What does this control check?

The BootOptions control verifies that your computer's boot security features are properly configured. On Windows, this checks that Secure Boot is enabled. On macOS, this checks that System Integrity Protection and other boot security features are active.

Important: Boot security features protect your computer from the moment it starts up, before your operating system even loads. They prevent malicious software (including rootkits and bootkits) from loading during startup and tampering with your system at a fundamental level. Disabling these features is typically only done by advanced users for specific technical reasons, but it significantly weakens your computer's security.

Why is this important?

Rootkit Prevention

Boot security features prevent sophisticated malware from loading before your operating system starts, where it would be nearly impossible to detect and remove.

System Integrity

These features verify that only trusted, unmodified software runs during startup, ensuring your system hasn't been tampered with by attackers or malware.

Core OS Protection

Boot security protects critical system files and processes from modification, even by users with administrator privileges, preventing accidental or malicious system damage.

How to fix this

Enabling Secure Boot on Windows

Note: Enabling Secure Boot requires accessing your computer's UEFI/BIOS firmware settings. The exact steps vary by manufacturer (Dell, HP, Lenovo, etc.).

Check if Secure Boot is supported:

  1. Press Windows + R to open Run
  2. Type msinfo32 and press Enter
  3. Look for "Secure Boot State" in the System Summary
  4. If it says "Unsupported", your device doesn't support Secure Boot
  5. If it says "Off", you need to enable it in UEFI settings

Enable Secure Boot (general steps):

  1. Restart your computer
  2. During startup, press the BIOS/UEFI key (usually F2, F10, F12, Del, or Esc)
  3. Look for a Security, Boot, or Authentication menu
  4. Find the Secure Boot option
  5. Change it from Disabled to Enabled
  6. Save changes and exit (usually F10 to save and exit)
  7. Your computer will restart with Secure Boot enabled

⚠️ Important notes:
  • This is a technical procedure - contact IT support if you're unsure
  • The BIOS/UEFI key and menu layout vary by manufacturer
  • Some older computers don't support Secure Boot
  • If you dual-boot with Linux, enabling Secure Boot may cause issues
  • Take a photo of current BIOS settings before making changes

Restoring Boot Security on macOS

⚠️ This requires IT support assistance:
  • Fixing boot security issues on macOS typically requires advanced technical knowledge
  • The process involves booting into Recovery Mode and using Terminal commands
  • Incorrect changes can make your Mac unbootable
  • Please contact your IT support team for assistance with this control

Why boot security might be disabled:

System Integrity Protection (SIP) and secure boot settings are usually only disabled intentionally for specific development or troubleshooting purposes. Common reasons include:

  • Installing certain developer tools or kernel extensions
  • Running older software that's incompatible with security features
  • Troubleshooting system issues under IT guidance

In most cases, these features should be re-enabled after the specific task is complete.

For IT Support: Boot security settings are controlled via Recovery Mode. Use csrutil enable to enable SIP and check nvram boot-args for any security-disabling flags (amfi parameters, etc.).

Verifying the fix

After enabling boot security features, Citadel will automatically verify this control during its next check.

To verify Secure Boot is enabled:

  1. Press Windows + R to open Run
  2. Type msinfo32 and press Enter
  3. Look for "Secure Boot State" in the System Summary
  4. It should show "On"
  5. Also check "BIOS Mode" - it should show "UEFI" (not "Legacy")

To verify SIP is enabled:

  1. Open Terminal (in Applications → Utilities)
  2. Type: csrutil status
  3. Press Enter
  4. It should show "System Integrity Protection status: enabled"
  5. If it shows "disabled" or lists disabled features, contact IT support
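
For IT support, the two macOS checks described above (csrutil status and nvram boot-args) can be scripted. The following is an added example, not Citadel's own check logic; the function names and the SAMPLE_* outputs are constructed for illustration, and only boot-args tokens beginning with "amfi" are flagged.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; SAMPLE_* values are constructed.

# sip_state TEXT: classify `csrutil status` output as enabled|partial|disabled|unknown.
sip_state() {
    case "$1" in
        *"status: disabled"*) echo disabled ;;
        # A custom configuration lists individual features as disabled.
        *"Custom Configuration"* | *": disabled"*) echo partial ;;
        *"status: enabled"*) echo enabled ;;
        *) echo unknown ;;
    esac
}

# risky_boot_args TEXT: print each token of `nvram boot-args` output that starts
# with "amfi". The variable name is dropped, then tokens are split one per line.
risky_boot_args() {
    printf '%s\n' "$1" |
        sed -n 's/^boot-args[[:space:]]*//p' |
        tr -s ' \t' '\n\n' |
        grep '^amfi' || true   # no match is not an error
}

# boot_security_verdict SIP_TEXT NVRAM_TEXT: print PASS, or FAIL with the reasons.
boot_security_verdict() {
    state=$(sip_state "$1")
    flags=$(risky_boot_args "$2" | paste -sd, -)
    if [ "$state" = enabled ] && [ -z "$flags" ]; then
        echo PASS
    else
        echo "FAIL sip=$state flags=${flags:-none}"
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_SIP_OK='System Integrity Protection status: enabled.'
SAMPLE_SIP_CUSTOM=$(printf 'System Integrity Protection status: unknown (Custom Configuration).\n\nConfiguration:\n\tKext Signing: disabled')
SAMPLE_NVRAM_FLAGGED=$(printf 'boot-args\t-v amfi_placeholder_flag=1')

boot_security_verdict "$SAMPLE_SIP_OK" ""
boot_security_verdict "$SAMPLE_SIP_CUSTOM" "$SAMPLE_NVRAM_FLAGGED"

# On a Mac, evaluate the live values as well.
if command -v csrutil >/dev/null 2>&1; then
    boot_security_verdict "$(csrutil status)" "$(nvram boot-args 2>/dev/null)"
fi
```

A FAIL line names what to fix: sip=partial or sip=disabled points to csrutil enable in Recovery Mode, and any listed flags point to the boot-args value.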