Home > Computer Hardware, My tips and tricks > Understanding Windows 8x Secure Boot

Understanding Windows 8x Secure Boot


This past week at work, I installed Windows 8.1 Pro on my workstation. While a lot of people don’t like Windows 8, I’ve long since gotten used to it, and I rather like 8.1’s speed and features. Plus, I need to have it to effectively manage Internet Explorer 10 and 11 on our client machines, which is another story.

I wanted to do a full UEFI install of Windows 8.1, as well as enable Secure Boot for security purposes. However, when I enabled Secure Boot and restarted, I had no graphics output at all. I’d forgotten that my computer’s dedicated graphics card doesn’t support UEFI GOP, so I won’t be able to use Secure Boot while I have that graphics card installed.

I’ve had some experience with UEFI’s Secure Boot feature in the past, but the events of installing 8.1 onto my PC helped solidify a lot of concepts for me. In a nutshell, here’s what I’ve picked up:

  • You need an Intel 7 or 8 series chipset motherboard. The X79 series is also supported past a certain firmware range from what I’ve read. Not sure about AMD based motherboards, as I haven’t used an AMD board in years.
  • Intel 6 series chipset boards are not supported, despite having UEFI.
  • Your hard drive has to be formatted in GPT partition style.
  • Your graphics card needs to support UEFI GOP, or your system will not boot. From what little I can find out, Intel HD 2500, HD 4000 and up on board graphics are supported as well as the Nvidia Geforce 700 series. The Nvidia GTX 680 had a firmware update release that let it work as well, but I haven’t heard anything about the lower end 600 series cards. Again, not sure about AMD cards.

So just to recap the above list – Must be a modern Intel and presumably AMD motherboard of the last 18 months, and your graphics card needs to be compatible. If you don’t have the correct combination, your PC will not boot with Secure Boot enabled. You will have no graphics output on your monitors at all.

Now here’s the next part that makes things so complicated and confusing for people. If your hardware combination doesn’t support Secure Boot, you can turn it off and enable the Compatibility Support Module (CSM) of the motherboard. With the CSM enabled, you’ll be able to use your old graphics card just fine. This enables your newer office/school PC with low end Geforce 210/Geforce 610’s and so on to run.

If you do an UEFI install of Windows 8.1, but leave Secure Boot disabled, you’ll get the following watermark on the desktop:

windows-81-secure-boot-build-9600

Microsoft have released an update which will make this watermark go away. While Secure Boot isn’t working, at least you won’t have this reminder in the corner every time you log in.

As time goes on, more and more discrete graphics cards will properly support UEFI GOP out the box, enabling more computers to have Secure Boot enabled and working correctly. While there has been written a lot of things about Secure Boot, it brings a lot of modern security to a system that has been sorely lacking it in the past.

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: