Secure Boot

Applies To: Windows 8, Windows 8.1

This topic for the IT professional describes Secure Boot, which is a means to validate the boot process as part of the trusted boot integrity design in the Windows operating systems designated in the Applies To list in this topic.

Did you mean…

Feature description

When a computer starts, it starts the process of loading the operating system by locating the bootloader on the computer’s hard drive. If a computer doesn’t support Secure Boot (as is the case with most computers released prior to Windows 8), the computer simply relinquishes control to the bootloader, without determining whether it is a trusted operating system or malware.

Secure Boot is dependent on Unified Extensible Firmware Interface (UEFI), which is a standards-based solution that provides the same functionality as the system BIOS. UEFI also adds security features and other advanced capabilities. Like BIOS, computers start UEFI before any other software, and UEFI then starts the operating system’s bootloader.

When a computer with UEFI and Secure Boot starts, the firmware starts the bootloader only if the bootloader’s signature has maintained integrity and if one of the following conditions is true:

  • The bootloader was signed by a trusted authority that is registered in the UEFI database. In the case of computers that are certified for Windows 8, the Microsoft signature is trusted.

  • The user has added the bootloader’s digital signature to the UEFI database. This allows the user to load non-Microsoft operating systems.

All computers that are x86-based and certified for Windows 8 must meet several requirements related to Secure Boot:

  • They must have Secure Boot enabled by default.

  • They must trust the Microsoft certification authority (CA), and thus any bootloader that Microsoft has signed.

  • They must allow the user to add signatures and hashes to the UEFI database.

  • They must allow the user to completely disable Secure Boot.

How it works

When Secure Boot is activated on a computer or device, the computer or device checks each piece of software, including the UEFI drivers (also known as Option ROMs) and the operating system, against databases of known good signatures that are maintained in the firmware. If each piece of software is valid, the firmware runs the software and the operating system.

Hardware manufacturers (OEMs) must implement Secure Boot configurations on the systems that they manufacture. If there are any incorrect configurations, end users might be prompted with the following watermark on their desktops: "Secure Boot isn't configured correctly." The watermark appears because Secure Boot is disabled, or because a preproduction or debug policy is installed on the device.

For more information about how Secure Boot leverages signature databases and keys, about the watermark, and a description of the boot sequence, see the Secure Boot Overview in the Windows Deployment Options section of the TechNet Library.

Practical applications

Bootkits are the most dangerous form of malware. They start before Windows starts, and they hide between the hardware and the operating system where they are virtually undetectable and have unlimited access to system resources.

Recent implementations of UEFI can run internal integrity checks that verify the firmware’s digital signature before running it. Because only the computer’s hardware manufacturer can control which digital certificates are permitted to create a valid firmware signature, UEFI offers protection from firmware rootkits. Thus, UEFI is the first link in the chain of trust.

With Secure Boot, the computer’s UEFI verifies that the Windows bootloader is secure before loading it. If the bootloader has been modified (for example, if a bootkit is installed) or replaced, Secure Boot will prevent running it.

For more information about UEFI, see UEFI Firmware in the Windows Deployment Options section of the TechNet Library.

New and changed functionality

Windows 8.1 and Windows 8 will only run on certified computers. Certification is based, in part, on UEFI.

Hardware and software requirements

This feature is supported on versions of Windows that are designated in the Applies To list at the beginning of this topic.

For detailed information about requirements regarding boot time, runtime, hibernation state, and the requirements to enable UEFI platforms without a Compatibility Support Module (CSM), see UEFI Requirements: Boot time, Runtime, Hibernation State (S4) in the Windows Deployment Options section of the TechNet Library.

See also

The following table provides links to resources to help you understand and work with Secure Boot.

Content type References

Product evaluation

Windows 8 Security Overview

What is UEFI Firmware?

Planning

UEFI Firmware

Deployment

Windows Deployment Options

Operations

Not available

Troubleshooting

Discussions about Secure Boot (Microsoft Windows)

Tools and settings

BCD System Store Settings for UEFI

Community resources

Discussions about Secure Boot

Answers from Microsoft Support

Enabling Secure Boot After Install (Microsoft Community)

How to disable secure boot (Microsoft Community)

Your pc firmware is not compatible with secure boot (Microsoft Community)

Windows 8 / secure boot / moving from one PC to another (Microsoft Community)

Related technologies

Securing the Windows 8 Boot Process