This article applies to Secure Boot with Microsoft Windows 8®. Although these instructions are based on an Ivy Bridge Software Development Platform from Intel Corporation, the process should be similar on 2012 OEM platforms.
This article defines the process for enabling Secure Boot on a 2012 Ivy Bridge system.
Overview of the process:
UEFI OS Install
Enable Secure Boot
Installation of Keys
Verifying Secure Boot is enabled
UEFI OS Install
The "UEFI OS Install" may be performed before or after Secure Boot is enabled.
If Windows 8® is already installed using the standard BIOS, it can't be converted to UEFI. A new OS installation will be required.
DVD drive (USB)
Windows 8® OS installation disk with EFI setup file
Windows 8® activation key
Attach the DVD drive to the system
In BIOS setup confirm:
Boot -> CSM is Disabled
Insert the Windows 8® installation Disk
Reboot the system
During POST enter “BIOS Boot Selector Menu” by pressing F7
Select “Built in EFI Shell”
At the Shell prompt navigate to the location of the OS setup file on the DVD. Example:
Enter “fs0:” or “Blk1:”
Enter “cd EFI\Boot”
Begin the OS installation.
At the prompt type “BOOTX64.EFI”
Press “any key to boot from the CD…”
Follow the standard prompts to install the OS.
Enabling Secure Boot
Secure Boot may be enabled or disabled anytime from BIOS Setup.
After the OS install is completed remove the installation DVD
Reboot the system and press F2 to enter BIOS setup
Navigate to Security -> Secure Boot
Set the Secure Boot Mode to “Custom”
Select Custom Key Management.
Select “Install Factory Defaults” to load the keys
Confirm the action
Hit escape to go back to the Security menu
Set the Secure Boot Mode back to “Standard”
Verify Boot-> CSM is “Disabled”
Save and Exit
Boot the system to OS and login
Verifying Secure Boot is enabled
Once the OS is installed and Secure Boot is enabled, the next step is to verify that Secure Boot is operational.
To verify Secure Boot do the following:
Open PowerShell as administrator
Run the command “Confirm-SecureBootUEFI”
If Secure Boot is working, “TRUE” will be displayed on the following line.
Otherwise “FALSE” will be displayed
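An added example (not part of the original article): a PowerShell function that extends the single True/False check above by also flagging a legacy BIOS/CSM boot and reporting whether the PK, KEK, db and dbx variables loaded by “Install Factory Defaults” are populated. The function name Test-SecureBootState is hypothetical; Confirm-SecureBootUEFI and Get-SecureBootUEFI are the Windows cmdlets, and the exception types caught are the ones they are assumed to raise.

```powershell
# Added example: run from an elevated PowerShell session on the installed system.
# Test-SecureBootState is a hypothetical helper name, not a built-in cmdlet.
function Test-SecureBootState {
    $report = [ordered]@{ FirmwareMode = 'UEFI'; SecureBoot = $null; SetupMode = $null }

    try {
        # Returns $true or $false on UEFI firmware that supports Secure Boot.
        $report.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch [System.PlatformNotSupportedException] {
        # Assumed failure mode: Windows was installed through legacy BIOS/CSM,
        # or the firmware has no Secure Boot support. Reinstall in UEFI mode.
        $report.FirmwareMode = 'Legacy BIOS/CSM or no Secure Boot support'
        return [pscustomobject]$report
    }
    catch [System.UnauthorizedAccessException] {
        throw 'Access denied: open PowerShell as administrator and retry.'
    }

    # SetupMode = 1 means no Platform Key is enrolled, so Secure Boot cannot
    # be enforced even if the BIOS menu shows it as enabled.
    foreach ($name in 'SetupMode', 'PK', 'KEK', 'db', 'dbx') {
        try {
            $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
            if ($name -eq 'SetupMode') {
                $report.SetupMode = [bool]$var.Bytes[0]
            }
            else {
                $report[$name] = "present ($($var.Bytes.Length) bytes)"
            }
        }
        catch {
            # The cmdlet raises an error when the variable is undefined.
            if ($name -ne 'SetupMode') { $report[$name] = 'missing' }
        }
    }

    [pscustomobject]$report
}

Test-SecureBootState | Format-List
```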
IDER (IDE Redirection) with Secure Boot
With Secure Boot enabled, the system cannot boot from another operating system, which affects IDE Redirection. However, ME FW 8.1 provides the capability to temporarily disable Secure Boot while an IDER session is active. ME 8.1 sets Secure Boot to “Disabled” and CSM to “Enabled” while the IDER session is active. Once the IDER session is closed, Secure Boot is once again enabled.