What is Secure Boot? What is UEFI Boot?

Secure Boot and UEFI Boot

Secure Boot and UEFI boot are two technologies that go hand in hand to enhance the security and capabilities of a modern PC system.

Secure Boot uses a signature to ensure that the operating system loader is trusted. In other words, if the operating system loader is damaged by a malicious attack, such as by a virus or malware, the system can detect this and prevent the system from booting. This gives the system administrator awareness of a problem; the system can be cleaned and then restored to normal service, protecting the users data.

UEFI boot is an alternative to the legacy method of booting an operating system, known as the "BIOS". The way the system firmware interacts with the operating system is different and more flexible. For example, bootable devices greater than 2TB in size are supported. However, the operating system has to be UEFI aware - for example, Windows XP cannot boot if UEFI is enabled in the BIOS - and the disk needs to be partitioned using a newer method known as GPT, as opposed to the older MBR (master boot record) method.

Additionally, you will usually need to reinstall or redeploy a system if you change to UEFI mode after original installation. If you are using Windows images, you may need to build a new image.

Note: Some BIOSes have a UEFI-CSM mode. CSM stands for compatibility support mode. In this mode, UEFI features are enabled, and things such as Secure Boot will still work. However with CSM, the BIOS will detect the boot partition on the bootable media and enable MBR support as required. In this way, it is still possible to use MBR partitioned disks and Windows installations after moving to UEFI mode.

What do I need to get UEFI or Secure Boot Functionality?

Generally, most 7 or 8 series chipset based systems have BIOSes that have been developed with UEFI support and secure boot support in mind.

Some 6 series based systems have a mixture of capabilities:

Older systems, such as those based on the 4 or 5 series chipsets do not generally have UEFI or secure boot capabilities.

What Mode Should I Be Using?

Windows 8 / Windows 8.1

Generally secure boot should be ENABLED. For secure boot to operate, UEFI boot must also be enabled.

Windows 7

Secure boot is not supported by Windows 7. UEFI boot is supported but many IT departments prefer to leave UEFI boot disabled to preserve compatibility with operating system images.

Windows 7 and Windows 8 Dual boot

As secure boot is not supported by Windows 7, this will need to be disabled. Leave UEFI boot disabled if you prefer to maintain compatibility with non-UEFI software images.

Windows Vista

Windows Vista does not support Secure boot or UEFI boot. These need to be disabled for Windows Vista.

I Have Changed the Motherboard in the System and Windows won't Start

In this situation, it is best to configure the BIOS to the recommended secure boot and UEFI settings depending on the operating system that is installed on the machine.

What If I want to Boot from a Hard Disk Larger than 2TB?

If you want to boot from a hard disk larger than 2TB, you need the following:

Remember: If you want to use UEFI boot with Windows 7 or Windows 8, then UEFI boot should be turned on before you install the operating system. If you want to share an operating system images between machines, the UEFI, Secure boot and SATA controller mode settings should be identical between the machines.

Applies to:

Article ID: 212
Last updated: 22 Aug, 2017
Revision: 9
Stone Branded Products -> Desktop PCs and All-in-One (AIO) -> Frequently Asked Questions (FAQ) -> What is Secure Boot? What is UEFI Boot?