Secure Boot and UEFI Boot
Secure Boot and UEFI boot are two technologies that go hand in hand to enhance the security and capabilities of a modern PC system.
Secure Boot uses a signature to ensure that the operating system loader is trusted. In other words, if the operating system loader is damaged by a malicious attack, such as by a virus or malware, the system can detect this and prevent the system from booting. This gives the system administrator awareness of a problem; the system can be cleaned and then restored to normal service, protecting the users data.
UEFI boot is an alternative to the legacy method of booting an operating system, known as the "BIOS". The way the system firmware interacts with the operating system is different and more flexible. For example, bootable devices greater than 2TB in size are supported. However, the operating system has to be UEFI aware - for example, Windows XP cannot boot if UEFI is enabled in the BIOS - and the disk needs to be partitioned using a newer method known as GPT, as opposed to the older MBR (master boot record) method.
Additionally, you will usually need to reinstall or redeploy a system if you change to UEFI mode after original installation. If you are using Windows images, you may need to build a new image.
Note: Some BIOSes have a UEFI-CSM mode. CSM stands for compatibility support mode. In this mode, UEFI features are enabled, and things such as Secure Boot will still work. However with CSM, the BIOS will detect the boot partition on the bootable media and enable MBR support as required. In this way, it is still possible to use MBR partitioned disks and Windows installations after moving to UEFI mode.
What do I need to get UEFI or Secure Boot Functionality?
Generally, most 7 or 8 series chipset based systems have BIOSes that have been developed with UEFI support and secure boot support in mind.
Some 6 series based systems have a mixture of capabilities:
- H61 based systems: Usually have Secure Boot and UEFI boot capability with a BIOS update. Some manufacturers (i.e. MSI) have release a specific version of the motherboard with Windows 8 - and thus Secure boot and UEFI support.
- H67 / Q67 based systems: Usually have UEFI capability, often available after a BIOS update. Often Secure boot functionality is missing. Customers looking to buy Windows 8 capable systems in 2012 either bought H61 (with a BIOS update) or B75/H77/Q77/Z77 motherboards; there was no need for the motherboard manufacturers to make these systems secure boot capable.
Older systems, such as those based on the 4 or 5 series chipsets do not generally have UEFI or secure boot capabilities.
What Mode Should I Be Using?
Windows 8 / Windows 8.1
Generally secure boot should be ENABLED. For secure boot to operate, UEFI boot must also be enabled.
Windows 7
Secure boot is not supported by Windows 7. UEFI boot is supported but many IT departments prefer to leave UEFI boot disabled to preserve compatibility with operating system images.
Windows 7 and Windows 8 Dual boot
As secure boot is not supported by Windows 7, this will need to be disabled. Leave UEFI boot disabled if you prefer to maintain compatibility with non-UEFI software images.
Windows Vista
Windows Vista does not support Secure boot or UEFI boot. These need to be disabled for Windows Vista.
I Have Changed the Motherboard in the System and Windows won't Start
In this situation, it is best to configure the BIOS to the recommended secure boot and UEFI settings depending on the operating system that is installed on the machine.
What If I want to Boot from a Hard Disk Larger than 2TB?
If you want to boot from a hard disk larger than 2TB, you need the following:
- UEFI to be enabled in the BIOS
- The disk must be partitioned as GPT (if you try and install Windows when UEFI only mode has been selected, this partitioning method is usually selected automatically).
- You need a UEFI compliant version of Windows - Windows 7 is capable; Windows 8.1 is recommended. Windows XP and Windows Vista are not UEFI capable.
Remember: If you want to use UEFI boot with Windows 7 or Windows 8, then UEFI boot should be turned on before you install the operating system. If you want to share an operating system images between machines, the UEFI, Secure boot and SATA controller mode settings should be identical between the machines.
Applies to:
- Desktop and laptop systems with 6, 7 or 8 series motherboards.