Ondrej Sevecek's English Pages

February 13
How to enable UEFI secure boot for Windows

There is pretty limited information about how to enable UEFI Secure Boot in order to use some advanced security features, such as virtual smart cards (since Windows 8) or Credential Guard (Device Guard) (since Windows 10). Both features require the BIOS/firmware feature called Secure Boot, and Windows must detect its presence and know about it.

Essentially, the Secure Boot feature means that the firmware verifies the digital signatures of boot components, such as the boot loaders, by trusting the digital signing certificates of some vendor (such as Microsoft). Operating system vendors, such as Microsoft, supply hardware vendors with their signature certificates, which must be properly installed in the BIOS to verify the boot components.

I already made this work on an Acer TravelMate P645-S with Insyde H20 BIOS and also on a Gigabyte Z97-D3H desktop motherboard with American Megatrends F7 BIOS. The Gigabyte was a bit harder, but I convinced it finally (after 3,5 hours of rebooting :-))

  • verify that your OS is really Windows 8 or newer :-)
  • check whether you already have Secure Boot enabled with msinfo32 (look up the field called Secure Boot), or use the Confirm-SecureBootUEFI cmdlet, which is available since Windows 8.1. The following picture shows the final desired and correct state:

  • verify that your boot drive and partitions/volumes are really UEFI. You must have the EFI system partition instead of the legacy System Reserved partition marked as active. The EFI partition is FAT32 formatted and is not marked as active, because its partition identifier is either 0xFF (on MBR disks) or C12A7328-F81F-11D2-BA4B-00A0C93EC93B (on GPT disks). You can verify this in the Disk Management console. Using bcdedit you should also be able to verify that the paths reference the bootmgfw.efi (Windows Boot Manager) and winload.efi (Windows Boot Loader) loaders. Finally, if you are booting with UEFI instead of the traditional BIOS path, msinfo32 will also tell you that BIOS Mode is set to UEFI. The third picture shows a state in which the UEFI BIOS mode and boot are enabled correctly, with Secure Boot off because of some error:

  • in the BIOS you may have to enable the Supervisor password or Administrator password, or whatever the BIOS setup password is called.

  • disable all non-UEFI boot settings, and especially disable the CSM (Compatibility Support Mode), which allows the firmware to load legacy OpROMs (installable UEFI drivers) that are not Secure Boot compliant. Even if you have disabled all the legacy OpROMs individually, you should still disable the CSM altogether. The first picture shows the CSM still enabled with all settings set to UEFI only, which is not sufficient. Only the second picture, with CSM disabled, worked for me.

  • you must have Intel TXT or Intel TXT (LT) enabled in bios/firmware as well
  • you must have Execute Disable Bit setting enabled too

  • the vendor default Secure Boot keys must be populated in firmware correctly, provided you are really running an operating system supported by your vendor, which Windows 8.1 and newer hopefully should be. To verify this, for example on my Gigabyte UEFI DualBIOS, when enabling Secure Boot in the BIOS there is an option for Secure Boot Mode Standard or Secure Boot Mode Custom. Although you should have the mode set to Standard, switching it to Custom allows you to check the status of the Key Management options. If it tells you something like Not installed, switch Default Key Provisioning to Enabled and then select Install default Secure Boot keys. After that you can switch Default Key Provisioning back to Disabled and change the Secure Boot Mode back to Standard.


  • no, Secure Boot does not require a TPM to be installed, enabled, owned by the current OS or anything else. TPM is a completely separate technology, which might be good to have for Credential Guard but is not required (only recommended), while you do need it for virtual smart cards. It definitely does not affect the Secure Boot detection state.
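
The Windows-side checks from the list above (BIOS mode, EFI system partition, bcdedit loader paths, Confirm-SecureBootUEFI) can be collected in one read-only pass. This is an added example, not part of the original post; the function name Test-SecureBootPrerequisite is made up for illustration, and it assumes an elevated Windows PowerShell 5.1 session (Get-ComputerInfo) on a GPT boot disk. The firmware-only settings (CSM, Intel TXT, key provisioning) cannot be read this way and still have to be checked in firmware setup.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the Secure Boot prerequisites that
# Windows itself can report. Nothing here changes any setting.

function Test-SecureBootPrerequisite {   # hypothetical helper name
    $result = [ordered]@{}

    # Firmware mode as Windows sees it; msinfo32 shows the same as "BIOS Mode".
    $result.BiosMode = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # EFI system partition on a GPT disk, identified by its partition type GUID.
    $espGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
    $esp = Get-Partition | Where-Object { $_.GptType -eq $espGuid }
    $result.EfiSystemPartition = [bool]$esp

    # The boot entries should reference the .efi loaders, not the legacy ones.
    $result.BootManagerIsEfi = [bool](bcdedit /enum '{bootmgr}' |
        Select-String -SimpleMatch 'bootmgfw.efi')
    $result.BootLoaderIsEfi = [bool](bcdedit /enum '{current}' |
        Select-String -SimpleMatch 'winload.efi')

    # Confirm-SecureBootUEFI returns $true or $false on UEFI systems and
    # throws on a legacy BIOS boot, so the error is recorded, not fatal.
    try {
        $result.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        $result.SecureBoot = "Unsupported ($($_.Exception.Message))"
    }

    [pscustomobject]$result
}

$state = Test-SecureBootPrerequisite
$state | Format-List

# UEFI boot with Secure Boot off is the "some error" state described above.
if ($state.SecureBoot -ne 'On') {
    Write-Warning 'Secure Boot is not active: recheck CSM and the default Secure Boot keys in firmware setup.'
}
```

If BiosMode reports Uefi and both loader checks are True while SecureBoot is Off, the remaining causes are the firmware-side items in the list (CSM still enabled or keys not installed).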

Have fun!
