Power on the system. As soon as the first logo screen appears, immediately press Delete to enter UEFI / BIOS. Use the right arrow key to select Authentication. With Secure Boot highlighted, press Enter and then the down arrow to select Disabled. Use the right arrow key to select Boot Options.
Modern PCs ship with a feature called “Secure Boot” enabled. This is a platform feature in UEFI, which replaces the traditional PC BIOS. If a PC manufacturer wants to place a “Windows 10” or “Windows 8” logo sticker to their PC, Microsoft requires they enable Secure Boot and follow some guidelines.
Unfortunately, it also prevents you from installing some Linux distributions, which can be quite a hassle.
How Secure Boot Secures Your PC’s Boot Process
Secure Boot isn’t just designed to make running Linux more difficult. There are real security advantages to having Secure Boot enabled, and even Linux users can benefit from them.
A traditional BIOS will boot any software. When you boot your PC, it checks the hardware devices according to the boot order you’ve configured, and attempts to boot from them. Typical PCs will normally find and boot the Windows boot loader, which goes on to boot the full Windows operating system. If you use Linux, the BIOS will find and boot the GRUB boot loader, which most Linux distributions use.
However, it’s possible for malware, such as a rootkit, to replace your boot loader. The rootkit could load your normal operating system with no indication anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the difference between malware and a trusted boot loader–it just boots whatever it finds.
Secure Boot is designed to stop this. Windows 8 and 10 PCs ship with Microsoft’s certificate stored in UEFI. UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft. If a rootkit or another piece of malware does replace your boot loader or tamper with it, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.
How Microsoft Allows Linux Distributions to Boot with Secure Boot
This feature is, in theory, just designed to protect against malware. So Microsoft offers a way to help Linux distributions boot anyway. That’s why some modern Linux distributions–like Ubuntu and Fedora–will “just work” on modern PCs, even with Secure Boot enabled. Linux distributions can pay a one-time fee of $99 to access the Microsoft Sysdev portal, where they can apply to have their boot loaders signed.
Linux distributions generally have a “shim” signed. The shim is a small boot loader that simply boots the Linux distributions main GRUB boot loader. The Microsoft-signed shim checks to ensure it’s booting a boot loader signed by the Linux distribution, and then the Linux distribution boots normally.
Ubuntu, Fedora, Red Hat Enterprise Linux, and openSUSE currently support Secure Boot, and will work without any tweaks on modern hardware. There may be others, but these are the ones we’re aware of. Some Linux distributions are philosophically opposed to applying to be signed by Microsoft.
How You Can Disable or Control Secure Boot
If that was all Secure Boot did, you wouldn’t be able to run any non-Microsoft-approved operating system on your PC. But you can likely control Secure Boot from your PC’s UEFI firmware, which is like the BIOS in older PCs.
There are two ways to control Secure Boot. The easiest method is to head to the UEFI firmware and disable it entirely. The UEFI firmware won’t check to ensure you’re running a signed boot loader, and anything will boot. You can boot any Linux distribution or even install Windows 7, which doesn’t support Secure Boot. Windows 8 and 10 will work fine, you’ll just lose the security advantages of having Secure Boot protect your boot process.
You can can also further customize Secure Boot. You can control which signing certificates Secure Boot offers. You’re free to both install new certificates and remove existing certificates. An organization that ran Linux on its PCs, for example, could choose to remove Microsoft’s certificates and install the organization’s own certificate in its place. Those PCs would then only boot boot loaders approved and signed by that specific organization.
An individual could do this, too–you could sign your own Linux boot loader and ensure your PC could only boot boot loaders you personally compiled and signed. That’s the kind of control and power Secure Boot offers.
What Microsoft Requires of PC Manufacturers
Microsoft doesn’t just require PC vendors enable Secure Boot if they want that nice “Windows 10” or “Windows 8” certification sticker on their PCs. Microsoft requires PC manufacturers implement it in a specific way.
For Windows 8 PCs, manufacturers had to give you a way to turn Secure Boot off. Microsoft required PC manufacturers to put a Secure Boot kill switch in users’ hands.
For Windows 10 PCs, this is no longer mandatory. PC manufacturers can choose to enable Secure Boot and not give users a way to turn it off. However, we’re not actually aware of any PC manufacturers that do this.
Similarly, while PC manufacturers have to include Microsoft’s main “Microsoft Windows Production PCA” key so Windows can boot, they don’t have to include the “Microsoft Corporation UEFI CA” key. This second key is only recommended. It’s the second, optional key that Microsoft uses to sign Linux boot loaders. Ubuntu’s documentation explains this.
In other words, not all PCs will necessarily boot signed Linux distributions with Secure Boot turned on. Again, in practice, we haven’t seen any PCs that did this. Perhaps no PC manufacturer wants to make the only line of laptops you can’t install Linux on.
