With Protected Routerboot enabled you do not enter etherboot (aka netinstall mode) as described here:
https://help.mikrotik.com/docs/display/ ... -Etherboot
the above link only applies with protected routerboot disabled
the settings to configure are
/system routerboard settings
set protected-routerboot=enabled
set reformat-hold-button=x
set reformat-hold-button-max=y
starting with version 6.49.1 (this in only in the 6.49 line afaik, not in 6.48 and older, or v7 -yet!) you need to physically press the reset button (mode button might also work if your device has one, not sure) within 60s of issuing the 'set protected-routerboot=enabled' command
with this enabled all normal function of the reset button is disabled, no more access to caps mode, reset config, or backup bootloader(unsure on this one). You also cannot access etherboot normally. The LED behavior will be different, instead of normal blinking pattern it will come on 1s, off 1s to help you count time. you must hold the reset button somewhere between whatever you set 'reformat-hold-button' and 'reformat-hold-button-max'
i.e. if you set them to 15s and 20s respectively then you would have to hold it down for a min of 15 seconds and release before 20s has passed. at this point it will format the entire flash on the routerboard. and then it will go to etherboot for you to netinstall it
the min/max hold time is your protection against device theft. its pretty hard to brute force as it must be done manually and has potential to make stealing devices a lot harder.
edit: this only really protects against physical theft and some ransom attempts. it does not make up for someone gaining unauthorized login to your router. you still need a strong password for login and a secure firewall config