• March 4, 2024

Secure Boot – what is it in BIOS and how to disable it

Computer viruses have become an integral part of our lives. Even people who have never used a computer have heard of them. To improve protection against malicious software, the Secure Boot protocol was introduced. This article explains in detail what it is and how to turn it off.

What is Secure Boot and when might you need to disable it?

Secure Boot is one of the innovations introduced with UEFI. UEFI, in turn, is the successor to the BIOS and is likewise responsible for preparing and loading the OS. The BIOS can be considered a very simple utility with a primitive interface that is flashed into the motherboard. UEFI performs the same functions, but it is a far more polished and advanced program. For example, with some persistence you can even view the contents of connected drives from UEFI, which would have been an incredible innovation for the BIOS.

The creators of UEFI were not guided by aesthetic motives alone. One of the important development goals was to detect and limit the impact of malware. The technology was meant to prevent malware from loading along with the operating system (OS) and from executing at the OS kernel level after startup. This mission fell to the Secure Boot protocol. Technically, it was implemented with a cryptographic scheme based on public and private keys (electronic digital signatures, EDS). In general, the goals were achieved, but in practice this required specific, correct actions not only from users but also from manufacturers of computer equipment. Describing the whole process would take a long time, so let’s focus on the key features:

  • software components (drivers, OS loaders) carry special EDS; EDS are also stored in the motherboard firmware, but their characteristics differ;
  • before using computer resources, components must prove by means of an EDS that they are not viruses;
  • a key security factor is the private key, which ideally should be unique to each PC.

Difficulties with the technology began at the implementation stage, when Microsoft announced that it would use the protocol to restrict the installation of other operating systems on computers with Windows preinstalled. Those plans were later abandoned under public pressure, but the bad aftertaste remained. Today, the main difficulty is that motherboard manufacturers use the same private keys for all their products or for individual product lines. In any case, good intentions have led to a dead end.

In the vast majority of cases, Secure Boot is worth disabling to solve one of two problems:

  1. If the OS is not installed or loaded.
  2. If it is impossible to boot from a bootable USB flash drive.

Secure Boot by itself puts no load on the system, as it works at a lower software level. Disabling the protocol will definitely not improve the responsiveness of the system or increase the speed of the processor.

How to disable Secure Boot protection in BIOS?

Note that some users mistakenly think that Secure Boot is disabled in the BIOS. That rather primitive firmware does not have, never had, and cannot have Secure Boot support. This security protocol works exclusively on UEFI and must be disabled there. The source of the mistake is simple: over the years, users have become accustomed to the idea that everything that appears on the screen before the OS loads is the BIOS. In fact, the days of the BIOS are passing, and it is already obsolete in every respect.

Examples of disabling Secure Boot on different laptops and motherboards

The general algorithm is always the same:

  1. Enter UEFI.
  2. Find the desired option.
  3. Disable Secure Boot.
  4. Save the changes.

It is important to note that this security protocol is only supported on Windows 8 and later. Therefore, if Secure Boot is enabled in your motherboard firmware but Windows 7 is installed on your PC, you do not need to disable anything. The secure boot option does not work in that case anyway, and you need to look elsewhere for the cause of problems with starting the OS.

How to disable Secure Boot and UEFI on Acer Aspire laptop?

There are many models of laptops from this manufacturer, but the specifics are such that you first need to create your own password. The general algorithm of action is as follows:

  • go to BIOS-UEFI by pressing the F2 or Delete key;
  • go to the “Security” tab, select the “Set Supervisor Password” option;
  • in a special window, enter the password 2 times. Don’t go overboard, use a simple combination;
  • success will be confirmed by the message “Changes have been saved”;
  • go to the “Boot” tab and in the “Boot Mode” line enter the value “Legacy”;
  • press F10 and save the changed settings;
  • on the next reboot, enter UEFI again;
  • go to the “Security” tab, select the “Set Supervisor Password” option, enter the previously specified password;
  • go to the “Boot” tab and in the “Secure Boot” line enter the value “Disabled”;
  • save the changes again.

Disabling Secure Boot on Pavilion notebooks and other HP models

  1. To enter the BIOS, press ESC or ESC => F10 before starting Windows.
  2. Go to the “System Configuration” tab, and in it find the line “Boot Options”.
  3. Set the “Secure Boot” option to “Disabled” and the “Legacy support” option to “Enabled”.
  4. The system will ask if you are really ready to change the settings – confirm this by clicking on “Yes”.
  5. Finally, you need to save the changes made by pressing F10 and confirming “Yes”.

Be careful at the next reboot. The system will play it safe and show a “foolproof” confirmation. Look at what follows the message “Operating System Boot Mode Change (021)”: there will be a numerical sequence. Type it in and press Enter. If you only need to disable Secure Boot, nothing further is required. If the goal was to boot from a USB drive, then immediately after passing the “foolproof” check press ESC, and then F9. Give the required flash drive the highest priority so that it boots before the hard drive.

On Dell laptops

  1. Press F12 immediately after turning on the computer and before the OS starts.
  2. In the top panel, go to the Boot tab and open the UEFI BOOT subsection.
  3. Set the “Secure Boot” option to “Disabled”.
  4. Save changes (F10 => “Yes”) and restart the laptop.

Secure Boot on Lenovo and Toshiba laptops

To enter UEFI on these devices, you need to press F12, and then do the following:

  • go to the “Security” tab;
  • set the “Secure Boot” option to “Disabled”;
  • go to the “Advanced” tab and open the “System Configuration” menu;
  • set the “Boot Mode (OS Mode Selection)” option to “CSM Boot (CMS OS), (UEFI and Legacy OS)”;
  • save everything by pressing F10 => “Yes”.

Disable Secure Boot on motherboards

The desktop motherboard market is quite conservative, and the clear leaders are two companies: Asus and Gigabyte. They supply more than half of all equipment, so it makes the most sense to cover deactivating Secure Boot for these manufacturers. Third and fourth places have long been held by MSI and ASRock, so the top four consists entirely of Taiwanese companies. Bottom line: there are no fundamental differences in the instructions anyway, and most users will find below exactly what they are looking for.

Note that in some cases you can go to UEFI directly from Windows (version 8 and later). To do this, try the following:

  • On the right side of the desktop, open the slide-out panel.
  • Then follow the path: “Parameters” => “Changing parameters …” => “Updating and …” => “Restoring”;
  • In the window that appears, find the option to reboot the system and set this line to “UEFI Settings” or “UEFI Firmware Settings”;
  • Then click on “Restart”, and UEFI should start automatically.

How do I disable Secure Boot on a Gigabyte motherboard?

After entering UEFI (by pressing F12 before starting the OS), proceed as follows:

  • go to the “BIOS Features” tab;
  • set the “Windows 8 Features” option to “Other OS”;
  • set “Boot Mode Selection” to “Legacy only” or “UEFI and Legacy” (there is not much difference between them);
  • set “Other PCI Device ROM Priority” to “Legacy OpROM”.

Finally, save the changes by pressing F10 => “OK”.

Asus motherboards and laptops

Note first that it is on this manufacturer’s motherboards that the following error most often appears when loading the OS: “Invalid signature detected. Check Secure Boot Policy in Setup.” In most cases, the fix is to disable Secure Boot, which requires the following:

  • go to UEFI – press F2, Delete or the Fn + F2 key combination before loading the OS;
  • on the initial screen, press F7 (Advanced Mode), and then go to the “Boot” => “Secure Boot Menu”;
  • in the “Secure Boot State” line, specify the value “Enabled”, and in the “OS Type” line, “Other OS”;
  • go back one level to the “Boot” menu => “Compatibility Support Module (CSM)”;
  • set the “Launch CSM” line to “Enabled”, the “Boot Device Control” line to “UEFI and Legacy …” or “Legacy OpROM …”, and the “Boot From Storage Devices” line to “Both Legacy opROM first” or “Legacy opROM first”;
  • then press F10 and save all changes, and then check the correctness of the settings.

Specifically for Asus laptops, the algorithm will be as follows:

  • go to UEFI;
  • go to the “Security” tab;
  • find the line “Secure Boot Control”, specify the value “Disabled” in it;
  • go to the “Boot” tab;
  • find the line “Fast Boot” and set it to “Disabled”, then set the line “Launch CSM” to “Enabled”.

How do I know if Secure Boot is enabled on Windows?

This protocol is easy to activate and deactivate, and there are several proven ways to check its current status:

  1. Using System Information. Open the Run dialog: press the Win + R key combination, enter msinfo32 in the line that appears and press Enter. A new window will appear. Make sure System Information is selected in its left pane. In the right pane, look for the “Secure Boot Status” line, which has only 2 values: “Enable” and “Disable”.
  2. Using PowerShell. In the Run dialog, run the powershell command. A new window will open; enter the following in it: Confirm-SecureBootUEFI. If the answer is “True”, the option is active; if “False”, it is deactivated. If a different message appears, the motherboard does not support the Secure Boot function.
  3. Empirically. Create a bootable Windows USB flash drive and try to boot from it after restarting your computer. If everything is successful, then the option is disabled; otherwise, a message will be displayed saying that booting is impossible for security reasons.
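
The PowerShell check from item 2, wrapped so that its outcomes are told apart; this is an added example, not part of the original article. Besides True and False, Confirm-SecureBootUEFI can fail because the platform lacks UEFI or Secure Boot, or because the session is not elevated, and only the first of those means "not supported". The function name Get-SecureBootStatus is hypothetical; the registry value it falls back to is the state Windows itself records at boot.

```powershell
# Added example: classify the Secure Boot state of the local Windows host.
# Get-SecureBootStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-SecureBootStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        Computer = $env:COMPUTERNAME
        Status   = 'Unknown'
        Source   = $null
        Detail   = $null
    }

    try {
        # Returns $true / $false on UEFI systems; requires an elevated session.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $result.Status = if ($enabled) { 'Enabled' } else { 'Disabled' }
        $result.Source = 'Confirm-SecureBootUEFI'
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS/CSM boot, or firmware without Secure Boot support.
        $result.Status = 'NotSupported'
        $result.Source = 'Confirm-SecureBootUEFI'
        $result.Detail = $_.Exception.Message
    }
    catch {
        # Usually "access denied" in a non-elevated session. That says nothing
        # about the firmware, so read the state Windows stored in the registry.
        $result.Detail = $_.Exception.Message
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
        $reg = Get-ItemProperty -Path $key -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue
        if ($null -ne $reg) {
            $result.Status = if ($reg.UEFISecureBootEnabled -eq 1) { 'Enabled' } else { 'Disabled' }
            $result.Source = 'Registry'
        }
    }

    [pscustomobject]$result
}

Get-SecureBootStatus | Format-List
```

Running this again after a temporary change, such as booting from a USB drive, confirms whether Secure Boot was switched back on.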

Conclusion

  1. Secure Boot appeared in the computer world relatively recently; this security protocol is a component of UEFI, a modern and current type of motherboard firmware.
  2. The security protocol prevents malware from running at a lower level than conventional antiviruses do. Therefore, if properly configured, this technology can significantly increase the resistance of a PC to viruses.
  3. Secure Boot should be disabled only when necessary: if it prevents the system from starting from a bootable USB flash drive or gets in the way of reinstalling Windows. It is not worth deactivating the technology just as an experiment.
  4. For any computer, the deactivation scheme is the same: set the appropriate option in the right UEFI menu. The main thing is to find the path to that menu. Even with significant difficulties, it will take no more than 10 minutes.
