Making Sure Secure Boot Is Enabled « Giveaway of the Day Forums

Back to Giveaway of the Day

Giveaway of the Day Forums » Technical notes

Making Sure Secure Boot Is Enabled

(4 posts) (2 voices)

Started 2 years ago by mikiem2
Latest reply from gergn

mikiem2
Moderator

Secure Boot tries to make sure that the device BIOS only starts / runs legitimate software, e.g. Windows boot loader. It's not foolproof, but with more malware targeting the BIOS, it may help. The hardware requirements for Windows 11 list "Secure Boot capable", and installing Win11 *may* attempt to turn it on, but like the CPU & TPM requirements, once Win11 is installed, the only time it actually checks is when you open Windows Update, where you may see a message that the device does not meet Win11 requirements. Otherwise Win11 works fine, so enabling Secure Boot is entirely up to you.

Unfortunately there's also a catch -- Secure Boot is turned on/off in the BIOS settings, but the BIOS showing it turned on doesn't mean much at all... I suggest running HWiNFO to make sure -- it's also a handy app in its own right, giving you all sorts of information, whether you need it or are just curious. neowin[.]net/news/hwinfo-716/

If Secure Boot is turned on in the BIOS but not actually enabled, sadly, there's not an easy cure... Google and you'll find that it's not an isolated complaint -- you'll also find reports of people getting it working by more or less blindly fiddling with related BIOS settings. In my case with a Gigabyte motherboard, in the Secure Boot settings I selected custom, restored the factory keys, then again selected standard, rebooting for each change, and it worked, but I've no idea if that would work for anyone else.

Background...
Most reasonably current PCs/laptops use what's called an UEFI BIOS -- it started to appear right about the time Win7 was 1st released [and Win7 didn't like it At All]. Before that the BIOS was hard coded individually for the device motherboard, which is now called Legacy BIOS. UEFI BIOS run a sort of mini version of a Linux-like OS, and because it is an OS, it can be [too easily] hacked, which is THE worst case scenario. When a device [computer] is turned on, the BIOS is the first component that's active. It determines what other components are connected, ties them together, and then starts the OS [operating system software]. Once malware's installed in the BIOS, it can direct the device to do whatever it wants, including running malware completely in memory so that it's pretty much undetectable. It's also hard, may in fact be impossible to remove... the BIOS cannot usually be replaced without replacing the main system board [motherboard], the code to re-flash the firmware is not always available, and re-flashing the BIOS can be risky, since it can brick that main board. It's also at least theoretically possible for an infected BIOS to prevent you from re-flashing it with its original code, e.g. it could prevent booting to a USB stick or optical drive to run the flashing software, &/or turn off the feature in the BIOS settings which allows flashing the BIOS.

Posted 2 years ago #
gergn
Member

You can also use the official Microsoft tool WindowsPCHealthCheckSetup.msi to test for Windows 11 compatibility. The answer to whether or not Secure Boot is enabled, is right on top. Regretfully, Microsoft deems it necessary to provide me with texts in Dutch, that do not match with texts in English in the BIOS menu.

Posted 2 years ago #
mikiem2
Moderator

When it come to the secure boot requirement for Win11, Microsoft's apps & docs tend to be confusing. Searching for & running the PC Health Check app from Taskbar search in Win10, it just tells me that this PC is Secure Boot capable, which is all that Microsoft lists in its Win11 requirements. An article on Windows Central also got it wrong, saying it was required to have secure boot turned on. Windows Security -> Device Security will tell you if Secure Boot is enabled, but it would Not tell me it was turned off (!). You can do a Taskbar search for System Information & select / run the app, and mid-page it will tell you if Secure Boot is on or off, but *to me*, running HWiNFO is much clearer, giving you that information on its main screen, plus it provides all sorts of other info you won't see in the Microsoft app that may be useful.

With this PC I mistakenly thought secure boot was turned on, because that's what it showed in the BIOS settings, & I installed and have been running a copy of Win11 for several months now. I had an Insider copy of Win11 installed since it was 1st available, but figured that was sort of grandfathered in, as none of the hardware requirements were enforced when it was first released. So I went into the BIOS settings, & turned Secure Boot on before upgrading a copy of Win10 to Win11, and never thought about secure boot again. That is until recently when I ran HWiNFO & found out it was off. So I took to Google, finding others have had the same problem, apparently with PCs/laptops bought retail as well as PCs that people assembled. I'm checking our other devices when I use them -- so far all I can report is that with my wife's PC, using an Asus motherboard, turning Secure Boot on worked like it was supposed to.

Posted 2 years ago #
gergn
Member

Thanks for the tip. My 2020 HP Slim Desktop S01-pF0xxx has Secure Boot turned on according to HWiNFO. On my 2017 Medion erazer laptop I had to turn Secure Boot on manually in the BIOS.

Posted 2 years ago #

RSS feed for this topic

Reply

You must log in to post.