Become a Patron of Ask Leo! and go ad-free!
Why, UEFI? Hi, everyone! Leo Notenboom for askleo.com. One of the really common frustrations I hear from people is their attempt to reboot their computer from something other than its internal hard disk – CD or DVD or more recently, USB sticks.
The issue is with newer machines that come with what’s called the UEFI BIOS replacement. Technically, it’s just UEFI but I think everybody more or less refers to it as the UEFI BIOS. BIOS is the software that is actually on your machine the instant you turn it on. It’s the software that is in charge of starting the thing up; booting the machine; knowing how to load the initial operating machine or whatever.
UEFI is a replacement for the original BIOS that’s been with us for probably a quarter of a century. UEFI allows the manufacturers to take more advantage of the capabilities of their machine; capabilities that just didn’t exist 25 years ago. So, one of the things that they’ve done, actually, a couple of the things that they’ve done, have been to increase the security associated with rebooting your machine.
It boils down to a couple of different problems. The most interesting problem, the most risky problem if you want to call it that is that with an older BIOS, or with a UEFI configured to run in what’s called “Legacy” mode to mimic the behavior of an older BIOS, anybody can walk up to your computer, turn it off, insert a USB stick, CD, or DVD, reboot it and then have complete control over your machine.
In other words, physical presence is all they need to be able to access pretty much anything on your machine through one means or another. What UEFI does is, it restricts what happens when you reboot your machine. You may notice that on newer machines that come with things like Windows 8 or Windows 10, the process to get into the BIOS, the process to get into the different settings that may be present in the UEFI is different. You don’t do it by holding down a key when you reboot the machine.
Instead, you actually have to reboot the machine into Windows, and then using the Windows settings app, go through and have it then reboot into whatever your manufacturer provides. What that means, and the reason that’s done is that insures that only people who actually have administrative access to the machine can in fact, reboot into the UEFI configuration.
Somebody can’t just walk up to your machine and do things like change the boot order. By restricting UEFI access to going through this path where you have to go through Windows or the installed operating system in order to be able to see those settings, you’ve basically increased the security of the machine.
One of the other settings that comes into play is this thing called Secure Boot. What that does is, it prevents you from booting into something that isn’t authorized, if you will. Something that isn’t an official signed, allowed copy of an operating system.
Now many people think that this is a Windows thing that Microsoft is all about this, but that’s not the case. This is actually something that’s implemented by the hardware manufacturers that is something that is implemented in the BIOS that is in the all of these machines in UEFI BIOS that’s in all these machines. But in reality, it has nothing to do with Windows specifically. Windows just happens to be one of the operating systems that conforms to this specification.
It does mean that when it comes time to reboot your machine, if secure boot is turned on, it won’t boot from just anything. It will actually only boot from things that it is allowed to boot from, which means you can’t just download a random operating system from the internet and expect your machine to boot into it if secure boot is turned on.
So, unfortunately, what most people then ask is, “Great, how do I turn secure boot off? How do I return my machine to a configuration that allows me to do the things I need to do to that machine?” The answer is, as so many times comes, it depends. You may not be able to. That’s a situation I’m in as far as I can tell with my original Microsoft Surface Pro.1
For the life of me, I cannot get it to boot from anything other than its internal hard disk. The UEFI BIOS is configured for this secure boot mode. It is configured in such a way that I do not have access to the actual UEFI settings and that’s a choice that the computer manufacturer (Microsoft in this case) happened to make.
That’s the way that machine works. If that machine’s hard disk fails, to be honest, I’m not sure what I’ll do. In other cases, it depends, again, on exactly the permissions that your computer manufacturer has given you. You would start with the settings app, but where you go will depend on exactly what your computer manufacturer has allowed for and pre-configured.
Even then, when you reboot into the UEFI settings, like the BIOS before it, UEFI varies from machine to machine, from manufacturer to manufacturer. It’s incredibly capable. They’re many things you can do with it, but exactly which UEFI implementation is being used by your computer manufacturer will vary.
What that really boils down to, the bottom line here is that I can’t tell you for your machine exactly what steps you need to take to undo or to go back to a legacy type scenario or to a not secure boot scenario. You need to check with the documentation that came with your computer or you need to check with the computer manufacturer to find out what capabilities are available to you, and then exactly what steps you need to take to make the configuration changes that will allow you to do what you want.
So, UEFI, it really is all about protecting you from random, what I’ll call “drive-by reboots” where someone can just walk up to your machine and take control by rebooting it randomly into whatever they happen to have in their pocket.
Is that a good thing? In some environments it is. In home environments – maybe not so much. It’s hard to say. What do you do? How do you react to all of this security that’s being implemented by UEFI? Is it an issue for you? If it is an issue for you, how have you been working around it? Have you been working around it? Let me know.
As always, here’s a link to this article posted on Ask Leo! That’s where all the comments are read; that’s where all the comments are moderated. I’d love to hear your experience with UEFI. Again, until next time, I’m Leo Notenboom for askleo.com. Remember, stay safe, have fun, and don’t forget to back up. I’ll see you again next week. Take care.
Hey, if you found this video valuable, I could use your support. Visit
patreon.com/askleo (ed: askleo.com/patron) and pledge a couple of bucks a month or more depending on what kind of a reward you like. Yep, there’s rewards associated with it and what it will allow me to do is to focus on creating more valuable content like the video you just saw. Regardless of whether you do or not, thanks again for watching. I’m Leo Notenboom for askleo.com.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Footnotes & References
1: Since this was originally written that machine has been taken out of service and recycled, but I never did get it to boot from anything other than its own internal hard disk. Fortunately I never had a failure that would have required I be able to do anything else. (The machine’s battery was its final downfall.)