Choose UEFI or legacy BIOS modes when booting into Windows PE (WinPE) or Windows Setup. After Windows is installed, if you need to switch firmware modes, you may be able to use the MBR2GPT tool.

In general, install Windows using the newer UEFI mode, as it includes more security features than the legacy BIOS mode. If you're booting from a network that only supports BIOS, you'll need to boot to legacy BIOS mode. After Windows is installed, the device boots automatically using the same mode it was installed with.

You can use any of these methods to open the firmware menus:

Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.

Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.

From the firmware menus, boot to a drive or network while in UEFI or BIOS mode:

On the boot device menu, select the command that identifies both the firmware mode and the device. For example, select UEFI: USB Drive or BIOS: Network/LAN. You might see separate commands for the same device. For example, you might see UEFI USB Drive and BIOS USB Drive. Each command uses the same device and media, but boots the PC in a different firmware mode.

Some devices only support one mode (either UEFI or BIOS). Other devices will only allow you to boot to BIOS mode by manually disabling the UEFI security features. To disable the security features, go to Security > Secure Boot and disable the feature.

Some older PCs (Windows 7-era or earlier) support UEFI, but require you to browse to the boot file. From the firmware menus, look for the option: "Boot from file", then browse to \EFI\BOOT\BOOTX64.EFI on Windows PE or Windows Setup media.

UEFI and BIOS modes in WinPE

Detect if WinPE is booted into BIOS or UEFI Mode

Query the registry to determine which mode the device is in. You can do this from the command line:

    reg query HKLM\System\CurrentControlSet\Control /v PEFirmwareType

Use it in a script:

    wpeutil UpdateBootInfo
    for /f "tokens=2* delims=	 " %%A in ('reg query HKLM\System\CurrentControlSet\Control /v PEFirmwareType') DO SET Firmware=%%B
    :: Note: delims is a TAB followed by a space.
    if %Firmware%==0x1 echo The PC is booted in BIOS mode.
    if %Firmware%==0x2 echo The PC is booted in UEFI mode.

Note that between delims= and " %%A is a tab, followed by a space.

Make sure you boot into the right mode every time

Here are a couple of ways you can make sure you're booted into the right firmware mode every time you start your PC.

Use preformatted hard drives, and use a method that doesn't automatically format the drive. If you want to ensure that your drive boots into a certain mode, use drives that you've preformatted with the GPT file format for UEFI mode, or the MBR file format for BIOS mode. When the installation starts, if the PC is booted to the wrong mode, Windows installation will fail. To fix this, restart the PC in the correct firmware mode.

If you want a PC to only boot into a certain mode, you can remove the files that Windows PE or Windows Setup use to boot in UEFI or BIOS mode. Remove the following files, depending on the mode you want to boot to. Remove the bootmgr file from the root of the Windows PE or Windows Setup media. This prevents the device from starting in BIOS mode. Remove the efi folder from the root of the Windows PE or Windows Setup media. This prevents the device from starting in UEFI mode.

These steps are not specific to PC OEMs. Enterprises and customers can also use these steps to configure their servers to support Secure Boot. Windows requirements for UEFI and Secure Boot can be found in the Windows Hardware Certification Requirements. This paper does not introduce new requirements or represent an official Windows program. It is intended as guidance beyond certification requirements, to assist in building efficient and secure processes for creating and managing Secure Boot Keys. This is important because UEFI Secure Boot is based on the use of Public Key Infrastructure to authenticate code before it is allowed to execute.
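The page says installation fails when the firmware mode does not match the drive's format (GPT for UEFI, MBR for BIOS). The following pre-install check is an added example, not part of the original page. It assumes PowerShell and the Storage cmdlets are present in the running image, and the $DiskNumber parameter and function names are hypothetical.

```powershell
# Added example: compare the booted firmware mode with the target disk's
# partition style before starting an installation.
# In WinPE, run "wpeutil UpdateBootInfo" first, as the page's script does.
param(
    [int]$DiskNumber = 0   # hypothetical: the disk Windows will be installed to
)

function Get-FirmwareMode {
    # Same registry value the page queries with reg.exe: 0x1 = BIOS, 0x2 = UEFI.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $type = (Get-ItemProperty -Path $key -Name PEFirmwareType -ErrorAction Stop).PEFirmwareType
    switch ($type) {
        1 { 'BIOS' }
        2 { 'UEFI' }
        default { throw "Unexpected PEFirmwareType value: $type" }
    }
}

function Test-ModeMatchesDisk {
    param([string]$Mode, [string]$PartitionStyle)
    # The page pairs GPT with UEFI and MBR with BIOS. A RAW (uninitialized)
    # disk has no partition style yet, so it cannot conflict with either mode.
    switch ($PartitionStyle) {
        'GPT'   { return $Mode -eq 'UEFI' }
        'MBR'   { return $Mode -eq 'BIOS' }
        'RAW'   { return $true }
        default { return $false }
    }
}

$mode  = Get-FirmwareMode
$style = [string](Get-Disk -Number $DiskNumber -ErrorAction Stop).PartitionStyle

if (Test-ModeMatchesDisk -Mode $mode -PartitionStyle $style) {
    Write-Output "OK: booted in $mode mode, disk $DiskNumber is $style."
} else {
    Write-Error "Mismatch: booted in $mode mode but disk $DiskNumber is $style. Restart the PC in the correct firmware mode."
    exit 1
}
```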