or Linux, and mount the system drive. Because they can't retrieve the BitLocker key from TPM, your copy of Windows is unreadable. The same goes if they remove your drive and temporarily move it to another PC they control.
 

My Computer

System One

  • OS
    Windows 7
Also, the best protection against such hacks is BitLocker with a pre-boot PIN or other protection mechanisms. There is no well-publicised way around it.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
duecks said:
I was watching videos on people bypassing and resetting passwords using Hirens Boot CD and a bootable usb drive.
Click to expand...
It can only bypass an useless local account password, MSA is secure by default.
 

My Computer

System One

  • OS
    Home26H2Can
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 8600G (07/24)
    Motherboard
    ASROCK B650M-HDV/M.2 (07/24) BIOS 4.21 AGESA ComboAM5 1.3.0.1 (04/26)
    Memory
    2x32GB Kingston FURY DDR5 5600 MHz CL36 @5200 CL36 (07/24)
    Graphics Card(s)
    ASROCK Radeon RX 6600 Challenger D 8G @48FPS (08/24)
    Sound Card
    Creative Sound BlasterX AE-5 Plus (05/24)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    Kingston KC3000 NVMe 2TB (05/24)
    ADATA XPG GAMMIX S11 Pro 512GB (07/19)
    PSU
    Seasonic Core GM 550 Gold (04/24)
    Case
    Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
    Cooling
    Noctua NH-U12S with Noctua NF-P12 (04/24)
    Keyboard
    HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (01/26)
    Internet Speed
    500/100 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge, Brave for YouTube, LibreWolf for FB
    Antivirus
    NextDNS blocking 1/3 Traffic
    Other Info
    Phone: Motorola Moto G86 (02/26)
    Backup: Hasleo Backup Suite (PreOS)
    Headphones: Sennheiser RS170 (09/10)
    Chair: Huzaro Force 4.4 Grey Mesh (05/24)
    Notifier: Xiaomi Mi Band 9 Milanese (10/24)
    FlexCore USB-C 3.2 Gen 1 (M) to LAN (F) (08/25)
To lock down a windows pc, the best things to do in order are:

1.) Set a bios password so that any changes to boot media require that password. Ensure that only your main drive with windows is set to boot and nothing else.

2.) Enable bitlocker/device encryption. If you have Windows 11 pro, adjust bitlocker so that a password / pin is required to boot windows.

3.) Use a microsoft account, not a local account. This protects your data and sign in from password reset tools.


Despite all this, it is important to know that anyone with access to the computer for a long time will most likely find a way in. But this makes it much harder for them.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    Ryzen 7 5700 X3D
    Motherboard
    MSI MPG B550 GAMING PLUS
    Memory
    64 GB DDR4 3600mhz Gskill Ripjaws V
    Graphics Card(s)
    RTX 4070 Super , 12GB VRAM Asus EVO Overclock
    Monitor(s) Displays
    Gigabyte M27Q (rev. 2.0) 2560 x 1440 @ 170hz HDR
    Hard Drives
    2TB Samsung nvme ssd
    4TB Western Digital nvme ssd
    PSU
    CORSAIR RMx SHIFT Series™ RM750x 80 PLUS Gold Fully Modular ATX Power Supply
    Case
    CORSAIR 3500X ARGB Mid-Tower ATX PC Case – Black
    Cooling
    ID-COOLING FROSTFLOW X 240 CPU Water Cooler
    Keyboard
    Logitech G213
    Mouse
    Logitech G203
    Internet Speed
    1.2gbps Fiber 😎
  • Operating System
    Chrome OS
    Computer type
    Laptop
    Manufacturer/Model
    HP Chromebook
    CPU
    Intel Pentium Quad Core
    Memory
    4GB LPDDR4
    Monitor(s) Displays
    14 Inch HD SVA anti glare micro edge display
    Hard Drives
    64 GB emmc
TairikuOkami said:
It can only bypass an useless local account password, MSA is secure by default.
Click to expand...
A specific Tool, don't remember which, in Sergei Strelec can also convert a Microsoft account to local account and then remove the password. But this is only if the hacker has stolen your laptop and has physical access to it and if the disk is unencrypted. If the disk is encrypted all they can do is wipe it and reinstall Windows. Surely, they can sell your laptop, but at least any sensitive information is not accessible with an encrypted drive. This is also a warning for the user! If you encrypt the drive and forget the password, then say goodbye to your data. There is NOTHING you can do, (unless you had connected your Microsoft account with the locked system and can unlock from there).
 
