This article applies to Secure Boot with Microsoft Windows 8®. Although these instructions are based on an Ivy Bridge Software Development Platform from Intel Corporation, the process should be similar on 2012 OEM platforms.
This article defines the process for enabling Secure Boot on a 2012 Ivy Bridge system.
Overview of the process:
- UEFI OS Install
- Enable Secure Boot
- Installation of Keys
- Verifying Secure Boot is enabled
UEFI OS install
- The "UEFI OS Install" may be performed before or after Secure Boot is enabled.
- If Windows 8® is already installed using the standard BIOS, it cannot be converted to UEFI. A new OS installation will be required.
- DVD drive (USB)
- Windows 8® OS installation disk with EFI setup file
- Windows 8® activation key
- Attach the DVD drive to the system
- In BIOS setup confirm:
- Boot -> CSM is Disabled
- Insert the Windows 8® installation Disk
- Reboot the system
- During POST enter “BIOS Boot Selector Menu” by pressing F7
- Select “Built in EFI Shell”
- At the Shell prompt navigate to the location of the OS setup file on the DVD. Example:
- Enter “fs0:” or “Blk1:”
- Enter “cd EFI\Boot”
- Press enter
- Begin the OS installation.
- At the prompt type “BOOTX64.EFI”
- Press enter
- Press “any key to boot from the CD…”
- Follow the standard prompts to install the OS.
Enabling Secure Boot
- Secure Boot may be enabled or disabled anytime from BIOS Setup.
- After the OS install is completed remove the installation DVD
- Reboot the system and press F2 to enter BIOS setup
- Navigate to Security -> Secure Boot
- Set the Secure Boot Mode to “Custom”
- Select Custom Key Management.
- Select “Install Factory Defaults” to load the keys
- Confirm the action
- Hit escape to go back to the Security menu
- Set the Secure Boot Mode back to “Standard”
- Verify Boot -> CSM is “Disabled”
- Save and Exit
- Boot the system to OS and login
Verifying Secure Boot is enabled
Once the OS is installed and Secure Boot is enabled, the next step is to verify that Secure Boot is operational.
To verify Secure Boot do the following:
- Open PowerShell as administrator
- Run the command “Confirm-SecureBootUEFI”
- If Secure Boot is working, “TRUE” will be displayed on the following line.
- Otherwise “FALSE” will be displayed
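The check above can be extended to cover the key installation step as well. The following is an added example, not part of the original article: it wraps Confirm-SecureBootUEFI, distinguishes a legacy BIOS install and a non-elevated prompt from a plain “FALSE”, and uses Get-SecureBootUEFI to confirm that the key variables loaded by “Install Factory Defaults” are populated. The function name Get-SecureBootReport is hypothetical.

```powershell
# Added example: report Secure Boot state and whether the key variables are populated.
# Run from an elevated PowerShell prompt on the UEFI-installed OS.
function Get-SecureBootReport {
    $report = [ordered]@{ SecureBoot = 'Unknown'; SetupMode = 'Unknown' }

    try {
        # Returns $true when Secure Boot is enforced, $false when it is off.
        $report.SecureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop)
    }
    catch [System.PlatformNotSupportedException] {
        # Raised when the OS was installed in legacy BIOS/CSM mode: reinstall in UEFI mode.
        $report.SecureBoot = 'NotSupported (OS not booted in UEFI mode)'
        return New-Object PSObject -Property $report
    }
    catch [System.UnauthorizedAccessException] {
        $report.SecureBoot = 'AccessDenied (prompt is not elevated)'
        return New-Object PSObject -Property $report
    }
    catch {
        $report.SecureBoot = "Error: $($_.Exception.Message)"
        return New-Object PSObject -Property $report
    }

    # Standard UEFI Secure Boot variables; a missing PK means the keys were never installed.
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        try {
            $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
            $report[$name] = "present ($($var.Bytes.Length) bytes)"
        }
        catch {
            $report[$name] = 'missing'
        }
    }

    try {
        # SetupMode is a single byte: 1 = setup mode (no PK enrolled), 0 = user mode.
        $setup = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
        $report.SetupMode = [bool]$setup.Bytes[0]
    }
    catch { $report.SetupMode = 'Unreadable' }

    New-Object PSObject -Property $report
}

Get-SecureBootReport | Format-List
```

A healthy result shows SecureBoot as True, SetupMode as False, and PK, KEK and db as present.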
IDER (IDE Redirection) with Secure Boot
With Secure Boot enabled, the system cannot boot another operating system, which affects IDE Redirection. However, ME FW 8.1 can temporarily disable Secure Boot while an IDER session is active: ME 8.1 changes Secure Boot to “Disabled” and CSM to “Enabled” for the duration of the IDER session. Once the IDER session is closed, Secure Boot is enabled again.
http://www.uefi.org - UEFI specifications
http://www.uefi.org/learning_center/UEFI_Plugfest_2012Q1_MicrosoftSecureBoot.pdf - Microsoft* Tools and Tests for Secure Boot