IT Connect

Information technology tools and resources at the UW

How to enable Secure Boot

Why configure Secure Boot?

This type of hardware restriction protects the operating system from rootkits and other attacks that may not be detected by antivirus software.  The Managed Workstation Service recommends configuring your device to support Secure Boot, though it is not required.

What is Secure Boot?

Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer.  It is supported on modern versions of Windows, and many distributions of Linux and variants of BSD.  When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system.1  Secure Boot does not encrypt the storage on your device and does not require a TPM.  When Secure Boot is enabled, the operating system and any other boot media must be compatible with Secure Boot.

Preparation checklist

  1. Secure Boot must be enabled before an operating system is installed.  If an operating system was installed while Secure Boot was disabled, it will not support Secure Boot and a new installation is required.
  2. Secure Boot requires a recent version of UEFI.  Window Vista SP1 and later support UEFI.  Update the firmware if you are in doubt, or if you don’t see the options you expect in the system menu.
  3. Secure Boot requires Windows 8.0 or higher.  This includes WinPE 4 and higher, so modern Windows boot media can be used.
  4. To turn on the necessary system firmware options, you may need to set a system password on some devices.

Step-by-step guide

  1. First, take note of the make and model of the machine that you are going to prepare.  Many manufacturers update their device’s UEFI support and update the system settings menu choices with firmware updates, so consider updating to the latest version.
  2. Boot into the system settings by powering on the system and using the manufacturer’s method for accessing the system settings.  On an HP device, this is often F10 and for a Dell it is F2.
  3. Navigate the menu and select UEFI as the boot mode.  Many menus present UEFI and Legacy as the choices, others may offer UEFI and BIOS.  Some devices may offer three choices, like UEFI native, UEFI hybrid (or UEFI + CSM), and Legacy.  In each case, choose UEFI or UEFI native.  You may also have an option to disable legacy boot methods, and this is recommended.
  4. Next, navigate to the Secure Boot option and turn it on.  On some devices, you must first reboot once after enabling UEFI and return to the settings menu in order to enable Secure Boot.
  5. It is recommended, but not required, to enable the TPM and virtualization support options as well, in order to enable other security features used by Windows.  Early Launch Antimalware, Measured Boot, Device Guard, Credential Guard, and BitLocker variously require these settings.2
  6. Save the changes and exit the menu.  You can now boot to media that supports Secure Boot and install an operating system.  A Windows installation optical disc, USB storage device, or LiteTouch media will work.  Windows will partition storage with GPT partitions instead of MBR.
  7. After the operating system is installed, you can verify that Secure Boot is enabled at a PowerShell prompt if the cmdlet Confirm-SecureBootUEFI returns the value ‘true’.  You can also open msinfo32.exe and check that the value for Secure Boot State is “on”.

Note: UEFI USB boot requires that USB disks should be have at least 4 gigabytes of capacity, the boot mode should be set to UEFI or UEFI native and not UEFI+CSM or UEFI Hybrid, and you may have to disable Fast Boot or Quick Boot on some systems.

1 https://technet.microsoft.com/en-us/library/hh824987.aspx

2 https://blogs.technet.microsoft.com/deploymentguys/2016/08/01/security-implications-of-upgrading-to-windows-10/