Jump to content

Secure Boot (Windows 8)

  • PrintPrint
This document pertains to HP and Compaq PCs with Windows 8 and Secure Boot.
Secure Boot Configuration is a new feature of the Unified Extensible Firmware Interface (UEFI) in BIOS 8 that helps a computer resist attacks and infection from malware. When your computer was manufactured, UEFI created a list of keys that identify trusted hardware, firmware, and operating system loader code. It also created a list of keys to identify known malware.
When Secure Boot is enabled, the computer blocks potential threats before they can attack or infect the computer. For example, Secure Boot can prevent your computer from starting from illegally copied CDs or DVDs that could harm the computer. Secure Boot does not lock out valid recovery discs or Windows discs.
You may have to disable Secure Boot in order to use hardware (such as older video cards) that Secure Boot does not recognize, or to boot from a CD or DVD that is not recognized. If Secure Boot does not recognize hardware, Windows does not use the hardware when it boots up, and you may experience problems starting the computer. If Secure Boot does not recognize a video card, the computer may have a blank display. For more information, refer to the Troubleshooting section.
NOTE:If your computer was updated to Windows 8.1 and you now have a persistent message over the desktop that states SecureBoot isn't configured correctly, Microsoft has released a download solution to remove this message. For more information, refer to Update removes the "Windows SecureBoot isn't configured correctly" watermark in Windows 8.1 (in English).
Figure 1: SecureBoot Watermark in Windows 8.1
SecureBoot Watermark in Windows 8.1

System requirements for using Secure Boot in Windows 8

All HP and Compaq computers that were manufactured with Windows 8 can use Secure Boot. Secure Boot is enabled by default on these computers. If you upgrade a computer manufactured with Windows 7 or earlier to Windows 8, you can use Secure Boot only if and AMI BIOS version 8 that is compatible with UEFI (Unified Extensible Firmware Interface) is available for the computer.
NOTE:HP and Compaq Notebook PCs that were manufactured with Windows 7 or earlier may have an available BIOS update that allows the use of Secure Boot. For more information, refer to Updating the BIOS .
NOTE:HP and Compaq Desktop PCs that were manufactured with Windows 7 or earlier do not have a BIOS version that allows the use of Secure Boot and one will not be made available for these computers.

Using Secure Boot on a notebook computer with Windows 8

Most HP notebook computers use the Insyde BIOS. Use the instructions in this section to enable or disable Secure Boot on your notebook computer.

Enabling Secure Boot on a notebook computer in Windows 8

Secure Boot is enabled by default on computers that were manufactured with Windows 8. If Secure Boot has been disabled or if you are enabling a Notebook PC that was upgraded to Windows 8, follow these steps to enable it:
  1. Turn off the computer.
  2. Immediately press the Esc key repeatedly, about once every second, until the Startup Menu opens.
    Figure 2: Startup Menu
    Startup Menu
  3. Use the right arrow key to choose the System Configuration menu, use the down arrow key to select Boot Options , then press Enter .
    Figure 3: Boot Options selection in the System Configuration window
    Boot Options selection in the System Configuration window
  4. Use the down arrow key to select Secure Boot , press the Enter key, then use the down arrow key to modify the setting to Enabled .
    Figure 4: Secure Boot: Enabled
    Secure Boot: Enabled
  5. Press Enter to save the change.
  6. Use the left arrow key to select the File menu, use the down arrow key to select Save Changes and Exit , then press Enter to select Yes .
  7. The Computer Setup Utility closes and the computer restarts.

