58 comments on “Why UEFI?”

  1. Interesting but we are starting to feel impact of this. In theory, this is NOT a Microsoft thing but it is. Microsoft originally stated that UEFI firmware should have a way to disable Secure Boot. They have changed their tune and manufacturers have been told if they allow secure boot to be disabled, they won’t qualify for inexpensive OEM versions of the Windows operating system. I run Windows on many machines at home but I have to run Linux on at least 3 machines. My wife’s laptop (that absolutely must run Linux for her job) was old enough that it still had the option to disable secure boot.

      • I acknowledge lots of Ray’s comments. I haven’t gotten around to trying the provided link. (And the machine in question is now very low on my list of priorities … it sits quietly in a corner just doing its job.)

  2. How does UEFI affect backups? There doesn’t seem to be much point in doing an image backup if UEFI prevents the rescue disc being used.

    • That’s one thing which concerns me too. I think I could work around it, but not without another computer and some disk swapping. A process not for the average user.

    • It’s definitely something you want to test and/or understand about your machine. Understanding how – or even if – you can boot from a CD/DVD is critical come recovery time. (Most backup programs have properly signed / authorized rescue media.)

  3. One thing I don’t understand about Secure Boot is why it exists. On older BIOS systems, the user could set a BIOS password. A password either to restrict access to the machine or to restrict access to changing the BIOS settings which included changing the boot order. This in itself caused some problems as I’ve seen many questions from people about forgotten passwords or second hand machines.

    I can understand the need to update the process, 25 year old firmware definitely does not do justice to the capabilities of modern machines, but the older BIOS system had the potential to be just as secure. The main difference now is that it defaults to secure boot, but as Leo said, for most home users, that might not be what people want. And if you don’t disable Secure Boot when your computer is able to run, you won’t be able to use a bootable rescue disk to restore your computer to working order in case of a disk failure or damage. This would apply to backups as well as reinstalling your OS through installation media.

    Additionally, unless you use encryption, someone can still walk up to your computer, take the drive out and access the files via another computer.

    • Setting the BIOS password was not very effective except to keep average users out. Any tech worth a hoot is capable of moving a jumper on the mainboard to reset the BIOS to default settings, eliminating the password requirement. Getting into or resetting UEFI settings is a whole lot more problematic, and differs from manufacturer to manufacturer.

      • Actually not all motherboards have those jumpers. I’ve heard from several people permanently locked out of a computer because there’s a BIOS password they don’t know and no way to reset it.

        • I have found that a BIOS password can be reset, without a $250.00 payment to Toshiba in this case, by shorting two points on the motherboard while booting up. The password is stored in “flash memory” and can only be reset by running the BIOS with the two points shorted, which directs the BIOS to erase the password. (TRUE: Toshiba wanted $250.00 to perform this operation, and would not even give Staples (their vendor) the information. The Laptop was purchased new for $450.) Note that the two points are accessible without removing the RAM, since the BIOS needs to run to accomplish the reset.

          • Note also that this may or may not apply to other manufacturers, or even different models from the same manufacturer. This is HIGHLY hardware dependent.

    • If the BIOS is password protected, no one can change the boot sequence. Anyone can still pull the drive out and access all the data with BIOS or UEFI, therefore both are pretty weak layers of protection.

  4. You can build your own computer, so you get full control of the UEFI / BIOS. But not everyone can or will, so it’s a problem if you have to do a clean re-installation or need to use any other OS.

  5. The backups I’ve been doing are basically a waste of time (and money) since I can’t get the computer to boot from them.

    • Two points re booting from and reinstalling from backups. (1) SURELY Microsoft’s own backup will have been crafted to get round the UEFI boot problem, and maybe that is one reason for biting the bullet and using their backup? (2) There’s nothing I’ve seen from Acronis (the backup I use) in connection with this issue, so is it in fact a problem? Does Jerry’s boot problem have another cause?

    • Hardly a waste. Worst case you can use them to retrieve files – that doesn’t require a reboot. But definitely contact your computer manufacturer to see how to reboot from something other than the internal hard drive.

    • Often, UEFI will lock an HD if it is the system disk and is not booting from it. This lock can take several forms, such as forcing read-only mounts, switching the frozen flag, etc. hdparm takes out the freeze (or doing a quick suspend/resume), and if you can switch on the UEFI option for setup mode (AND disable secure boot) or clear the TPM (back up a TPM dump first)…
      Some UEFI even caches the ‘registered’ boot EFI image (it will boot without any disks… I suppose this is the basis for secure boot, along with signatures…)

    • I used Acronis 2013 to make an image of my drive. Somehow the drive was converted to GPT. I pulled the drive out of the machine and restored the OS with an MBR on it. It would not boot, BUT I was able to make it boot after putting my Windows 7 install disk in, and it fixed the MBR restore to match the new UEFI settings.

  6. As a self-employed computer repair guy who works out of his spare bedroom, secure boot is SUCH a pain in the a***! It is an absolute nightmare and a complete waste of time (as in a literal time waster when I should be productive). Whenever I get a machine in to work on, the very first thing I always do is to make a complete disk image using something like Macrium Reflect or Clonezilla, which I used to do in situ. Now, I either have to go through a long-winded, time-wasting process of booting into Windows > Recovery > Advanced Startup > Reboot to get into UEFI > alter settings and finally, I can boot from something else such as Macrium, Clonezilla, or even a Linux Live disc. Alternatively, I have to start removing the hard drive from the suspect computer and slave it to one of my bench machines to image it.

    Secure boot was obviously designed/invented by some numpty who has never had to repair a computer before and I would happily show him/her the error of their ways if the opportunity ever came to pass! 🙂

    • Sorry, I hit the ‘post comment’ button before I’d finished.

      I just wanted to say, plus all the bootable tools I have on various discs/USB flash drives etc. Secure boot has made life hell for technicians.

      There you go, rant over 😀

      • I concur with these comments.
        I believe that UEFI and Secure Boot should be a purchased option, so that the buyer has to pay to get his computer locked up by the vendor.

      • Firstly, spot-on video, Leo.

        I fully concur with Herbie’s comments.

        I’m going in circles trying to upgrade the HDD to a hybrid drive on a Lenovo laptop, continually swapping the cloned new drive with the old drive. An added complication is that the Acronis TI clone won’t boot because it is a dynamic partition, and Acronis’s recommended procedure when installing a dynamic partition is to use a backup to restore from, but since the laptop has UEFI it has to boot from the new drive without an OS, doesn’t it? Catch-22.

    • UEFI, put on by manufacturers, is great for selling new machines to replace the one you can’t easily or cheaply fix by rebooting to USB.
      It should at least be disabled by default. If a corporation wants to set it they can, and set their own password to access it.
      This is all done wrong at the expense of the individual user.

  7. It’s a bit like having a portable safe. If I have physical access to the computer, I can just take it with me, then remove the hard drive and move it to another computer to access the data.

    All the reasonable security we need can be implemented with a protected mode switch on the motherboard. In protected mode, you can’t alter the BIOS config (including boot sequence). Throw the switch and you can change anything. For every day operation, leave it protected so you don’t accidentally alter the config or boot from an infected device. If things are going wrong, flip the switch and get the computer back on its feet. It’s up to you to provide active malware protection by only booting from known good sources.

    UEFI seems to have more benefits for Microsoft (by allowing configurations that will only boot from Windows) than it has for the end users. While in theory UEFI can be used to let older computers interface with newer technologies, I don’t see the hardware manufacturers spending resources on such activities.

    My guess is that in the end, UEFI will prevent more users from doing legitimate things than it prevents instances of malware.

  8. “This is actually something that’s implemented by the hardware manufacturers that is something that is implemented in the BIOS that is in the all of these machines in UEFI BIOS that’s in all these machines.”
    That’s easy for you to say. lol

  9. Thanks for explaining, BUT… the point is that many manufacturers do not indicate the way we can make back-ups and an emergency CD so as to be sure to succeed in booting in case the usual boot (by internal HD) doesn’t work!!!
    I have an ASUS UEFI laptop and W8.1.
    I’ve made a USB backup which should give me the way to re-initialise my system, but I cannot be told how I could save my actual system….

  10. Hi Leo, Thanks for the UEFI article. I have been reading articles related to changing the boot sequence. This is the first article that directly relates to UEFI. I shall re-read the comments after I send this.

  11. You may also be interested in this article, in which we find that recently perhaps the Microsoft “golden key” has been compromised: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot_criticism

    Then there’s this guy who quotes sources as saying that the newer BIOSes and UEFI are actually making remote hacking easier: https://www.schneier.com/blog/archives/2015/03/bios_hacking.html

    My conclusion for my environment: I’m not going to get stressed out when Windows 10 and newer computers order me to turn UEFI on (if I don’t want to).

  12. Now I am totally confused. Why would someone want to unsecure their computer? If the hard drive fails and secure boot was not disabled before the death of the hard drive, that means: ?????? All I know is that I wouldn’t want someone coming in my house and getting into my computer. But the fact is that banks can be robbed, safes can be cracked. Emails can be hacked and no one is safe!!! Why have a computer at all? Or should I say: Don’t possess things that other people could want. I think I like my Windows 8.1 computer the way it is. I have Cloud storage; I have an external hard drive; and my personal files are password locked. I don’t care to go any further into technology than that. It is enough to give anyone a headache.

  13. I called Dell to ask them how to disable Secure Boot. Their attitude was, “Why would you want to do that?” I found the answer via Google. Dell either would not or could not tell me how. Second, it’s amazing how many people have backups but never test to see if they actually work. Unless they disable Secure Boot, the backup probably will not work.

  14. Ever since Microsoft has been doing things to protect my computer, the only person it has ever kept out is ME. It reminds me of when car alarms first became popular and everyone was installing them in their cars, the only people who ever set them off (and annoyed the neighbors) was the owner, usually late night or early morning.

    It seems strange to me that when I buy something for personal use, I have no say as to these “features” that I don’t want or need, and that do nothing but cause problems for me. Everything is decided for you whether it’s problematic for you or not.

    Microsoft and computer manufacturers need to learn the meaning of “Optional”.

    • What Microsoft and computer manufacturers do know is the meaning of the phrase ‘more money’. Every computer that ‘stops working’ due to UEFI or any other ‘security’ scheme is yet another computer and OS that has to be (unnecessarily) purchased. Which means ‘more money’ in their pockets, less in yours. As well, this forces users to ‘upgrade’ to the newer OS’s, which also seem to have a lot of security ‘features’ that IMO only seem to exert more and more control over the average user’s computer experience, all in the name of security.

  15. They consider we use a computer too long. Or the technicians don’t have enough to do.
    I hope when I have to replace my motherboard, I still will be able to boot into any OS I like.

  16. I’m surprised someone else has not responded to say it “is” possible to get around the UEFI security. So let me be the first. A friend has a 2014 ASUS laptop without the internal CD/DVD drive. I created an image using Macrium Reflect (thanks for the suggestion, Leo) to an external hard drive and a REFLECT Rescue disc using an external CD/DVD drive. For this ASUS, I had to contact their service hotline to get the procedure since Googling yielded nothing. Wanting to be prepared for a hard drive crash, I knew I did not want to have to set things up within Windows for a DVD boot. I have also been successful at getting around this problem with my HP Pavilion Elite HPE-380t desktop, my wife’s DELL Inspiron 3847 Desktop and my Microsoft Surface Pro. All of these came with the UEFI BIOS. I’d be happy to share those procedures also, if there is any interest. No two are the same.

    Here is the procedure they gave me for the ASUS and I can tell you I have tried it and it worked without a hitch.

    1. Plug in the External Hard Drive containing Image File(s).
    2. Plug in the External DVD Drive and insert REFLECT Rescue Disc. [Remember…this laptop has no DVD drive]
    3. Power the computer off.
    4. Disconnect the charger from the computer.
    5. Press and hold the power button for 30 seconds or until you hear a click.
    6. Release Power button and plug the charger back in.
    7. Begin tapping F2 repeatedly and continue tapping while pressing and releasing the power button. Keep tapping until the BIOS screen appears.
    8. In the BIOS, using arrow key, go to “BOOT”.
    9. Go down to UEFI: [ext drive info] and press, together, shift and + to move it up to Option 1.
    10. Press F10 to exit and save.

    Your computer should reboot and load the Macrium REFLECT program from the DVD.

    Once in the Macrium REFLECT program, click restore and follow prompts for accessing your external hard drive and selecting the image file you want to restore to your computer.

    • I can’t quite see the reason for disconnecting the external power supply, but hey – every manufacturer has its own way of doing things, and if that what is needed for the ASUS then so be it.

      There are a number of YouTube videos that purport to demonstrate how to disable secure boot; such as:
      I don’t know if I want to follow the instructions of a mumbler who can’t understand that holding a phone/camera in one hand while typing with the other is unlikely to result in an intelligible performance, but you may be more generous!

      My take on all of this is
      1) as a home user, the likelihood of someone wanting to surreptitiously access my PC is comfortably low, but the chances of its hard drive eventually dying of old age are uncomfortably high.
      2) the time to do something about it is now, before I NEED to be able to boot from something else
      3) but it’s not so urgent that I need to do it BEFORE I have backed up everything – just in case my reconfiguration results in the PC being unable to boot from ANYTHING in future

  17. Hi Leo, I actually implemented secure boot on my machine by adding a TPM chip. I absolutely love the UEFI BIOS. Thanks for asking and thanks for the video, god bless.

  18. Microsoft is evil. Microsoft is evil. Microsoft is evil.
    They are no longer preventing usable updates to the software that you are required to have on your computer.
    You either install all updates or no updates.
    Now, they are doing their best to prevent you from using a competitor operating system, which is illegal.
    If I manufacture soap, I cannot manufacture a dishwasher that has a chip in it that checks to confirm that I am using soap bought from my company before it washes my dishes. That violates antitrust laws.
    Certainly UEFI is legal if they give you the option to turn off this extra security, though it may be illegal to have the security on as the default. If you cannot turn off the extra security, it is illegal. Even if you can turn off the security, if they do not clearly tell you how to do it, that violates antitrust.
    Instead of discussing the advantages of UEFI, which, for practical purposes, do not exist for home users, someone should be filing a class action lawsuit against Microsoft.
    They know that, by implementing this new type of boot system, a significant percentage of users will replace their computer when something goes wrong, where, with a legitimate boot system, all they would need is to use some other disk to reboot their machine so that they could fix the problem.
    This is not your typical case of discussing the pros and cons of an issue.
    This is about recognizing that Microsoft is trying to control the world. This is serious. The entire world revolves around computers. To the extent that you can control computers, you can control the world.
    Microsoft must be stopped.
    Oh, and, did I mention that Microsoft is evil?

  19. As a home user I want to disable UEFI quickly and easily. If someone gains access to my home computer, they’ve also got access to my worldly belongings like jewelry, stereo, camera, silverware, clothing, sporting goods, checkbook, credit cards, medications, furniture, etc., etc., etc. Having UEFI secure my computer would be the least of my worries. Microsoft and all computer manufacturers need to let consumers decide how, when or if UEFI is enabled. Consumers should have the absolute right to opt in. Not go through a laundry list of steps to maybe disable UEFI.

    • You can’t disable UEFI, it is the firmware needed to boot up your computer. What I believe you mean is disable the Secure Boot feature of UEFI. This may seem like being picky over semantics, but using the correct terminology can be important in getting help with your computer problems.

      I do agree with you over not needing Safe Boot protection. If someone steals your computer, all they have to do is remove the hard drive to get access to all of your data if it is not encrypted.

  20. Strange as it may sound, if you are someone who actually knows about computer technology, here’s the thing: it’s putting the reins, so to speak, on various others as to “What they can do, or what they cannot do”, and perhaps keeping tabs on them trying to change anything on their PC or usage of it.

    Or I should say : “Preventing them from using software that Microsoft can’t take notes on”. And not : as you say, if you don’t buy a Digital Certificate from Microsoft then you can forget your software running on another’s PC if it requires a DRIVER BEING INSTALLED, but even worse it will crash the System and put the person’s system in repair mode if they try to do so without a digital signed certificate driver software.

    Really makes a lot of software makers look bad. It used to be : “Anyone could write and code software for a PC, or Windows, Let the user DECIDE FOR THEMSELVES”, but now using Windows 10 it is according to Microsoft and their ASSOCIATES, AND YES MICROSOFT IS CONTROLLING WHO RUNS THEIR OPERATING SYSTEM NOW THEN : “You’d better pay us/microsoft to get a digital certificate or we will black list you, and if you don’t we still force people to use UEFI to where they have ::::: “NO CHOICE” but to bow down……….

    At first I thought Windows 10 was great. But, I have noticed when restarting my PC as of late taking a long time, as though it’s either taking notes to relay later once an online connection happens or it’s sending that information.

    The boot time on my NEW PC keeps taking forever to restart, I’m not a noob, I know about the start time selection OS stuff and other boot option.

    What is going on there LEO? Is the boot scrubbing the hard drive to scrub its tracks with Microsoft’s intrusive spying? Or what’s up with the timing and such things, am I being followed with cookies and stuff and redirected based on my political opinions?

    If you’re going to talk like you know so much, first you need to get ALL OF THE FACTS as to what’s going on.

    If you watch the NEWS and how Wiki Leaks keeps releasing the DNC getting hacked, it makes you wonder just how secure Windows 10 is and WHAT INFORMATION THEY ARE GATHERING FOR THEMSELVES……………. It’s a SERIOUS ISSUE………

    What do you think LEO?

  21. I don’t know whether Leo will respond to Bob’s comments, but I can observe that the long startup and shutdown times for Win10 are directly related to, and usually caused by, the massive updates they have pushed lately. And I noticed just recently that I can’t even specify a time to restart. Windows restarts after updates whenever it darn well wants to, and the option to control restart times is permanently grayed out. This evidently was caused by one of their “improvements.” As a result, I get reboots unexpectedly and I lose work as a result. About UEFI, the above problems haven’t arisen for me because I always build my own desktops, and my Dell laptop thankfully has a conventional BIOS. The biggest problem I have had with machines with UEFI is that I can’t find a way to specify which hard drive to boot from. The legacy BIOSes had a “choose boot sequence” plus an option to place the hard drives in whatever order you wanted in that sequence. UEFI BIOSes that I have give exactly one choice of a hard drive and it’s chosen by the BIOS. If I change boot drives, in a multi-HD machine I have to unplug all the drives except the one I want to boot from, boot from that (since it’s the only choice it has then), replace the other drives and hope the BIOS remembers to boot from that same drive. Sometimes it does, sometimes not, and I never know why, or how it determines what to boot from. In some BIOSes you can hold down a key during boot to get a “boot menu,” but it just lets one choose a boot drive for that one restart, not permanently. Googling and asking Leo about this in the past has produced zero results. It has gotten to the point that I don’t buy a motherboard with UEFI if I can possibly help it.

  22. A few observations: First, MS and Intel do give you a choice to have some level of control over UEFI settings – all you have to do is pay more money and buy a high end computer with a “professional/enterprise” version of the OS. That’s not to say that the settings will be easy to change or that MS won’t reset them with every update, but at least you can feel good that you have some “control”.

    Second, the notion that one reason for UEFI was for better computer security is hogwash. The fact is that code (software) can be executed directly under UEFI, by-passing the OS and not even waiting for the OS to boot. If some hacker hasn’t already figured out how to exploit this, it’s only a matter of time. This suggests that your malware scanner running in the OS can become irrelevant, but you’ll happily pay for new UEFI malware scanners.

    Third, there is one technically viable (good) aspect of UEFI design that, if implemented, can streamline the mess of dealing with device drivers in the OS. The UEFI concept can provide an interface layer between the OS and hardware, so that device-specific drivers would be provided by the hardware manufacturer and the OS interfaces with the UEFI using a standardized protocol that’s not dependent on machine devices. Of course, this also means that the H/W manufacturer can control what devices you can connect to your computer. It also means that device manufacturers must pay the computer manufacturer if they want their products to be compatible. As you might expect, this device interface concept will take years to implement uniformly and in the meantime you’re likely to have a new mess in dealing with device drivers.

    Finally, all this is not exactly new. Apple has been using UEFI/EFI and has successfully locked in its customer base, as well as its device suppliers. So, if it’s good enough for Apple, it’s good for MS. Do you see the money motivation in all this? For every good technical idea that an engineer comes up with, the bean counter boss will ask for a hook that can ensure an ongoing income stream. This is not a conspiracy, just business.

  23. Hi Leo, UEFI looks and seems important now since it has replaced the BIOS system on machines. You gave a great understanding of it. I am wondering if you could do a video or an article on Safe Mode on Windows: what is Safe Mode, when should you use it, how do you use Safe Mode, and what not to do in Safe Mode on your computer.

  24. LEO,
    Your UEFI video only considered computers that were manufactured by a company, with no consideration to the many computers either home-built or custom-built. So, I have no clue as to what these “independently-made” computers have in the way of boot restrictions, if any.

    Please address this area of concern.

    • There’s no way for me to know. Each independent builder can make their own choices as to what to do or how to do it. You’d need to check with the builder you purchased from.

  25. Can we say the boundary of UEFI’s protection against a physical presence attack is at opening the case? If the attacker can open the case and take your hard disk out, that’s no longer what UEFI or Secure Boot is designed to protect. That should be in the scope of disk encryption or something else.
    So we assume the attacker can only access the keyboard, mouse, USB ports and the power button, right? UEFI is protecting the system from booting with different devices at will. Compared to the traditional BIOS password, we have to change that when we are booting the system while the network is not ready yet, which is hard to do remotely. But with UEFI, we can change its setting in the operating system, when we are already considered authorized, to change the behavior in the next boot. Is that right?
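Two questions that recur in these comments, how a UEFI machine decides what it will boot (comment 21) and what Secure Boot actually tells you about the current boot (comment 25), can be answered for a specific machine by reading the variables the firmware exposes to the operating system. The script below is an added example, not Ask Leo’s code or any commenter’s: it decodes the SecureBoot, SetupMode, BootOrder, BootCurrent and Boot#### variables from Linux’s read-only efivarfs using the layouts in the UEFI specification (the efivars path and EFI_GLOBAL_VARIABLE GUID are the standard ones), and SAMPLE_VARS is constructed data so it also runs on a machine without UEFI.

```python
"""Decode what UEFI reports about Secure Boot and the boot order (Linux, efivarfs).
Added example for this thread, not code from Ask Leo or any commenter; variable
layouts follow the UEFI specification. SAMPLE_VARS is constructed test data."""
import os
import struct

EFIVARS = "/sys/firmware/efi/efivars"
# EFI_GLOBAL_VARIABLE: the vendor GUID shared by the standard boot variables.
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
LOAD_OPTION_ACTIVE = 0x00000001

def strip_efivar_header(raw):
    """efivarfs prefixes every variable with a 4-byte LE attributes word."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    return raw[4:]

def read_var(name, root=EFIVARS):
    """Payload of a global UEFI variable (reading some of them needs root)."""
    with open(os.path.join(root, f"{name}-{GLOBAL_GUID}"), "rb") as f:
        return strip_efivar_header(f.read())

def secure_boot_state(secure_boot, setup_mode):
    """Decode the one-byte SecureBoot and SetupMode variables. SecureBoot=1 means
    the firmware verified this boot's loader; SetupMode=1 means no Platform Key
    is enrolled, so anyone at the console can change the signing keys."""
    return {"secure_boot": secure_boot[:1] == b"\x01",
            "setup_mode": setup_mode[:1] == b"\x01"}

def parse_boot_order(data):
    """BootOrder is a packed array of UINT16 Boot#### numbers, preferred first."""
    if len(data) % 2:
        raise ValueError("BootOrder length must be even")
    return list(struct.unpack(f"<{len(data) // 2}H", data))

def parse_load_option(data):
    """Parse an EFI_LOAD_OPTION (a Boot#### payload): UINT32 Attributes, UINT16
    FilePathListLength, NUL-terminated UTF-16LE Description, device path list,
    then OptionalData."""
    attrs, path_len = struct.unpack_from("<IH", data, 0)
    off = 6
    end = data.find(b"\x00\x00", off)
    while end != -1 and (end - off) % 2:  # terminator must be 2-byte aligned
        end = data.find(b"\x00\x00", end + 1)
    if end == -1:
        raise ValueError("unterminated Description")
    dp_start = end + 2
    if dp_start + path_len > len(data):
        raise ValueError("FilePathListLength exceeds variable size")
    return {"active": bool(attrs & LOAD_OPTION_ACTIVE),
            "description": data[off:end].decode("utf-16-le"),
            "device_path": data[dp_start:dp_start + path_len],
            "optional_data": data[dp_start + path_len:]}

def build_load_option(description, active=True, device_path=b"\x7f\xff\x04\x00"):
    """Construct a Boot#### payload; the default device path is just the End node."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    attrs = LOAD_OPTION_ACTIVE if active else 0
    return struct.pack("<IH", attrs, len(device_path)) + desc + device_path

def summarize(read=read_var):
    """Return (secure-boot state, [(number, description, active, is_current)]).
    `read` maps a variable name to its payload; the default reads efivarfs."""
    state = secure_boot_state(read("SecureBoot"), read("SetupMode"))
    current = struct.unpack("<H", read("BootCurrent")[:2])[0]
    entries = []
    for num in parse_boot_order(read("BootOrder")):
        opt = parse_load_option(read(f"Boot{num:04X}"))
        entries.append((num, opt["description"], opt["active"], num == current))
    return state, entries

# Constructed sample: Secure Boot on, Windows first and current, USB entry inactive.
SAMPLE_VARS = {"SecureBoot": b"\x01", "SetupMode": b"\x00",
               "BootCurrent": b"\x01\x00", "BootOrder": b"\x01\x00\x02\x00",
               "Boot0001": build_load_option("Windows Boot Manager"),
               "Boot0002": build_load_option("UEFI: USB Rescue Disc", active=False)}

if __name__ == "__main__":
    live = os.path.isdir(EFIVARS)
    state, entries = summarize() if live else summarize(SAMPLE_VARS.__getitem__)
    print("live efivarfs" if live else "no efivarfs here; constructed sample")
    print("Secure Boot:", "on" if state["secure_boot"] else "off",
          "(SETUP MODE: no Platform Key enrolled)" if state["setup_mode"] else "")
    for num, desc, active, cur in entries:
        print(f"Boot{num:04X}: {desc} [{'active' if active else 'inactive'}"
              f"{', booted now' if cur else ''}]")
```

Running it before you need recovery media tells you whether the firmware is enforcing signatures and which entry it will try first, which is exactly what a rescue disc has to fit into.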

  26. It looks to me like one more way Microsoft tells you what to do, and they give you no way to change the OS to what you want, like Linux Mint….How would you know this BEFORE you buy a laptop? Just think about buying one online, and finding this out..you would never get that straightened out..and I think it would be very hard to swap it out….and of course you would lose your warranty too..Bill is what, a billionaire over like 5 times…


      • Funny enough, with all the problems that Intel is having recently with CPU insecurity, are we sure that UEFI is actually a good idea or not? Intel wanted UEFI so that the network was active before the OS had started so it could be accessed by certain parties – Intel being one of them for updates, and also certain security forces in the USA.
        Just as a matter of fact, I use a laptop purchased from the PC Specialist website in the UK, which provides custom laptops, and because I was going to install Linux I went for the no-OS option, but it came with Windows 10 Home anyway. Luckily for me, either they intentionally didn’t switch on secure boot or forgot to enable it; I prefer to think they intentionally didn’t switch it on!
        Using Linux I have no interest in using the UEFI BIOS and it functions perfectly well with its i7-6700K CPU and GTX1080 GPU, although sometimes I wonder if I should have gone for the 32GB RAM option instead of the 16GB that I chose!
        For me personally I prefer not to ever use UEFI because I am a techie and I do not want to be locked out of accessing my own hardware if something goes wrong. Do I think it is good for the general home user population? Hmmm. Since the insecurity situation with Intel CPUs lately I have to say no, UEFI is not good for the general population, and also someone did mention what would happen if a malware were to use Win 10’s option of unlocking the UEFI BIOS; that again rings alarm bells in my head. I am sure there are Win 10 techie users who will swear on their mother’s life that this is impossible, but they probably never thought that Intel would have the insecurity situation that’s been happening to their x86 CPUs lately either!
        Yes, I am aware that some of these insecurity flaws are also on AMD CPUs, but not as many as on Intel’s!
        But that could also be a way of driving up sales by making older PCs that are not being patched now have to be replaced – hopefully by an AMD CPU – lol.

  27. Hello Leo, getting back to your video you did 2 years ago – you stated that you couldn’t get into the BIOS on your Surface Pro. Epic Reviews Tech did a video regarding this issue.
    Simple, all you do is:
    1. Make sure the machine is off.
    2. Press and hold the volume-up button.
    3. While holding the volume-up button, press the power button. The machine should boot up into the limited BIOS menu. Hope this helps.

    • AOMEI is a Chinese software company which makes backup and partitioning software. I think you mean BIOS. I did that on one machine which was causing me problems with UEFI. I don’t think I need that kind of protection on my home computer.

      • Not all machines CAN be reverted. There must be a BIOS made available for the machine. (And in some cases I believe there are hardware interactions and dependencies that would render it impossible.)
