Computer and Software Support

 Things to know about Secure Boot UEFI

Windows 8

What is Secure Boot UEFI? Each device that is UEFI certified has a code built into it, and the UEFI checks that code when the system boots up. If the UEFI doesn't detect the code on a device, Windows will boot into a protected mode to give you a chance to fix the issue, but nothing will run until you do. This is to prevent a virus from infecting the system. A virus can infect the boot sector, which is used before you get into Windows. If the boot sector is infected, your anti-virus will not see it, because the anti-virus doesn't get turned on until you enter Windows, and by then it is too late. Secure Boot UEFI protects against that.

If you are planning to install Windows 8 and want to use Secure Boot UEFI, there are a couple of things you need to be aware of. You have to make sure all your hardware is UEFI certified. This includes the following (you may not have all of these, and you may have other devices that are not listed):

  • Motherboard (be sure the BIOS is up to date)

  • CD-ROM

  • Video card (may be part of the motherboard. If that is the case and the motherboard is UEFI, then it is certified also)

  • Sound card (may be part of the motherboard. If that is the case and the motherboard is UEFI, then it is certified also)

  • Network card (may be part of the motherboard. If that is the case and the motherboard is UEFI, then it is certified also)

As mentioned above, this is not the entire list, because configurations vary.

If you decide to use secure boot, make sure all your devices are certified for it.

If you have a device that is not certified, you won't be told during the install. Before you install, the BIOS will state UEFI is enabled for that device. All devices in the boot order have to be set to UEFI. A device will be labeled with UEFI if it is compliant. If you don't see the devices labeled as UEFI and you start the install of Windows, Windows will not be set to UEFI. When you look at MSINFO, it will tell you it is not.

Once Windows is installed, you cannot enable Secure Boot UEFI. To enable it, you have to either update the device that is not certified to UEFI (by updating its firmware, if firmware is available for it) or physically disconnect the drive. You will then have to reinstall Windows (not just the data). If you delete and reinstall, you will need to back up your files or you will lose them.


ANOTHER NOTE: When you are setting the BIOS to boot to Secure Boot and you are planning on booting from the CD-ROM drive to install Windows, on some systems you will see the CD-ROM listed twice. Make sure you select the correct one, because one will be UEFI and the other won't. If you select the wrong one, Secure Boot will not be enabled.

To find out if Secure Boot is enabled in Windows, click here.
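One way to check this from an elevated PowerShell prompt on Windows 8 or later, as an added example that is not part of the original page. It uses the built-in `Confirm-SecureBootUEFI` and `Get-Disk` cmdlets; the function name `Get-SecureBootStatus` is a hypothetical helper, and the GPT/MBR check assumes that a UEFI-mode Windows install sits on a GPT disk.

```powershell
# Added example: report firmware mode and Secure Boot state.
# Get-SecureBootStatus is a hypothetical helper name, not a built-in cmdlet.
# Run from an elevated PowerShell prompt on Windows 8 or later.

function Get-SecureBootStatus {
    $status = [ordered]@{
        FirmwareMode  = 'Unknown'
        SecureBoot    = 'Unknown'
        BootDiskStyle = 'Unknown'
    }

    try {
        # Returns $true or $false when Windows was installed in UEFI mode.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $status.FirmwareMode = 'UEFI'
        $status.SecureBoot   = if ($enabled) { 'Enabled' } else { 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        # Raised when Windows is running in legacy BIOS mode or the
        # firmware has no Secure Boot support.
        $status.FirmwareMode = 'Legacy BIOS or no Secure Boot support'
        $status.SecureBoot   = 'Not available'
    }
    catch [System.UnauthorizedAccessException] {
        # The cmdlet needs administrator rights to read firmware variables.
        $status.SecureBoot = 'Access denied (run elevated)'
    }
    catch {
        $status.SecureBoot = "Check failed: $($_.Exception.Message)"
    }

    # Assumption: a UEFI-mode install uses a GPT disk, so MBR here points
    # to Windows having been installed in legacy mode.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    if ($bootDisk) {
        $status.BootDiskStyle = [string]$bootDisk.PartitionStyle
    }

    [pscustomobject]$status
}

Get-SecureBootStatus | Format-List
```

A result of `FirmwareMode : UEFI` with `SecureBoot : Disabled` means Windows was installed in UEFI mode but Secure Boot is switched off; an `MBR` boot disk matches the case described above where Windows was not set to UEFI during the install.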


NOTE: If you have a CD-ROM or DVD-ROM drive that is not UEFI compliant, you can still use the device after Windows is installed. If you are going to install Windows, you must disconnect any non-compliant drives during the install. If you do not do that, Secure Boot will not be enabled. Even if you are not using the device, it has to be set to UEFI. For example, say you have two CD-ROM drives, drive letter D and drive letter E. You are using drive D to install Windows but you are not using drive E. Drive D is UEFI compliant but drive E is not. Even though you are not using drive E, it will keep Windows from being set to Secure Boot. You will need to either update drive E or disable it (disconnect it from the system) before installing Windows.

If Secure Boot is not enabled during the install of Windows, the only way to activate it is to wipe Windows off the system and reinstall. Before installing Windows, go into the BIOS and make sure the drives are labeled UEFI. If you do not see that, the drive is not set to UEFI and Windows will not be in Secure Boot mode.


NOTE: Once Windows is installed, you can reconnect the non-UEFI device. It will not affect Secure Boot once Windows is installed.