How to Enable or Disable Secure Boot in UEFI
(replaces BIOS) has a firmware validation process, called secure boot
, which is defined in Chapter 27 of the UEFI 2.3.1 specification. Secure boot defines how platform firmware manages security certificates, validation of firmware, and a definition of the interface (protocol) between firmware and the operating system. Secure boot prevents “unauthorized” operating systems and software from loading during the startup process.
For more information about secure boot, see:
- UEFI allows firmware to implement a security policy
- Secure boot is a UEFI protocol not a Windows 8 feature
- UEFI secure boot is part of Windows 8 secured boot architecture
- Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
- Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
- OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
- Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows
This tutorial will show you how to enable or disable secure boot
in your PC's UEFI
Any PC with a Windows 8 logo sticker has secure boot enabled by default. Secure boot can make Windows 8 very resistant to low-level malware such as rootkits.
If you have secure boot enabled, you may sometimes need to disable secure boot first before being able to boot from a USB flash drive depending on your UEFI firmware settings.
If you would like to post screenshots of your motherboard's secure boot settings, then please do. Here are some others posted so far:
Arm based Windows RT PCs and devices will have a locked boot loader, so you will not be able to disabled secure boot on them.
Do not enable secure boot with Windows 7, Vista, or XP installed. If you do, these OSs will not boot until secure boot is disabled.
EXAMPLE: "SecureBoot isn't configured correctly" watermark in Windows 8.1
You will see this watermark on the bottom right corner of your desktop if you have Windows 8.1 installed with UEFI and secure boot is not configured correctly even when enabled. To remove this watermark, you will just need to enable and configure secure boot correctly.
Sometimes the watermark doesn't go away even if you correct the settings in UEFI/BIOS or your BIOS doesn't support this feature at all.
Microsoft has acknowledged this issue and released a hotfix KB2902864
to solve this problem. Once you install this hotfix, it'll remove the annoying watermark from your Windows 8.1 desktop.
Windows 8.1 users who have the "SecureBoot isn't configured correctly" watermark on the desktop, can download this hotfix from the following links:
Update removes the "Windows 8.1 SecureBoot isn't configured correctly" watermark in Windows 8.1 and Windows Server 2012 R2
Enable or Disable Secure Boot on ASRock Motherboards
This steps below are for how to enable or disable secure boot on an ASRock X79 Extreme11 UEFI motherboard.
These steps will vary depending on what brand and model number your PC or UEFI motherboard is, so please read it's manual to compare with the steps below for how to do so with your specific PC and motherboard.
1. Do step 2 or 3 below depending on how you would like to boot to the UEFI firmware settings.
2. Boot to UEFI Firmware Settings in Windows 8/8.1 "Advanced Options" UI
3. Boot to UEFI Firmware Settings at Boot
NOTE: This step can be used with any 32-bit or 64-bit Windows installed.
A) During the initial stages at boot, press the DELETE key to enter UEFI firmware settings, and go to step 4 below.
NOTE: Your PC may use another key to press instead, so be sure to read your PC's manual and/or the boot screen to see what key to press.
4. In the motherboard's UEFI firmware settings, click/tap on the Security menu, select the Secure Boot option, and click/tap/press Enter to enable or disable it. (see screenshots below)
5. If you enabled secure boot, then click/tap on the "Install default Secure Boot keys" option. (see screenshot below)
NOTE: This is to configure secure boot.
A) Click/tap on Yes to approve. (see screenshot below)
B) Secure boot has now been enabled and configured. (see screenshot below)
8. Click/tap on the Exit menu, and click/tap on Save Changes and Exit (reboot). (see screenshot below)
NOTE: You can usually also press the F10 to save changes and exit.
9. The computer will now restart to startup Windows.
Enable or Disable Secure Boot on Acer PCs
Enable or Disable Secure Boot on HP PCs