Last edited:

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 (5699), 25H2 (8457)
    Computer type
    Laptop
    Manufacturer/Model
    Acer Extensa 5630EZ
    CPU
    Mobile DualCore Intel Core 2 Duo T7250, 2000 MHz
    Motherboard
    Acer Extensa 5630
    Memory
    4GB
    Graphics Card(s)
    Mobile Intel(R) GMA 4500M (Mobile 4 series)
    Sound Card
    Realtek ALC268 @ Intel 82801IB ICH9 - High Definition Audio Controller
    Monitor(s) Displays
    1
    Screen Resolution
    1280x800
    Hard Drives
    Samsung SSD 850 EVO 250GB SATA Device (250 GB, SATA-III)
    Internet Speed
    VDSL 50 Mbps
    Browser
    MICROSOFT EDGE
    Antivirus
    WINDOWS DEFENDER
    Other Info
    Legacy MBR installation, no TPM, no Secure Boot, no WDDM 2.0 graphics drivers, no SSE4.2, cannot get more unsupported ;) This is only my test laptop. I had installed Windows 11 here before upgrading my main PC. For my main PC I use everyday see my 2nd system specs.
  • Operating System
    Windows 11 Pro v25H2 (build 26200.8457)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom-built PC
    CPU
    Intel Core-i7 3770 3.40GHz s1155 (3rd generation)
    Motherboard
    Asus P8H61 s1155 ATX
    Memory
    2x Kingston Hyper-X Blu 8GB DDR3-1600
    Graphics card(s)
    GIGABYTE GeForce RTX 3050 WINDFORCE OC V2 6GB (GV-N3050WF2OCV2-6GD)
    Sound Card
    Realtek HD audio (ALC887)
    Monitor(s) Displays
    Sony Bravia KDL-19L4000 19" LCD TV via VGA
    Screen Resolution
    1440x900 32-bit 60Hz
    Hard Drives
    WD Blue SA510 2.5 1000GB SSD as system disk, Western Digital Caviar Purple 4TB SATA III (WD40PURZ) as second
    PSU
    Thermaltake Litepower RGB 550W Full Wired
    Case
    SUPERCASE MIDI-TOWER
    Cooling
    Deepcool Gamma Archer CPU cooler, 1x 8cm fan at the back
    Keyboard
    Mitsumi 101-key PS/2
    Mouse
    Sunnyline OptiEye PS/2
    Internet Speed
    100Mbps
    Browser
    Microsoft Edge, Mozilla Firefox
    Antivirus
    Microsoft Windows Defender
    Other Info
    Legacy BIOS (MBR) installation, no TPM, no Secure Boot, WDDM 3.0 graphics drivers, WEI score 7.4
spapakons said:
A specific Tool, don't remember which, in Sergei Strelec can also convert a Microsoft account to local account and then remove the password. But this is only if the hacker has stolen your laptop and has physical access to it and if the disk is unencrypted.
Click to expand...
That must have been some old or vulnerable version, system files are always encrypted, even if disk is not.
But yes, Bitlocker provides an additional protection, still I would never trust a local password for safety.
TPM 2.0 Flaw (CVE-2025-2884) - This means a malicious actor with local access could extract sensitive TPM data by abusing this flaw, or potentially disrupt the security module through a denial-of-service (DoS) attack. The TPM is central to processes like system authentication, disk encryption, and credential storage—so even partial access can have severe implications for OS integrity and data privacy.
Click to expand...
 

