Secure Boot - Enable or Disable in UEFI

How to Enable or Disable Secure Boot in UEFI

UEFI (which replaces BIOS) has a firmware validation process, called secure boot, which is defined in Chapter 27 of the UEFI 2.3.1 specification. Secure boot defines how platform firmware manages security certificates, how firmware is validated, and the interface (protocol) between firmware and the operating system. Secure boot prevents “unauthorized” operating systems and software from loading during the startup process.

Quick summary

  • UEFI allows firmware to implement a security policy
  • Secure boot is a UEFI protocol, not a Windows 8 feature
  • UEFI secure boot is part of Windows 8 secured boot architecture
  • Windows 8 utilizes secure boot to ensure that the pre-OS environment is secure
  • Secure boot doesn’t “lock out” operating system loaders, but is a policy that allows firmware to validate authenticity of components
  • OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform
  • Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows

For more information about secure boot, see:



This tutorial will show you how to enable or disable secure boot in your PC's UEFI settings.

Any PC with a Windows 8 logo sticker has secure boot enabled by default. Secure boot can make Windows 8 very resistant to low-level malware such as rootkits.

If you have secure boot enabled, you may need to disable it before you can boot from a USB flash drive, depending on your UEFI firmware settings.


If you would like to post screenshots of your motherboard's secure boot settings, then please do. Here are some others posted so far:


Warning
ARM-based Windows RT PCs and devices will have a locked boot loader, so you will not be able to disable secure boot on them.

If you have a Windows 8.1 device that has the device encryption feature turned on and disable secure boot, then you may not be able to access the data on the disk until you enable secure boot again.

Do not enable secure boot with Windows 7, Vista, or XP installed. If you do, these OSs will not boot until secure boot is disabled.


EXAMPLE: "SecureBoot isn't configured correctly" watermark in Windows 8.1

SecureBoot_isn't_configured_correctly_watermark.jpg

You will see this watermark on the bottom right corner of your desktop if you have Windows 8.1 installed with UEFI and secure boot is not configured correctly even when enabled. To remove this watermark, you will just need to enable and configure secure boot correctly.

Sometimes the watermark doesn't go away even after you correct the settings in UEFI/BIOS, or because your BIOS doesn't support this feature at all.

Microsoft has acknowledged this issue and released a hotfix KB2902864 to solve this problem. Once you install this hotfix, it'll remove the annoying watermark from your Windows 8.1 desktop.

Windows 8.1 users who have the "SecureBoot isn't configured correctly" watermark on the desktop can download this hotfix from the following links:

Update removes the "Windows 8.1 SecureBoot isn't configured correctly" watermark in Windows 8.1 and Windows Server 2012 R2






OPTION ONE

Enable or Disable Secure Boot on ASRock Motherboards



The steps below show how to enable or disable secure boot on an ASRock X79 Extreme11 UEFI motherboard.

These steps will vary depending on the brand and model number of your PC or UEFI motherboard, so please read its manual and compare it with the steps below to see how to do this on your specific PC and motherboard.


1. Do step 2 or 3 below depending on how you would like to boot to the UEFI firmware settings.

2. Boot to UEFI Firmware Settings in Windows 8/8.1 "Advanced Options" UI

A) Boot to the UEFI Firmware Settings, then go to step 4 below. (see screenshot below)

Advanced-options.jpg

3. Boot to UEFI Firmware Settings at Boot
NOTE: This step can be used with any 32-bit or 64-bit Windows installed.

A) During the initial stages at boot, press the DELETE key to enter UEFI firmware settings, and go to step 4 below.
NOTE: Your PC may use another key to press instead, so be sure to read your PC's manual and/or the boot screen to see what key to press.

4. In the motherboard's UEFI firmware settings, click/tap on the Security menu, select the Secure Boot option, and click/tap/press Enter to enable or disable it. (see screenshots below)


Asrock_X79_Extreme_11_Secure-Boot-1.jpg


5. If you enabled secure boot, then click/tap on the "Install default Secure Boot keys" option. (see screenshot below)
NOTE: This is to configure secure boot.


Asrock_X79_Extreme_11_Secure-Boot-2.jpg




A) Click/tap on Yes to approve. (see screenshot below)


Asrock_X79_Extreme_11_Secure-Boot-3.jpg


B) Secure boot has now been enabled and configured. (see screenshot below)

Secure_Boot-1.jpg

8. Click/tap on the Exit menu, and click/tap on Save Changes and Exit (reboot). (see screenshot below)
NOTE: You can usually also press F10 to save changes and exit.


Secure_Boot-2.jpg

9. The computer will now restart and start Windows.






OPTION TWO

Enable or Disable Secure Boot on Acer PCs



1. See: How to Enable or Disable Secure Boot

[video=youtube;5nG4zMdrHKs]






OPTION THREE

Enable or Disable Secure Boot on HP PCs



1. See: Secure Boot (Windows 8) | HP® Support


c03980379.jpg



That's it,
Shawn
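
To confirm from inside Windows that the firmware change took effect, and to tell "disabled" apart from "enabled but no keys installed" (the state that step 5 of Option One fixes), here is an added example that is not part of the original tutorial. It uses the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets; the function name `Get-SecureBootSummary` is hypothetical, and it must be run from an elevated PowerShell prompt on Windows 8 or later.

```powershell
# Added example, not from the tutorial. Get-SecureBootSummary is a hypothetical name.
function Get-SecureBootSummary {
    $r = [ordered]@{
        FirmwareMode       = 'UEFI'
        SecureBootActive   = $null   # what the firmware is enforcing right now
        SetupMode          = $null   # $true means no Platform Key (PK) is enrolled
        PlatformKeyPresent = $null
        Meaning            = ''
    }
    try {
        # Returns $true/$false on UEFI boots; throws when Windows was booted in legacy mode.
        $r.SecureBootActive = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch [System.PlatformNotSupportedException] {
        $r.FirmwareMode = 'Legacy BIOS / CSM'
        $r.Meaning = 'Secure Boot is unavailable while Windows is booted in legacy mode.'
        return [pscustomobject]$r
    }
    catch [System.UnauthorizedAccessException] {
        throw 'Access denied: start PowerShell with "Run as administrator".'
    }

    # SetupMode is a one-byte UEFI variable: 1 = setup mode, 0 = user mode.
    try { $r.SetupMode = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0] -eq 1 }
    catch { $r.SetupMode = $null }   # not every firmware exposes it to the OS

    # Reading PK fails when no Platform Key has been installed.
    try { $r.PlatformKeyPresent = @((Get-SecureBootUEFI -Name PK -ErrorAction Stop).Bytes).Count -gt 0 }
    catch { $r.PlatformKeyPresent = $false }

    $r.Meaning = if ($r.SecureBootActive) {
        'Secure Boot is enabled and enforced.'
    }
    elseif ($r.SetupMode -or -not $r.PlatformKeyPresent) {
        'No keys installed: firmware cannot enforce Secure Boot. Install the default Secure Boot keys in the firmware settings.'
    }
    else {
        'Keys are installed but Secure Boot is switched off in the firmware settings.'
    }
    [pscustomobject]$r
}

Get-SecureBootSummary | Format-List
```

Run it again after saving the firmware settings and rebooting; `SecureBootActive` reflects what the firmware reports for the current boot, not the menu setting.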


 

Please feel free to post screenshots of these UEFI firmware settings for your brand and model of PC or motherboard to help others. :)
 
Apparently this does not work on all systems.

I have tried this with UEFI enabled and with UEFI disabled and booting from Legacy Bios mode. I get stuck in an endless loop at the Advanced Options screen. When I click "UEFI Firmware Settings" I get a screen that says Reboot to change Firmware Settings, and when I hit its restart button, it brings me back to my normal boot options prompt, which of course only gives me the same options I always have to go back to the system recovery options. The loop starts over. I never see any page that actually has firmware settings I can change. On hitting the Restart button, Delete doesn't do anything. I have looked through my Maintenance and Service Guide and it does not even mention UEFI, only the options for Legacy Bios mode.

I have read that with UEFI we should be able to disable settings, even change or add our own secure boot keys, or even delete Microsoft's key if needed from such a settings page. UEFI is supposed to have way more flexibility than Legacy Bios. Sadly, I cannot access this on my new HP Pavilion G7. Anyone else have this problem or a workaround for it?

I can disable Secure Boot in Legacy Bios Settings but only by enabling Legacy Bios. (I can access the Legacy Bios settings to switch manually between using Legacy Mode and UEFI's mode with Secure Boot; in other words, what I'm calling Legacy Bios Settings looks exactly like normal Legacy Bios.) If I try to disable Secure Boot in this manner, Legacy Bios gets enabled. If I try to enable Legacy Bios, Secure Boot gets disabled. It really acts as a toggle switch. (I understand this is not a true Legacy Bios but a legacy Bios compatibility layer running within UEFI.)

I was hoping I could keep UEFI Mode enabled and, through the UEFI Firmware Settings, only disable Secure Boot, leaving UEFI intact, but I never see any page similar to the above. I wanted to do this because I am trying to get other operating systems installed for dual boot with Windows 8 and I wanted them to still run under UEFI and not have to take a step backward and use Legacy Bios, something I did not want to do. I thought if I could leave UEFI intact and only disable Secure Boot via the Firmware Settings, it would help me with these installs. I have UEFI bootloaders that should let UEFI see and install these OSes, yet something still is keeping them from installing. I assume that something to be Secure Boot.
 
Hello Dark Rider,

Yeah, unfortunately each manufacturer may have their own way of doing this. The tutorial is more of a guide to use with your manual to help on how to do it.

When you restart after clicking on the "UEFI Firmware Settings" option, are you able to quickly press Esc and then F10 from page 78 of your HP Pavilion G7-2251dx PC's manual below?

Your manual is pretty lacking (none) in any details for UEFI. I couldn't find anything either in it.

Manual.jpg
 
Yes, I can hit Esc and then F10 which only brings me to my normal looking Legacy bios settings. They are no different than if I go into bios settings at any other time. It's just the same bios we are all used to, not a special UEFI Firmware Settings page.

Edit:

I have contacted HP about this issue. Seems all non-ARM PCs are required by Microsoft's hardware certification to allow the user the ability to disable Secure Boot. HP may be in breach of contract if they are not allowing this on purpose. (HP is known for not giving full access to bios settings.) Info here: If I buy a computer with Windows 8 and Secure Boot, will I still be able to install Linux? - Super User, and here: Windows Hardware Certification Requirements for Client and Server Systems. See sections 14, 17 and 18.
 
Hi Dark Rider,

I was wondering what you'd heard from HP on this issue. I've been waiting to attempt to make my Win 8 HPdv7 a dual-boot Win7/8 box b/c Win8 has been such a nightmare in terms of updates breaking things, loss of functionality, etc. Have you made any headway?

Thanks so much!
 
I actually did make some headway. HP over the course of the past few weeks sent out multiple Bios upgrades. I of course used the HP Support Assistant to download and install every one of them and even had them all verified as updating successfully. Seems they are still finding and fixing bugs with this system and UEFI bios. But the updates didn't work right for everyone even though they were verified. To give me the ability to disable Secure Boot, I had to roll back to an earlier bios version and reinstall the updates over again. If you're lucky, this will catch and start working correctly. (It also helps to download and initialize these installs from Legacy Bios Mode and not when UEFI mode is running, using HP Support Assistant.)

On top of that HP makes things very confusing because the UEFI Firmware Settings page is exactly the same as the Legacy Bios page. There is nothing you will see that's any different - the only thing you will notice is some functionality change. Now, you can disable Secure Boot while still using UEFI and it will not switch to Legacy Bios mode by default. This way you are still in UEFI mode with Secure Boot disabled.

Hope this helps. HP still does not allow the correct functionality of being able to delete or add your own Secure Boot Keys as is required by Microsoft in the "Windows Hardware Certification Requirements for Client and Server Systems" as mentioned above. Hopefully they will have a bios update to fix this oversight soon.

BTW, here is a closer look at UEFI. UEFI has many great features but it's buggy as hell and lots of those features (even without Secure Boot enabled) can give more problems than it's worth. The code is buggy and there are no good standards to help fix these problems as of yet. EFI and Linux: the future is here, and it's awful - Matthew Garrett - YouTube. The first half of this tells you the benefits of UEFI and the last tells of its nightmares. It's clearly not ready as an IO platform yet and Microsoft was dead wrong to insist on OEMs using it.
 
Thanks so much, Dark Rider!! I'm still very nervous about trying to do this, but it's impossible not to have a fully functional box for any longer. :)
 
Using an ASUS P8Z77-V Pro motherboard, it's worded slightly differently
1) In advanced mode after hitting the delete key to get into the UEFI settings, click the boot tab
130209143533.png

2) Scroll down to "secure boot"
130209143548.png

3) Click OS type, and then click Other OS, I am presuming this is another way of saying Secure boot disabled, looking at the description on the right
130209143937.png
130209143941.png

4) Click exit in the top right and then click save changes and reset
130209143950.png
 
Thank you Danspy. I added this motherboard to the Note box for others to reference to help them with. :)
 
What is the secure boot, enable or disable for anyway.
I believe it is to check if the Windows bootloader being used is not malware or tampered with, this means GRUB may not work, I have also read somewhere that it is to make sure that the copy of Windows you are using is authentic.
 

Hello Jimbo,

In addition, see the information and link in the green information box at the top of the tutorial for more about "Secure Boot". :)
 

So if you wanted to run a Linux distro you have to disable the secure boot because of the open source code and not being MS certified if you were using the UEFI bios. With the legacy bios, that's not an issue.
 
Yeah, you're right, using the legacy BIOS, there shouldn't be a problem.
 

You can install Linux with uEFI enabled, but not with Secure Boot enabled.

HTG Explains: How Windows 8′s Secure Boot Feature Works & What It Means for Linux - How-To Geek

Installing Linux

There’s nothing stopping computers from also shipping with Ubuntu’s certificate. Linux distributions can also publish their own certificate and ask users to install it – or ask them to disable secure boot entirely. Fedora will be paying $99 for Microsoft’s signing services, so Fedora will install on any Windows 8-certified PC with no additional configuration required. Other Linux distributions could also take this route.


Security Advantages

The traditional BIOS will boot any software. Normally, your BIOS boots the Windows boot loader or maybe a Linux boot loader, like GRUB. However, it’s possible for malware, such as a rootkit, to replace your boot loader. The rootkit could load your normal operating system with no indication that anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the difference between malware and a trusted boot loader, so it allows either to boot.

Windows 8 PCs will ship with Microsoft’s certificate stored in UEFI (and possibly other certificates, depending on the manufacturer). UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft – if a rootkit or another malware program does replace your boot loader, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.


By setting your uEFI/BIOS firmware to Secure Boot DISABLED, you can install

  • Windows 7 x64
  • Linux x64

in uEFI mode.

NOTE: Check your manufacturer's uEFI BIOS manual for settings.
 