For now, at least, mainstream Windows PCs should allow you to disable Secure Boot if you like, and they should boot Linux distributions that have been signed by Microsoft even if you don’t disable Secure Boot.
Secure Boot Couldn’t Be Disabled on Windows RT, but Windows RT is Dead
RELATED:What Is Windows RT, and How Is It Different from Windows 8?
All of the above is true for standard Windows 8 and 10 operating systems on the standard Intel x86 hardware. It’s different for ARM.
On Windows RT—the version of Windows 8 for ARM hardware, which shipped on Microsoft’s Surface RT and Surface 2, among other devices—Secure Boot couldn’t be disabled. Today, Secure Boot still can’t be disabled on Windows 10 Mobile hardware–in other words, phones that run Windows 10.
![Disable Disable](/uploads/1/2/4/8/124804897/810520595.png)
That’s because Microsoft wanted you to think of ARM-based Windows RT systems as “devices,” not PCs. As Microsoft told Mozilla, Windows RT “isn’t Windows anymore.”
However, Windows RT is now dead. There’s no version of the Windows 10 desktop operating system for ARM-hardware, so this isn’t something you have to worry about anymore. But, if Microsoft does bring back Windows RT 10 hardware, you likely won’t be able to disable Secure Boot on it.
Image Credit: Ambassador Base, John Bristowe
READ NEXT- › How to Use the vmstat Command on Linux
- › How to Scan (or Rescan) For Channels on Your TV
- › Why Video Doorbells Are the Best Smarthome Gadget
- › How to Report Phishing and Malicious Websites in Google Chrome
- › How to Search All Your PC’s Files in Windows 10’s Start Menu
To make sure that Windows 10 remains safe from Malware, Microsoft enabled support for Secure Boot which works on top of UEFI. Secure Boot makes sure that when your PC boots up, it only uses firmware which is trusted by the manufacturer. However, many a time because of some hardware misconfiguration, you will need to disable Secure Boot in Windows 10.
If you are wondering what is UEFI, then it expands to Unified Extensible Firmware Interface and is the next generation of the popular BIOS. It’s secure, can hold more data, much faster than BIOS, and is almost like a tiny operating system that runs on top of the PC’s firmware, and it can do a lot more than a BIOS. Best part, it can be updated by the OEM over Windows Update.
It’s because of UEFI, Windows 10 offers security features like Secure Boot, Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Exploit Guard. Below is a list of features you get:
- Faster boot and resume times.
- It easily supports large hard drives (more than 2 terabytes) and drives with more than four partitions.
- Support for multicast deployment, which allows PC manufacturers to broadcast a PC image that can be received by multiple PCs without overwhelming the network or image server.
- Support for UEFI firmware drivers, applications, and option ROMs.
Disable Secure Boot in Windows 10
Just before you jump to disable Secure Boot, because you can, let’s find out if your PC has Secure Boot.
Open Windows Defender Security Center, and click on Device Security.
In the next screen if you see Secure Boot mentioned, then your PC has it, else it doesn’t. If it’s available, you will know if it actually turned on for your PC. We recommend you to turn it on.
If you want to have Secure Boot on your PC, you will need to buy a new one from the OEM which supports it.
Assuming, you have Secure Boot, and its turned on, let’s figure out how to disable it. Make sure to read out guide completely, especially the warning messages at the end of the post.
- Go to Settings > Windows Update, and check if you have anything to download, and install. OEMs send and update the list of trusted hardware, drivers, and operating systems for your PC.
- Once done, you need to go to the BIOS of your PC.
- Go to Settings > Update & Security > Advanced Startup options.
- Then you click on Restart Now, it will reboot your PC, and offer you all these advanced options.
- Select Troubleshoot > Advanced Options.
- This screen offers further options which include System restore, Startup repair, Go back to the previous version, Command Prompt, System Image Recovery, and UEFI Firmware Settings.
- Select UEFI Firmware Settings, and it will take to the BIOS.
- Every OEM has their own way of implementing the options. Secure Boot is usually available under Security / Boot / Authentication Tab.
- Set it to Disabled.
- Save changes and exit. The PC will reboot.
After this, you can change your graphics card or any other hardware which you believe is giving you trouble. Make sure to follow the same steps again, and this time enables the Secure Boot.
Warning if you are disabling Secure Boot
After disabling Secure Boot and installing other software and hardware, it may be difficult to re-activate Secure Boot without restoring your PC to the factory state. Also be careful when changing BIOS settings. The BIOS menu is designed for advanced users, and it’s possible to change a setting that could prevent your PC from starting correctly. Be sure to follow the manufacturer’s instructions exactly.
TIP: Download this tool to quickly find & fix Windows errors automatically
Related Posts:
Download this VPN to secure all your Windows devices and browse anonymously