Transcript
Why, UEFI? Hi, everyone! Leo Notenboom for askleo.com. One of the really common frustrations I hear from people is their attempt to reboot their computer from something other than its internal hard disk – CD or DVD or more recently, USB sticks.
The issue is with newer machines that come with what’s called the UEFI BIOS replacement. Technically, it’s just UEFI, but I think everybody more or less refers to it as the UEFI BIOS. BIOS is the software that is actually running on your machine the instant you turn it on. It’s the software that is in charge of starting the thing up: booting the machine, knowing how to load the initial operating system, and so on.
UEFI is a replacement for the original BIOS that’s been with us for probably a quarter of a century. UEFI allows the manufacturers to take more advantage of the capabilities of their machine; capabilities that just didn’t exist 25 years ago. So, one of the things that they’ve done, actually, a couple of the things that they’ve done, have been to increase the security associated with rebooting your machine.
It boils down to a couple of different problems. The most interesting problem, the most risky problem if you want to call it that is that with an older BIOS, or with a UEFI configured to run in what’s called “Legacy” mode to mimic the behavior of an older BIOS, anybody can walk up to your computer, turn it off, insert a USB stick, CD, or DVD, reboot it and then have complete control over your machine.
In other words, physical presence is all they need to be able to access pretty much anything on your machine through one means or another. What UEFI does is, it restricts what happens when you reboot your machine. You may notice that on newer machines that come with things like Windows 8 or Windows 10, the process to get into the BIOS, the process to get into the different settings that may be present in the UEFI is different. You don’t do it by holding down a key when you reboot the machine.
Instead, you actually have to boot the machine into Windows, and then, using the Windows Settings app, have it reboot into whatever configuration interface your manufacturer provides. The reason that’s done is that it ensures that only people who actually have administrative access to the machine can, in fact, reboot into the UEFI configuration.
Somebody can’t just walk up to your machine and do things like change the boot order. By restricting UEFI access to going through this path where you have to go through Windows or the installed operating system in order to be able to see those settings, you’ve basically increased the security of the machine.
One of the other settings that comes into play is this thing called Secure Boot. What that does is, it prevents you from booting into something that isn’t authorized, if you will. Something that isn’t an official signed, allowed copy of an operating system.
Now, many people think this is a Windows thing, that Microsoft is behind all of this, but that’s not the case. Secure Boot is actually implemented by the hardware manufacturers, in the UEFI BIOS that ships in all of these machines. It has nothing to do with Windows specifically; Windows just happens to be one of the operating systems that conforms to this specification.
It does mean that when it comes time to reboot your machine, if secure boot is turned on, it won’t boot from just anything. It will actually only boot from things that it is allowed to boot from, which means you can’t just download a random operating system from the internet and expect your machine to boot into it if secure boot is turned on.
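To make the "only boot from things it is allowed to boot from" rule concrete, here is a simplified model of the admission decision a UEFI firmware makes at startup. This is an added example for this page, not code from Ask Leo! or from any firmware vendor. It assumes a firmware that keeps an authorized-image database (`db`) and a revoked-image database (`dbx`) holding SHA-256 hashes; real firmware also stores X.509 certificates there and verifies Authenticode signatures on the PE/COFF EFI image, which this model omits so that it runs on the standard library alone. The sample "boot images" are constructed byte strings.

```python
"""Simplified model of the UEFI Secure Boot admission decision.

Added example for this page, not code from Ask Leo! or from any firmware
vendor. Real firmware stores X.509 certificates as well as SHA-256 hashes
in its signature databases and checks Authenticode signatures on PE/COFF
EFI images; this model keeps only the hash entries (which the specification
does permit) so that it runs on the standard library alone.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Firmware:
    """The state a UEFI firmware consults when asked to start a boot image."""
    secure_boot: bool = True
    db: Set[str] = field(default_factory=set)   # authorized image hashes
    dbx: Set[str] = field(default_factory=set)  # revoked image hashes

    def admit(self, image: bytes) -> Tuple[bool, str]:
        """Return (allowed, reason) for an image offered at startup."""
        if not self.secure_boot:
            # The Legacy / Secure-Boot-off behaviour the transcript describes:
            # whatever is on the USB stick or DVD simply runs.
            return True, "secure boot off: image not verified"
        digest = sha256_hex(image)
        # Revocation wins: an entry that is also still in db must not boot.
        if digest in self.dbx:
            return False, f"{digest[:12]}: revoked (dbx)"
        if digest in self.db:
            return True, f"{digest[:12]}: authorized (db)"
        return False, f"{digest[:12]}: unknown, not in db"


# Constructed stand-ins for boot images; real ones are signed EFI applications.
VENDOR_LOADER = b"EFI-APP vendor bootloader v2 (constructed sample)"
OLD_LOADER = b"EFI-APP vendor bootloader v1 (constructed sample)"
RANDOM_IMAGE = b"EFI-APP live image downloaded from somewhere (constructed)"


def build_firmware(secure_boot: bool = True) -> Firmware:
    """Firmware that once trusted both vendor loaders but has since revoked v1."""
    return Firmware(
        secure_boot=secure_boot,
        db={sha256_hex(VENDOR_LOADER), sha256_hex(OLD_LOADER)},
        dbx={sha256_hex(OLD_LOADER)},
    )


def boot_attempts(secure_boot: bool = True) -> Dict[str, Tuple[bool, str]]:
    """Offer each sample image and report whether the firmware would start it."""
    fw = build_firmware(secure_boot)
    samples = {"vendor v2": VENDOR_LOADER, "vendor v1": OLD_LOADER, "random": RANDOM_IMAGE}
    return {name: fw.admit(img) for name, img in samples.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"Secure Boot {'on' if mode else 'off'}:")
        for name, (ok, why) in boot_attempts(mode).items():
            print(f"  {name:10} -> {'BOOT' if ok else 'DENY'}  {why}")
```

With Secure Boot on, only the current vendor loader starts: the older loader is refused even though its hash is still in `db`, because `dbx` is consulted first, and the downloaded image is refused because nothing vouches for it. With Secure Boot off all three start, which is exactly the "drive-by reboot" exposure the transcript describes.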
So, unfortunately, what most people then ask is, “Great, how do I turn secure boot off? How do I return my machine to a configuration that allows me to do the things I need to do to that machine?” The answer, as is so often the case, is: it depends. You may not be able to. That’s the situation I’m in, as far as I can tell, with my original Microsoft Surface Pro.1
For the life of me, I cannot get it to boot from anything other than its internal hard disk. The UEFI BIOS is configured for this secure boot mode. It is configured in such a way that I do not have access to the actual UEFI settings and that’s a choice that the computer manufacturer (Microsoft in this case) happened to make.
That’s the way that machine works. If that machine’s hard disk fails, to be honest, I’m not sure what I’ll do. In other cases, it depends, again, on exactly the permissions that your computer manufacturer has given you. You would start with the settings app, but where you go will depend on exactly what your computer manufacturer has allowed for and pre-configured.
Even then, when you reboot into the UEFI settings, UEFI, like the BIOS before it, varies from machine to machine and from manufacturer to manufacturer. It’s incredibly capable. There are many things you can do with it, but exactly which UEFI implementation is used by your computer manufacturer will vary.
What that really boils down to, the bottom line here is that I can’t tell you for your machine exactly what steps you need to take to undo or to go back to a legacy type scenario or to a not secure boot scenario. You need to check with the documentation that came with your computer or you need to check with the computer manufacturer to find out what capabilities are available to you, and then exactly what steps you need to take to make the configuration changes that will allow you to do what you want.
So, UEFI, it really is all about protecting you from random, what I’ll call “drive-by reboots” where someone can just walk up to your machine and take control by rebooting it randomly into whatever they happen to have in their pocket.
Is that a good thing? In some environments it is. In home environments – maybe not so much. It’s hard to say. What do you do? How do you react to all of this security that’s being implemented by UEFI? Is it an issue for you? If it is an issue for you, how have you been working around it? Have you been working around it? Let me know.
As always, here’s a link to this article posted on Ask Leo! That’s where all the comments are read; that’s where all the comments are moderated. I’d love to hear your experience with UEFI. Again, until next time, I’m Leo Notenboom for askleo.com. Remember, stay safe, have fun, and don’t forget to back up. I’ll see you again next week. Take care.
Hey, if you found this video valuable, I could use your support. Visit patreon.com/askleo (ed: askleo.com/patron) and pledge a couple of bucks a month or more depending on what kind of a reward you like. Yep, there’s rewards associated with it and what it will allow me to do is to focus on creating more valuable content like the video you just saw. Regardless of whether you do or not, thanks again for watching. I’m Leo Notenboom for askleo.com.
Footnotes & References
1: Since this was originally written that machine has been taken out of service and recycled, but I never did get it to boot from anything other than its own internal hard disk. Fortunately I never had a failure that would have required I be able to do anything else. (The machine’s battery was its final downfall.)
Interesting, but we are starting to feel the impact of this. In theory, this is NOT a Microsoft thing, but it is. Microsoft originally stated that UEFI firmware should have a way to disable Secure Boot. They have changed their tune, and manufacturers have been told if they allow secure boot to be disabled, they won’t qualify for inexpensive OEM versions of the Windows operating system. I run Windows on many machines at home, but I have to run Linux on at least 3 machines. My wife’s laptop (that absolutely must run Linux for her job) was old enough that it still had the option to disable secure boot.
“For the life of me, I cannot get it to boot from anything other than its internal hard disk.” – I assume you’ve tried this?
http://www.microsoft.com/surface/en-ca/support/storage-files-and-folders/boot-surface-from-usb-recovery-device?os=windows-10&=undefined
It would be nice if he’d at least acknowledge your comment, eh?
Hey leo! Don’t be rude.
I acknowledge lots of Ray’s comments. I haven’t gotten around to trying the provided link. (And the machine in question is now very low on my list of priorities … it sits quietly in a corner just doing its job.)
How does UEFI affect backups? There doesn’t seem to be much point in doing an image backup if UEFI prevents the rescue disc being used.
That’s one thing which concerns me too. I think I could work around it, but not without another computer and some disk swapping. A process not for the average user.
It’s definitely something you want to test and/or understand about your machine. Understanding how – or even if – you can boot from a CD/DVD is critical come recovery time. (Most backup programs have properly signed / authorized rescue media.)
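The "test and/or understand your machine" advice above starts with knowing what the firmware will currently enforce. Here is an added example, not code from Ask Leo! or from any backup vendor, that reads that state the way recovery planning needs it. It assumes a UEFI machine running Linux, where the kernel exposes each firmware variable under `/sys/firmware/efi/efivars` as `<Name>-<VendorGUID>` with a 4-byte attribute word followed by the variable data; `SecureBoot` and `SetupMode` are one-byte variables under the EFI global variable GUID. On Windows the same answer comes from the PowerShell cmdlet `Confirm-SecureBootUEFI` or the "Secure Boot State" line in `msinfo32`. The sample variable contents at the bottom are constructed so the interpretation can be exercised on any machine.

```python
"""Check the firmware's Secure Boot state before trusting rescue media.

Added example for this page, not code from Ask Leo! or a backup vendor.
Assumes Linux on a UEFI system: efivars files carry a 4-byte attribute
word and then the data; SecureBoot and SetupMode hold a single byte.
"""
from pathlib import Path
from typing import Optional, Tuple

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def efivar_data_byte(blob: bytes) -> int:
    """Return the first data byte of an efivars file, skipping the attributes."""
    if len(blob) < 5:
        raise ValueError(f"efivar too short: {len(blob)} bytes")
    return blob[4]


def secure_boot_state(secure_boot: bytes, setup_mode: bytes) -> str:
    """Classify the two variables into the three states that matter for recovery."""
    sb = efivar_data_byte(secure_boot)
    sm = efivar_data_byte(setup_mode)
    if sm == 1:
        return "setup-mode"   # no Platform Key enrolled: enforcement impossible
    if sb == 1:
        return "enforcing"    # only images the firmware's db authorizes will boot
    return "disabled"         # keys enrolled, but enforcement switched off


def read_live_state() -> Optional[str]:
    """Read the real variables; None means this is not a UEFI Linux system."""
    sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    sm = EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}"
    if not (sb.is_file() and sm.is_file()):
        return None
    return secure_boot_state(sb.read_bytes(), sm.read_bytes())


ADVICE = {
    "enforcing": "rescue media must carry a bootloader signed by a key the firmware "
                 "trusts (most backup programs ship such media); test it now",
    "disabled": "any bootable rescue media will start; still test it",
    "setup-mode": "no owner keys are enrolled; rescue media will start but the "
                  "machine is not protected against drive-by reboots",
}


def recovery_advice(state: str) -> str:
    return ADVICE[state]


# Constructed sample contents: attributes 0x00000006 (boot-service + runtime
# access, little-endian) followed by the one data byte.
ATTRS = (6).to_bytes(4, "little")
ENFORCING: Tuple[bytes, bytes] = (ATTRS + b"\x01", ATTRS + b"\x00")  # SecureBoot=1, SetupMode=0
DISABLED: Tuple[bytes, bytes] = (ATTRS + b"\x00", ATTRS + b"\x00")   # SecureBoot=0, SetupMode=0
SETUP: Tuple[bytes, bytes] = (ATTRS + b"\x00", ATTRS + b"\x01")      # SecureBoot=0, SetupMode=1


if __name__ == "__main__":
    live = read_live_state()
    if live is None:
        print("no efivars found; showing the constructed samples instead")
        for label, (sb, sm) in {"enforcing": ENFORCING, "disabled": DISABLED, "setup": SETUP}.items():
            state = secure_boot_state(sb, sm)
            print(f"{label:>10}: {state} -> {recovery_advice(state)}")
    else:
        print(f"this machine: {live} -> {recovery_advice(live)}")
```

Run it once on the machine you intend to recover; if it reports `enforcing`, boot the rescue media once now, while the internal disk still works, rather than discovering at recovery time that the firmware refuses it.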
One thing I don’t understand about Secure Boot is why it exists. On older BIOS systems, the user could set a BIOS password. A password either to restrict access to the machine or to restrict access to changing the BIOS settings which included changing the boot order. This in itself caused some problems as I’ve seen many questions from people about forgotten passwords or second hand machines.
I can understand the need to update the process, 25 year old firmware definitely does not do justice to the capabilities of modern machines, but the older BIOS system had the potential to be just as secure. The main difference now is that it defaults to secure boot, but as Leo said, for most home users, that might not be what people want. And if you don’t disable Secure Boot when your computer is able to run, you won’t be able to use a bootable rescue disk to restore your computer to working order in case of a disk failure or damage. This would apply to backups as well as reinstalling your OS through installation media.
Additionally, unless you use encryption, someone can still walk up to your computer, take the drive out and access the files via another computer.
Setting the BIOS password was not very effective except to keep average users out. Any tech worth a hoot is capable of moving a jumper on the mainboard to reset the BIOS to default settings, eliminating the password requirement. Getting into or resetting UEFI settings is a whole lot more problematic, and differs from manufacturer to manufacturer.
Some BIOS passwords can’t be reset, and in any case if you can get to the hard drive physically, both with UEFI or BIOS, you can take it out and access the data by placing it in a USB adapter or in another computer. Hard drive encryption is much more effective than Secure Boot or a BIOS password.
http://ask-leo.com/i_forgot_my_bios_password_how_do_i_get_into_my_machine.html
Actually not all motherboards have those jumpers. I’ve heard from several people permanently locked out of a computer because there’s a BIOS password they don’t know and no way to reset it.
I have found that a BIOS password can be reset, without a $250.00 payment to Toshiba in this case, by shorting two points on the motherboard while booting up. The password is stored in “flash memory” and can only be reset by running the BIOS with the two points shorted, which directs the BIOS to erase the password. (TRUE: Toshiba wanted $250.00 to perform this operation, and would not even give Staples (their vendor) the information. The Laptop was purchased new for $450.) Note that the two points are accessible without removing the RAM, since the BIOS needs to run to accomplish the reset.
Note also that this may or may not apply to other manufacturers, or even different models from the same manufacturer. This is HIGHLY hardware dependent.
If the BIOS is password protected, no one can change the boot sequence. Anyone can still pull the drive out and access all the data with BIOS or UEFI, therefore both are pretty weak layers of protection.
I set my Optiplex 7010 to boot to UEFI, turned on secure boot, turned off legacy, and installed the OS on an SSD drive. From what you are saying, Mark Jacobs, I will not be able to go back to regular boot? You stated:
“And if you don’t disable Secure Boot when your computer is able to run, you won’t be able to use a bootable rescue disk to restore your computer to working order in case of a disk failure or damage.”
I’m pretty sure I could do a disk wipe, put the settings in the CMOS back to legacy boot, and install the OS with MBR? Or are we seeing motherboards now with BIOS that won’t allow a move back to legacy even if a full disk wipe is performed?
My 7010 did set up the OS with EFI and secure boot. It worked. My video card, a GTX 520 that ran my 50″ TV nicely, would no longer work. After 2 weeks of research on this UEFI I am convinced that for small biz and home users you’re best off not using UEFI or secure boot. I have a website that tells all about how to maintain computers with a method of HD cloning and imaging. Although Windows will do a repair install if the system files become corrupt, at times it is difficult to convince people of the need to do HD imaging, so I made this website for my consulting business. I suppose if Leo wishes he can post my website. A computer that you can not restore the OS on is useless. Computers are good at keeping track of things. They are like a haystack and they can get messed up. If a computer will not keep track of its own self you know for sure something is not right. It’s up to us as consumers to be sure our systems can keep track of their own selves, and it’s up to us consumers to be sure to only purchase computers that will do so. If it does not, you will be suffering with a slow and cumbersome time suck unless you put it in the landfill. Sorry, but planned obsolescence is just not going to work forever. Manufacturers need to create newer and better rather than allow the corporate machine to have its planned-obsolescence way. Hopefully one day we can all feel as though we are on the same team. Never buy a car with a combination lock on the hood that the manufacturer can change without notice! Not allowing us to clone our hard drives is no different.
You can build your own computer, so you get full control of the UEFI / BIOS. But everyone can not or will not, so it’s a problem if you have to do a clean re-installation or need to use any other os.
The backups I’ve been doing are basically a waste of time (and money) since I can’t get the computer to boot from them.
Two points re booting from and reinstalling from backups. (1) SURELY Microsoft’s own backup will have been crafted to get round the UEFI boot problem, and maybe that is one reason for biting the bullet and using their backup? (2) There’s nothing I’ve seen from Acronis (the backup I use) in connection with this issue, so is it in fact a problem? Does Jerry’s boot problem have another cause?
Hardly a waste. Worst case you can use them to retrieve files – that doesn’t require a reboot. But definitely contact your computer manufacturer to see how to reboot from something other than the internal hard drive.
Often, UEFI will lock an hd if it is the system disk, and is not booting from it. This lock can take several forms such as forcing read-only mounts, switching the frozen flag, etc.. hdparm takes out the freeze (or doing a quick suspend/resume), and if you can switch on UEFI option for setup mode (AND disabling secure boot) or clear tpm (back up a tpm dump first)…
Some UEFI even caches the ‘registered’ boot EFI image (will boot without any disks.. I suppose this is the basis for secure boot, along with signatures…)
I used Acronis 2013 to make an image of my drive. Somehow the drive was converted to GPT. I pulled the drive out of the machine and restored the OS with an MBR on it. It would not boot, BUT I was able to make it boot after putting my Windows 7 install disk in, and it fixed the MBR restore to match the new UEFI settings.
As a self-employed computer repair guy who works out of his spare bedroom, secure boot is SUCH a pain in the a***! It is an absolute nightmare and a complete waste of time (as in a literal time waster when I should be productive). Whenever I get a machine in to work on, the very first thing I always do is to make a complete disk image using something like Macrium Reflect or Clonezilla, which I used to do in situ. Now, I either have to go through a long-winded, time-wasting process of booting into Windows > Recovery > Advanced Startup > Reboot to get into UEFI > alter settings and finally, I can boot from something else such as Macrium, Clonezilla, or even a Linux Live disc. Alternatively, I have to start removing the hard drive from the suspect computer and slave it to one of my bench machines to image it.
Secure boot was obviously designed/invented by some numpty who has never had to repair a computer before and I would happily show him/her the error of their ways if the opportunity ever came to pass! :-)
Sorry, I hit the ‘post comment’ button before I’d finished.
I just wanted to say, plus all the bootable tools I have on various discs/USB flash drives etc. Secure boot has made life hell for technicians.
There you go, rant over :-D
I concur with these comments.
I believe that UEFI and Secure Boot should be a purchased option, so that the buyer has to pay to get his computer locked up by the vendor.
Firstly spot-on video Leo.
I fully concur with Herbie’s comments.
I’m going in circles trying to upgrade the HDD to a hybrid drive on a Lenovo laptop, continually swapping the cloned new drive with the old drive. An added complication is that the Acronis TI clone won’t boot because it is a dynamic partition, and Acronis’ recommended procedure when installing a dynamic partition is to use a backup to restore from, but since the laptop has UEFI it has to boot from the new drive without an OS, doesn’t it? Catch 22.
I have a car I will sell you with a combination lock on the hood, and for your protection I will change it for you without notice. But don’t worry, I have another car I’m happy to sell you if you throw that one in the landfill. Or if you want you can play with the combination lock for a few days if you want to; I’ll give you the first 2 numbers. But I may change it at some point (for your security). We would not want anyone getting under your hood now, would we!
UEFI, put on by manufacturers, is great for selling new machines to replace the one you can’t easily or cheaply fix by rebooting to USB.
It should at least be disabled by default. If a corporation wants to set it they can, and set their own password to access it.
This is all done wrong at the expense of the individual user.
It’s a bit like having a portable safe. If I have physical access to the computer, I can just take it with me, then remove the hard drive and move it to another computer to access the data.
All the reasonable security we need can be implemented with a protected mode switch on the motherboard. In protected mode, you can’t alter the BIOS config (including boot sequence). Throw the switch and you can change anything. For every day operation, leave it protected so you don’t accidentally alter the config or boot from an infected device. if things are going wrong, flip the switch and get the computer back on its feet. It’s up to you to provide active malware protection by only booting from known good sources.
UEFI seems to have more benefits for Microsoft (by allowing configurations that only will boot from Windows) than it has for the end users. While in theory UEFI can be used to let older computers interface with newer technologies, I don’t see the hw manufacturers spending resources on such activities.
My guess is that in the end, UEFI will prevent more users from doing legitimate things than it prevents instances of malware.
Thanks for explaining, BUT… the point is that many manufacturers do not indicate the way we can make backups and an emergency CD so as to be sure to succeed in booting in case the usual boot (from the internal HD) doesn’t work!!!
I have an ASUS UEFI laptop and W8.1.
I’ve made a USB backup which should give me the way to re-initialise my system, but I cannot be told how I could save my actual system….
Hi Leo, Thanks for the UEFI article. I have been reading articles related to changing the boot sequence. This is the first article that directly relates to UEFI. I shall re-read the comments after I send this.
you may also be interested in this article, in the which we find that recently perhaps the Microsoft “golden key” has been compromised: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot_criticism
Then there’s this guy who quotes sources as saying that the newer BIOSes and UEFI are actually making remote hacking easier: https://www.schneier.com/blog/archives/2015/03/bios_hacking.html
my conclusion for my environment: I’m not going to get stressed out when windows 10 and newer computers order me to turn UEFI on (if I don’t want to).
Now I am totally confused. Why would someone want to unsecure their computer? If the hard drive fails and secure boot was not disabled before the death of the hard drive, that means: ?????? All I know is that I wouldn’t want someone coming in my house and getting into my computer. But the fact is that banks can be robbed, safes can be cracked. Emails can be hacked and no one is safe!!! Why have a computer at all? Or should I say: Don’t possess things that other people could want. I think I like my Windows 8.1 computer the way it is. I have Cloud storage; I have an external hard drive; and my personal files are password locked. I don’t care to go any further into technology than that. It is enough to give anyone a headache.
I called Dell to ask them how to disable Secure Boot. Their attitude was, “Why would you want to do that?” I found the answer via Google. Dell either would not or could not tell me how. Second, it’s amazing how many people have backups but never test to see if they actually work. Unless they disable Secure Boot, the backup probably will not work.
Ever since Microsoft has been doing things to protect my computer, the only person it has ever kept out is ME. It reminds me of when car alarms first became popular and everyone was installing them in their cars, the only people who ever set them off (and annoyed the neighbors) was the owner, usually late night or early morning.
It seems strange to me that when I buy something for personal use, I have no say as to these “features” that I don’t want or need, and that do nothing but cause problems for me. Everything is decided for you whether it’s problematic for you or not.
Microsoft and computer manufacturers needs to learn the meaning of “Optional”.
What Microsoft and computer manufacturers do know is the meaning of the phrase ‘more money’. Every computer that ‘stops working’ due to UEFI or any other ‘security’ scheme is yet another computer and OS that has to be (unnecessarily) purchased. Which means ‘more money’ in their pockets, less in yours. As well, this forces users to ‘upgrade’ to the newer OS’s which also seem to have a lot of security ‘features’ that IMO only seem to exert more and more control the average users’ computer experience, all in the name of security.
They consider we use a computer too long. Or the technicians don’t have enough to do.
I hope when I have to replace my motherboard, I still will be able to boot into any OS I like.
I’m surprised someone else has not responded to say it “is” possible to get around the UEFI security. So let me be the first. A friend has a 2014 ASUS laptop without the internal CD/DVD drive. I created an image using Macrium Reflect (thanks for the suggestion, Leo) to an external hard drive and a REFLECT Rescue disc using an external CD/DVD drive. For this ASUS, I had to contact their service hotline to get the procedure since Googling yielded nothing. Wanting to be prepared for a hard drive crash I knew I did not want to have to set things up within Windows for a DVD boot, I have also been successful at getting around this problem with my HP Pavilion Elite HPE-380t desktop, my wife’s DELL Inspiron 3847 Desktop and my Microsoft Surface Pro. All of these came with the UEFI BIOS. I’d be happy to share those procedures also, if there is any interest. No two are the same.
Here is the procedure they gave me for the ASUS and I can tell you I have tried it and it worked without a hitch.
1. Plug in the External Hard Drive containing Image File(s).
2. Plug in the External DVD Drive and insert REFLECT Rescue Disc. [Remember…this laptop has no DVD drive]
3. Power the computer off.
4. Disconnect the charger from the computer.
5. Press and hold the power button for 30 seconds or until you hear a click.
6. Release Power button and plug the charger back in.
7. Begin tapping F2 repeatedly and continue tapping while pressing and releasing the power button. Keep tapping until the BIOS screen appears.
8. In the BIOS, using arrow key, go to “BOOT”.
9. Go down to UEFI: [ext drive info] and press, together, shift and + to move it up to Option 1.
10. Press F10 to exit and save.
Your computer should reboot and load the Macrium REFLECT program from the DVD.
Once in the Macrium REFLECT program, click restore and follow prompts for accessing your external hard drive and selecting the image file you want to restore to your computer.
I can’t quite see the reason for disconnecting the external power supply, but hey – every manufacturer has its own way of doing things, and if that what is needed for the ASUS then so be it.
There are a number of YouTube videos that purport to demonstrate how to disable secure boot; such as:
https://www.youtube.com/watch?v=kydSQS9pZbc
https://www.youtube.com/watch?v=WWGlJVV3djw
I don’t know if I want to follow the instructions of a mumbler who can’t understand that holding a phone/camera in one hand while typing with the other is unlikely to result in an intelligible performance, but you may be more generous !
My take on all of this is
1) as a home user, the likelihood of someone wanting to surreptitiously access my PC is comfortably low, but the chances of its hard drive eventually dying of old age are uncomfortably high.
2) the time to do something about it is now, before I NEED to be able to boot from something else
3) but it’s not so urgent that I need to do it BEFORE I have backed up everything – just in case my reconfiguration results in the PC being unable to boot from ANYTHING in future
Hi Leo, I actually implemented secure boot on my machine by adding a TPM chip. I absolutely love the UEFI BIOS. Thanks for asking and thanks for the video. God bless.
Microsoft is evil. Microsoft is evil. Microsoft is evil.
They are no longer preventing usable updates to the software that you are required to have on your computer.
You either install all updates or no updates.
Now, they are doing their best to prevent you from using a competitor operating system, which is illegal.
If I manufacture soap, I cannot manufacture a dishwasher that has a chip in it that checks to confirm that I am using soap bought from my company before it washes my dishes. That violates antitrust laws.
Certainly UEFI is legal if they give you the option to turn off this extra security, though it may be illegal to have the security on as the default. If you cannot turn off the extra security, it is illegal. Even if you can turn off the security, if they do not clearly tell you how to do it, that violates antitrust.
Instead of discussing the advantages of UEFI, which, for practical purposes, do not exist for home users, someone should be filing a class action lawsuit against Microsoft.
They know that, by implementing this new type of boot system, a significant percentage of users will replace their computer when something goes wrong, where, with a legitimate boot system, all they would need is to use some other disk to reboot their machine so that they could fix the problem.
This is not your typical case of discussing the pros and cons of an issue.
This is about recognizing that Microsoft is trying to control the world. This is serious. The entire world revolves around computers. To the extent that you can control computers, you can control the world.
Microsoft must be stopped.
Oh, and, did I mention that Microsoft is evil?
It is not Microsoft who created UEFI. Intel created it.
As a home user I want to disable UEFI quickly and easily. If someone gains access to my home computer, they’ve also got access to my worldly belongings like jewelry, stereo, camera, silverware, clothing, sporting goods, checkbook, credit cards, medications, furniture, etc etc. etc. Having UEFI secure my computer would be the least of my worries. Microsoft and all computer manufacturers need to let consumers decide how, when or if UEFI is enabled. Consumers should have the absolute right to opt in. Not go through a laundry list of steps to maybe disable UEFI.
You can’t disable UEFI, it is the firmware needed to boot up your computer. What I believe you mean is disable the Secure Boot feature of UEFI. This may seem like being picky over semantics, but using the correct terminology can be important in getting help with your computer problems.
I do agree with you over not needing Safe Boot protection. If someone steals your computer, all they have to do is remove the hard drive to get access to all of your data if it is not encrypted.
Strange as it may sound, if you are someone who actually knows about computer technology, here’s the thing: it’s putting the reins, so to speak, on various others as to “What they can do, or what they cannot do”, and perhaps keeping tabs on them trying to change anything on their PC or usage of it.
Or I should say : “Preventing them from using software that Microsoft can’t take notes on”. And not : as you say, if you don’t buy a Digital Certificate from Microsoft then you can forget your software running on another’s PC if it requires a DRIVER BEING INSTALLED, but even worse it will crash the System and put the person’s system in repair mode if they try to do so without a digital signed certificate driver software.
Really makes a lot of software makers look bad. It used to be : “Anyone could write and code software for a PC, or Windows, Let the user DECIDE FOR THEMSELVES”, but now using Windows 10 it is according to Microsoft and their ASSOCIATES, AND YES MICROSOFT IS CONTROLLING WHO RUNS THEIR OPERATING SYSTEM NOW THEN : “You’d better pay us/microsoft to get a digital certificate or we will black list you, and if you don’t we still force people to use UEFI to where they have ::::: “NO CHOICE” but to bow down……….
At first I thought Windows 10 was great. But, I have noticed when restarting my PC as of late taking a long time, as though it’s either taking notes to relay later once an online connection happens or it’s sending that information.
The boot time on my NEW PC keeps taking forever to restart, I’m not a noob, I know about the start time selection OS stuff and other boot option.
What is going on there LEO? Is the boot scrubbing the hard drive to scrub its tracks with Microsoft’s intrusive spying? Or what’s up with the timing and such things, am I being followed with cookies and stuff and redirected based on my political opinions?
If you’re going to talk like you know so much, first you need to get ALL OF THE FACTS as to what’s going on.
If you watch the NEWS and how Wiki Leaks keeps releasing the DNC getting hacked, it makes you wonder just how secure Windows 10 is and WHAT INFORMATION THEY ARE GATHERING FOR THEMSELVES……………. It’s a SERIOUS ISSUE………
What do you think LEO?
I don’t know whether Leo will respond to Bob’s comments, but I can observe that the long startup and shutdown times for Win10 are directly related to, and usually caused by, the massive updates they have pushed lately. And I noticed just recently that I can’t even specify a time to restart. Windows restarts after updates whenever it darn well wants to, and the option to control restart times is permanently grayed out. This evidently was caused by one of their “improvements.” As a result, I get reboots unexpectedly and I lose work as a result.
About UEFI, the above problems haven’t arisen for me because I always build my own desktops, and my Dell laptop thankfully has a conventional BIOS. The biggest problem I have had with machines with UEFI is that I can’t find a way to specify which hard drive to boot from. The legacy BIOSes had a “choose boot sequence” plus an option to place the hard drives in whatever order you wanted in that sequence. UEFI BIOSes that I have give exactly one choice of a hard drive and it’s chosen by the BIOS. If I change boot drives, in a multi-HD machine I have to unplug all the drives except the one I want to boot from, boot from that (since it’s the only choice it has then), replace the other drives and hope the BIOS remembers to boot from that same drive. Sometimes it does, sometimes not, and I never know why, or how it determines what to boot from. In some BIOSes you can hold down a key during boot to get a “boot menu,” but it just lets one choose a boot drive for that one restart, not permanently. Googling and asking Leo about this in the past has produced zero results. It has gotten to the point that I don’t buy a motherboard with UEFI if I can possibly help it.
A few observations: First, MS and Intel do give you a choice to have some level of control over UEFI settings – all you have to do is pay more money and buy a high end computer with a “professional/enterprise” version of the OS. That’s not to say that the settings will be easy to change or that MS won’t reset them with every update, but at least you can feel good that you have some “control”.
Second, the notion that one reason for UEFI was for better computer security is hogwash. The fact is that code (software) can be executed directly under UEFI, bypassing the OS and not even waiting for the OS to boot. If some hacker hasn't already figured out how to exploit this, it's only a matter of time. This suggests that your malware scanner running in the OS can become irrelevant, but you'll happily pay for new UEFI malware scanners.
Third, there is one technically viable (good) aspect of UEFI design that, if implemented, can streamline the mess of dealing with device drivers in the OS. The UEFI concept can provide an interface layer between the OS and hardware, so that device-specific drivers would be provided by the hardware manufacturer and the OS interfaces with the UEFI using a standardized protocol that's not dependent on machine devices. Of course, this also means that the H/W manufacturer can control what devices you can connect to your computer. It also means that device manufacturers must pay the computer manufacturer if they want their products to be compatible. As you might expect, this device interface concept will take years to implement uniformly and in the meantime you're likely to have a new mess in dealing with device drivers.
Finally, all this is not exactly new. Apple has been using UEFI/EFI and has successfully locked in its customer base, as well as its device suppliers. So, if it's good enough for Apple, it's good for MS. Do you see the money motivation in all this? For every good technical idea that an engineer comes up with, the bean counter boss will ask for a hook that can ensure an ongoing income stream. This is not a conspiracy, just business.
Hi Leo, UEFI looks and seems important now since it has replaced the BIOS system on machines. You gave a great understanding of it. I am wondering if you could do a video or an article on Safe Mode on Windows. What is Safe Mode, when should you use it, how do you use Safe Mode, and what should you not do in Safe Mode on your computer?
LEO,
Your UEFI video only considered computers that were manufactured by a company,
with no consideration to the many computers either home-built or custom-built.
So, I have no clue as to what these “independently-made” computers have in the way of boot restrictions, if any.
Please address this area of concern.
Alan
There’s no way for me to know. Each independent builder can make their own choices as to what to do or how to do it. You’d need to check with the builder you purchased from.
Can we say the boundary of UEFI's protection against a physical presence attack is opening the case? If the attacker can open the case and take your hard disk out, that's no longer what UEFI or Secure Boot is designed to protect. That should be in the scope of disk encryption or something else.
So we assume the attacker can only access the keyboard, mouse, USB ports and the power button, right? UEFI is protecting the system from booting from different devices at will. Compared to the traditional BIOS password, which we have to change while booting the system when the network is not ready yet (which is hard to do remotely), with UEFI we can change its settings in the operating system, when we are already considered authorized, to change the behavior on the next boot. Is that right?
That sure looks correct to me. UEFI makes ransomware much more effective.
It looks to me like one more way Microsoft tells you what to do, and they give you no way to change the OS to what you want, like Linux Mint… How would you know this BEFORE you buy a laptop? Just think about buying one online, and finding this out… you would never get that straightened out… and I think it would be very hard to swap it out… and of course you would lose your warranty too… Bill is what, a billionaire over like 5 times…
K
This is not a Microsoft initiative. It’s industry-wide, and I believe originated at Intel. Bill has nothing to do with it.
Funny enough, with all the problems that Intel is having recently with CPU insecurity, are we sure that UEFI is actually a good idea or not? Intel wanted UEFI so that the network was active before the OS had started so it could be accessed by certain parties – Intel being one of them for updates, and also certain security forces in the USA.
Just as a matter of fact, I use a laptop purchased from the PC Specialist website in the UK, which provides custom laptops, and because I was going to install Linux I went for the no-OS option, but it came with Windows 10 Home anyway. Luckily for me, either they intentionally didn't switch on Secure Boot or forgot to enable it; I prefer to think they intentionally didn't switch it on!
Using Linux I have no interest in using the UEFI BIOS, and it functions perfectly well with its i7-6700K CPU and GTX1080 GPU, although sometimes I wonder if I should have gone for the 32GB RAM option instead of the 16GB that I chose!
For me personally, I prefer not to ever use UEFI because I am a techie; I do not want to be locked out of accessing my own hardware if something goes wrong. Do I think it is good for the general home user population? Hmmm. Since the insecurity situation with Intel CPUs lately I have to say no, UEFI is not good for the general population, and also someone did mention what would happen if a malware were to use Win 10's option of unlocking the UEFI BIOS; that again rings alarm bells in my head. I am sure there are Win 10 techie users who will swear on their mother's life that this is impossible, but they probably never thought that Intel would have the insecurity situation that's been happening to their x86 CPUs lately either!
Yes, I am aware that some of these insecurity flaws are also on AMD CPUs, but not as many as on Intel's!
But that could also be a way of driving up sales, by making it so older PCs that are not being patched now will have to be replaced – hopefully by an AMD CPU – lol.
Hello Leo, getting back to the video you did 2 years ago: you stated that you couldn't get into the BIOS on your Surface Pro. Epic Reviews Tech did a video regarding this issue.
Simple, all you do is:
1. Make sure the machine is off.
2. Press and hold the volume up button.
3. While holding the volume up button, press the power button.
The machine should boot up into the limited BIOS menu. Hope this helps.
Cheers
If UEFI is so troublesome why not convert to Legacy AOEMI?
AOMEI is a Chinese software company which makes backup and partitioning software. I think you mean BIOS. I did that on one machine which was causing me problems with UEFI. I don’t think I need that kind of protection on my home computer.
Not all machines CAN be reverted. There must be a BIOS made available for the machine. (And in some cases I believe there are hardware interactions and dependencies that would render it impossible.)
UEFI wasn't made for us; it was built around the Secure Boot option to enable manufacturers to lock down the computers so we can't change them.
Yes, UEFI is a pain in the arse. I can disable Secure Boot, but still can switch it to legacy boot. I did manage to remove the hard drive and put it in another system and used Linux to blow it away.
When I put it back in, it insisted on using a Windows Boot manager, which I found on a hidden hard drive. Removing that drive solves the problem. I now have UBUNTU installed on it. Although the manufacturer also wanted my serial number before they would give any report, and that’s not an option either.
Why would I want to sit like an idiot mindlessly listening to a recording? I can read an article about it in a minute or a minute and a half. I’m a fast reader and I don’t want to sit and listen to someone very slowly talk about the introduction to the problem then finally get to the meat of the matter where you get the whole thing in 30 seconds. In most of the recordings and videos I’ve listened to, the person explains and explains and talks about what he’s going to talk about, then finally, at the end, tells you what you want to know. What a waste of time.
All of the Ask Leo! videos come with a transcript button.
I take it you didn’t notice the big blue transcript button.
I operate with Secure Boot disabled, but I recall having a problem with a customer's new Lenovo tower on Windows 10 where he could not run Acronis backup properly and could not boot from the emergency disk to restore a backup, even with Secure Boot disabled. I called Lenovo support, who could not fix the problem and sold us restore disks to start over (what fun!). The problem was that the restore disks wouldn't work either. I finally figured out that the BIOS was defective when I couldn't even update it as a last resort. With Secure Boot disabled, I found a setting where I could switch it to a legacy BIOS. Once I did that, the machine ran perfectly and would boot from any device I wanted. I restored from the restore disks and left it on that legacy setting for the customer so he could take charge of his backups.
I’ve read the transcription, I’ve read the comments, and nowhere do I see my question addressed:
Which is:
If we need to be in Windows to get to UEFI (to disable Secure Boot, to boot from a CD or USB device, etc) BUT WINDOWS IS BROKEN, what then?
Catch-22?
Or am I forgetting something simple? (Not for the first time.)
This is why I mentioned that it varies based on the computer and manufacturer. Many — though not all — have a keyboard approach to entering the UEFI without needing Windows to be involved to begin with. So contact your computer's manufacturer for the instructions for your machine.
The IBM PC arrived in 1981. This video was released in 2016. At that point, the BIOS was 35 years old, not 25.
The first BIOS, for CP/M, arrived in 1975. (I was a network admin before the IBM PC arrived…)
So Microsoft didn’t actually sell Leo a Surface, they maintained ownership and rented it to him.
The good news is that you can boot Ubuntu Linux on a PC with secure boot enabled, if the UEFI is well written.
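Two of the points above (that UEFI settings such as Secure Boot can be inspected from the running operating system, and that Ubuntu can boot with Secure Boot enabled) can be checked from Linux without rebooting. This is an added example, not code from Ask Leo! or any commenter: it parses the SecureBoot, SetupMode, BootOrder and Boot#### variables that the firmware exposes through efivarfs, and falls back to constructed sample bytes when no UEFI firmware is present. The efivarfs path, the global-variable GUID and the sample values are assumptions made for this example.

```python
import os
import struct

# efivarfs exposes each variable as NAME-GUID; the first 4 bytes are the
# attribute bitmask, the rest is the variable payload (assumed layout).
EFIVARS = "/sys/firmware/efi/efivars"
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE


def payload(raw: bytes) -> bytes:
    """Strip the 4-byte attribute header that efivarfs prepends."""
    if len(raw) < 4:
        raise ValueError("efivar too short")
    return raw[4:]


def secure_boot_state(secure_boot: bytes, setup_mode: bytes) -> str:
    """Secure Boot only enforces when SecureBoot=1 AND SetupMode=0."""
    sb, sm = payload(secure_boot)[:1], payload(setup_mode)[:1]
    if sm == b"\x01":
        return "setup-mode"  # key database writable: no enforcement, even if SecureBoot=1
    return "enforcing" if sb == b"\x01" else "disabled"


def boot_order(raw: bytes) -> list:
    """BootOrder is an array of little-endian uint16 Boot#### numbers."""
    return [f"Boot{n:04X}" for (n,) in struct.iter_unpack("<H", payload(raw))]


def load_option_description(raw: bytes) -> str:
    """Boot####: uint32 Attributes, uint16 FilePathListLength, then a
    NUL-terminated UTF-16LE Description (e.g. 'Windows Boot Manager')."""
    data = payload(raw)
    struct.unpack_from("<IH", data, 0)  # validates the 6-byte fixed header
    desc = data[6:6 + (len(data) - 6) // 2 * 2]
    chars = []
    for (c,) in struct.iter_unpack("<H", desc):
        if c == 0:
            break
        chars.append(chr(c))
    return "".join(chars)


def read_var(name: str) -> bytes:
    with open(os.path.join(EFIVARS, f"{name}-{GLOBAL_GUID}"), "rb") as fh:
        return fh.read()


# Constructed sample bytes (attributes 0x06 = BS|RT, 0x07 adds NV); not captured from real firmware.
SAMPLE_SECURE_BOOT = b"\x06\x00\x00\x00\x01"
SAMPLE_SETUP_MODE = b"\x06\x00\x00\x00\x00"
SAMPLE_BOOT_ORDER = b"\x07\x00\x00\x00" + struct.pack("<HHH", 1, 0, 3)
SAMPLE_BOOT0001 = b"\x07\x00\x00\x00" + struct.pack("<IH", 1, 0) + "ubuntu".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    try:
        print(secure_boot_state(read_var("SecureBoot"), read_var("SetupMode")))
        for entry in boot_order(read_var("BootOrder")):
            print(entry, load_option_description(read_var(entry)))
    except OSError:  # legacy BIOS boot, non-Linux host, or efivarfs not mounted
        print("no efivarfs; using constructed samples")
        print(secure_boot_state(SAMPLE_SECURE_BOOT, SAMPLE_SETUP_MODE))
        print(boot_order(SAMPLE_BOOT_ORDER), load_option_description(SAMPLE_BOOT0001))
```

On a machine booted in legacy mode the efivarfs directory does not exist at all, which is itself a quick way to tell which of the two modes a Linux install came up in.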