One of the scenarios that causes problems for many people is secure boot — how to boot from anything other than the computer’s currently installed operating system. Booting from an optical or USB drive can be complicated due to UEFI and secure boot.
I recently went through the process of backing up and restoring an image backup to my Dell Latitude laptop computer, which runs Windows 10 with UEFI and secure boot enabled.
I won’t cover the process step-by-step, since those would be useful only for owners of the exact same model of laptop. Instead, I’ll review what I did at a conceptual level.
Become a Patron of Ask Leo! and go ad-free!
The scenario
My cousin was visiting from overseas, and I planned to make my laptop available to her while she was here. Rather than hand over the laptop configured and tricked out the way I had it, I wanted to give her a clean slate to work from — a fresh install of Windows 10.
After she was done with the laptop, I decided to install Linux and see if I could work with it as my primary operating system instead of either Windows or MacOS (on my Mac laptop). Spoiler: I couldn’t1.
When my Linux tests were over, I restored the backup image I’d started with to the computer, back to my configured and tricked-out laptop.
Here’s what I did, step by step.
Step 1: Make a rescue drive
After downloading and installing the latest free version of EaseUS Todo, I created a rescue drive (also referred to as an “emergency” drive).
Since my laptop has no optical drive, I elected to create it as a bootable USB drive, using a spare 8GB flashdrive I had lying around. It was overkill in terms of capacity, but it’s difficult to find smaller thumb drives these days.
I set the rescue drive aside for use later.
Step 2: Create an image backup
Next, I attached a traditional external USB hard drive and created an image backup of the laptop’s internal drive.
It’s important to note that I did not choose the option to “backup and restore the partitions needed for Windows”. I wanted the entire hard disk to be backed up into the image. The way to do that was to back up by selecting the disk. By selecting the disk, all partitions on the disk, as well as the boot information, would be included in the image.
Along the way, EaseUS reported that one partition would be backed up “sector by sector” instead of by filesystem, as is normal. This happens when the program doesn’t understand the format used within the partition, in which case the only way to back it up is by backing up every sector therein. I suspected one of the administrative or recovery partitions fell into this category, and I let it do its thing.
Step 3: Turn off secure boot
With the rescue drive and a backup in hand, I wanted to test that I could restore that backup if needed before I moved on to the more destructive changes I’d planned. Unfortunately, getting the machine to boot from the USB drive proved to be somewhat challenging.
Several frustrating trial-and-error attempts result in this simple statement: I had to turn off secure boot in order to change the boot order and boot from something other than the installed system.
How you do this varies dramatically based on what computer you have, so I can’t give you explicit steps. In my Dell’s case, it started by pressing F2 while rebooting to enter into the UEFI configuration or “setup” mode. There I had to disable secure boot, enable legacy boot ROMs, and change the boot order to look at USB drives before looking at the internal hard drive.
Step 4: Test the rescue drive
With the boot order issue resolved, I could perform my test. I attempted to boot from the rescue drive, and it worked: the machine booted directly into the copy of EaseUS Todo on that drive.
Besides verifying that the system booted from the rescue drive, I also confirmed that Todo itself could find the external hard drive containing the backup image, and that the backup image itself could be found. I did this by simulating a restore operation and locating the image to restore, stopping before initiating an actual restore.
Being able to boot from your rescue drive and locate the image is critical. If you can’t boot from the rescue drive now, or if you can’t locate the image, you wouldn’t be able to restore your backup image later.
If you run into trouble here, the most common solution is to try a different rescue drive. Most backup software, including EaseUS Todo, offer different types of rescue drives. Often vendors make additional rescue drives available on their web site as well.
Do not proceed further until your test(s) succeed.
Step 5: Install something else
Knowing that I could (probably2) restore my backup image, I went to town. I did a fresh reinstall of Windows 10, did some basic configuration of the machine, and handed it to my cousin for three weeks.
When she returned, I first created a backup image of the machine as she left it. Should we need to recover any files — most notably pictures from her trip — in the future, we could do so from this image.
I then installed Linux Mint from a bootable USB stick, tested that a bit, installed Ubuntu Linux from another bootable USB stick, tested that a bit, and eventually made my decision to revert to my originally installed Windows 10.
But as you can see, the machine was well and truly “played with” in the interim. At least one fresh install of Windows and two installed variants of Linux not only worked (yay!), but naturally overwrote anything I had on that disk earlier.
Step 6: Restore the image backup
To restore my laptop to its pre-cousin state, I once again booted from the rescue disk from Step 1.
This time, I went through the entire process of restoring the image of the originally backed up system. Some hours later, the process was done. I removed the emergency drive, rebooted, and … it didn’t work.
No Boot Device Found. Press any key to reboot the machine
I had forgotten a step.
Step 7: Turn secure boot back on
In Step 3, I had disabled secure boot so the computer would recognize and boot from the USB rescue drive. Since I had restored the image of the operating system configured with secure boot on, I had to change that setting once again. It’s almost as if secure boot and non-secure boot live in two different worlds.
Again, your procedure will likely be different, but for me, it meant pressing F2 at boot time, entering UEFI setup, disabling legacy ROMS and legacy boot, and re-enabling secure boot.
This time, Windows 10 booted without incident. I logged back on and the system began what it considered a long-overdue anti-malware scan, as well as update checks and weeks of downloads for much of the installed software, including Windows itself.
All was well with the world — or at least this particular laptop — once again.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
I successfully switched to Linux for six months. What drove me back to Windows 10 was One Drive. When I realized I had 1 TB included in my Office 365, I stopped paying for OneDrive and Linux became a no go. Obviously, Microsoft doesn’t want people using Linux. Hopefully someone will come up with a Linux interface.
Thanks,
Secure boot might be wonderful but it sure makes booting to USB and/or ext drive very difficult. I was stuck and had to call Dell TS and they were confused, asking, “Why would you want to boot to another drive”? Three techs later, found one with the answer. Dell seems proud they intentionally made this difficult, calling it a safety feature!
After disabling Secure Boot in order to configure USB or CD drive as first boot priority, and then perhaps running rescue media, would you recommend
not leaving the external media as first boot option?
On my 2 PC’s, I have left the UEFI in external device boot as first priority.
I suppose in an uncontrolled environment this could be dangerous.
I am the only one where my computers are being used. So maybe in my case it is OK?
Thanks for your excellent articles. I run to your Archives all the time
As you say, it does mean that someone could walk up and reboot your computer from something else for their purposes.
Most commonly, though, people leave external drives connected, and occasionally the boot-loader will mistake their presence and try to boot from them and come to a stop and fail because there’s no operating system on them. This varies from machine to machine, though.