My Computer

System One

  • OS
    Home26H2Can
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 8600G (07/24)
    Motherboard
    ASROCK B650M-HDV/M.2 (07/24) BIOS 4.21 AGESA ComboAM5 1.3.0.1 (04/26)
    Memory
    2x32GB Kingston FURY DDR5 5600 MHz CL36 @5200 CL36 (07/24)
    Graphics Card(s)
    ASROCK Radeon RX 6600 Challenger D 8G @48FPS (08/24)
    Sound Card
    Creative Sound BlasterX AE-5 Plus (05/24)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    Kingston KC3000 NVMe 2TB (05/24)
    ADATA XPG GAMMIX S11 Pro 512GB (07/19)
    PSU
    Seasonic Core GM 550 Gold (04/24)
    Case
    Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
    Cooling
    Noctua NH-U12S with Noctua NF-P12 (04/24)
    Keyboard
    HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (01/26)
    Internet Speed
    500/100 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge, Brave for YouTube, LibreWolf for FB
    Antivirus
    NextDNS blocking 1/3 Traffic
    Other Info
    Phone: Motorola Moto G86 (02/26)
    Backup: Hasleo Backup Suite (PreOS)
    Headphones: Sennheiser RS170 (09/10)
    Chair: Huzaro Force 4.4 Grey Mesh (05/24)
    Notifier: Xiaomi Mi Band 9 Milanese (10/24)
    FlexCore USB-C 3.2 Gen 1 (M) to LAN (F) (08/25)
TairikuOkami said:
That must have been some old or vulnerable version, system files are always encrypted, even if disk is not.
But yes, Bitlocker provides an additional protection, still I would never trust a local password for safety.
Click to expand...
That's is the standard method of removing a password if one of my clients forgot it. Boot with Serget Strelec WinPE and run the appropriate unlock utility. For a local account, just remove the password or change it with a new password. Obviously the old password is not required to do that. If it is a Microsoft account, convert it to local account first and then remove the password or change it. Again the original password is not required. If the drive is encrypted and requires a key to unlock, and there is no Microsoft account connected to that device to unlock it, the only solution is to kiss goodbye any data, wipe it and reinstall Windows. That's why I recommend to NEVER forget your password or avoid locking your system just in case. I understand that you prefer a laptop or tablet encrypted so nobody can access your data if stolen, but I find it a little too much to lock a desktop computer, especially if you are the only one using it at home. Yes, I could create a second user account and put a password so that my son or wife cannot access my own data, but encrypting the entire drive is too much and risky if I forget the password, so I would rather avoid it.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 (5699), 25H2 (8457)
    Computer type
    Laptop
    Manufacturer/Model
    Acer Extensa 5630EZ
    CPU
    Mobile DualCore Intel Core 2 Duo T7250, 2000 MHz
    Motherboard
    Acer Extensa 5630
    Memory
    4GB
    Graphics Card(s)
    Mobile Intel(R) GMA 4500M (Mobile 4 series)
    Sound Card
    Realtek ALC268 @ Intel 82801IB ICH9 - High Definition Audio Controller
    Monitor(s) Displays
    1
    Screen Resolution
    1280x800
    Hard Drives
    Samsung SSD 850 EVO 250GB SATA Device (250 GB, SATA-III)
    Internet Speed
    VDSL 50 Mbps
    Browser
    MICROSOFT EDGE
    Antivirus
    WINDOWS DEFENDER
    Other Info
    Legacy MBR installation, no TPM, no Secure Boot, no WDDM 2.0 graphics drivers, no SSE4.2, cannot get more unsupported ;) This is only my test laptop. I had installed Windows 11 here before upgrading my main PC. For my main PC I use everyday see my 2nd system specs.
  • Operating System
    Windows 11 Pro v25H2 (build 26200.8457)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom-built PC
    CPU
    Intel Core-i7 3770 3.40GHz s1155 (3rd generation)
    Motherboard
    Asus P8H61 s1155 ATX
    Memory
    2x Kingston Hyper-X Blu 8GB DDR3-1600
    Graphics card(s)
    GIGABYTE GeForce RTX 3050 WINDFORCE OC V2 6GB (GV-N3050WF2OCV2-6GD)
    Sound Card
    Realtek HD audio (ALC887)
    Monitor(s) Displays
    Sony Bravia KDL-19L4000 19" LCD TV via VGA
    Screen Resolution
    1440x900 32-bit 60Hz
    Hard Drives
    WD Blue SA510 2.5 1000GB SSD as system disk, Western Digital Caviar Purple 4TB SATA III (WD40PURZ) as second
    PSU
    Thermaltake Litepower RGB 550W Full Wired
    Case
    SUPERCASE MIDI-TOWER
    Cooling
    Deepcool Gamma Archer CPU cooler, 1x 8cm fan at the back
    Keyboard
    Mitsumi 101-key PS/2
    Mouse
    Sunnyline OptiEye PS/2
    Internet Speed
    100Mbps
    Browser
    Microsoft Edge, Mozilla Firefox
    Antivirus
    Microsoft Windows Defender
    Other Info
    Legacy BIOS (MBR) installation, no TPM, no Secure Boot, WDDM 3.0 graphics drivers, WEI score 7.4
You must log in or register to reply here.

Similar threads

Casting an iPhone to a Windows 11 Desktop
Replies
2
Views
4K
PerpetualCycle
PerpetualCycle
No AI Overview showing on Edge running Windows 11 desktop?
Replies
3
Views
3K
jvickers
jvickers
Android phone not recognised by Windows 11 desktop PC
Replies
7
Views
10K
Scott
Scott
MS Windows 11 Desktop Search (default feature)
Replies
6
Views
1K
ajaxStardust
ajaxStardust
  • Sticky
  • Article Article
WIP Windows 11 25H2+ Unattended Setup & App Integration Guide
Replies
17
Views
415
TraderGary
TraderGary

Latest Support Threads

Latest Tutorials

Back
Top Bottom