Disabling Secure Boot on notebook computers with Windows 8

You may want to disable Secure Boot in order to install new hardware or boot from a CD or DVD. Follow these steps to disable Secure Boot:
  1. Turn off the computer.
  2. Immediately press the Esc key repeatedly, about once every second, until the Startup Menu opens.
    Figure 5: Startup Menu
    Startup Menu
  3. Use the right arrow key to choose the System Configuration menu, use the down arrow key to select Boot Options , then press Enter .
    Figure 6: Boot Options selection in the System Configuration window
    Boot Options selection in the System Configuration window
  4. Use the down arrow key to select Secure Boot , press the Enter key, then use the down arrow key to modify the setting to Disabled .
    Figure 7: Secure Boot: Disabled
    Secure Boot: Disabled
  5. Press Enter to save the change.
  6. Use the left arrow key to select the File menu, use the down arrow key to select Save Changes and Exit , then press Enter to select Yes .
  7. The Computer Setup Utility closes and the computer restarts. When the computer has restarted, the Operating System Boot Mode Change screen appears, prompting you to confirm the Boot Options change. Type the code shown on the screen, then press Enter to confirm the change and continue to Windows.

Using Secure Boot on a desktop computer with Windows 8

The BIOS on a desktop computer is different from the BIOS on a notebook computer. Use the instructions in this section to enable or disable Secure Boot on your desktop computer.

Enabling Secure Boot on a desktop computer with Windows 8

Secure Boot is enabled by default on computers that were manufactured with Windows 8. If Secure Boot has been disabled, follow these steps to enable it:
  1. Turn off the computer.
  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.
  3. Use the left and right arrow keys to select the Security menu.
    Figure 8: Secure Boot Configuration selection in the Security window
    Secure Boot Configuration selection in the Security window
  4. Use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .
  5. The Secure Boot Configuration warning displays. Press F10 to continue.
    Figure 9: Secure Boot Configuration window
    Secure Boot Configuration window
  6. Use the left and right arrow keys to disable Legacy Support if it is enabled.
    Figure 10: Secure Boot Configuration window
    Secure Boot Configuration window
  7. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to enable it.
  8. Press F10 to accept the changes.
  9. Press F10 again, then press Enter twice to restart the computer with Secure Boot enabled.
    Figure 11: Save Changes and Exit selection
    Save Changes and Exit selection

Disabling Secure Boot on a desktop computer with Windows 8

You may want to disable Secure Boot in order to install new hardware or boot from a CD or DVD. Follow these steps to disable Secure Boot:
  1. Turn off the computer.
  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.
  3. Use the left and right arrow keys to select the Security menu, then use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .
    Figure 12: Secure Boot Configuration selection in the Security window
    Secure Boot Configuration selection in the Security window
  4. The Secure Boot Configuration warning displays. Press F10 to continue.
    Figure 13: Secure Boot Configuration window
    Secure Boot Configuration window
  5. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to change the setting to Disable .
    Figure 14: Secure Boot Configuration window
    Secure Boot Configuration window
  6. Use the up and down arrow keys to select Legacy Support , then use the left and right arrow keys to change the setting to Enable .
  7. Press F10 to accept the changes.
  8. Press F10 again, then press Enter twice to restart the computer.
    Figure 15: Save Changes and Exit selection
    Save Changes and Exit selection
  9. As soon as the computer starts, a message appears indicating that the boot mode has changed.
    Figure 16: Boot mode change message
    Boot mode change message
  10. Type the four-digit code shown in the message, then press Enter to confirm the change.
    NOTE:No text field displays for the code. This is expected behavior. When you type the numbers, the code is logged without a text field.
    The computer starts Windows 8.

Frequently Asked Questions about Secure Boot in Windows 8

Click each question to find the answer to a frequently asked question about Secure Boot.
Secure Boot Configuration is a new feature of the Unified Extensible Firmware Interface (UEFI) in BIOS 8 that helps a computer resist attacks and infection from malware. When your computer was manufactured, UEFI created a list of keys that identify trusted hardware, firmware, and operating system loader code. It also created a list of keys to identify known malware. When Secure Boot is enabled, the computer blocks potential threats before they can attack or infect the computer. Any malware or other firmware code that is not recognized is blocked. For example, Secure Boot can prevent your computer from starting from illegally copied CDs or DVDs that could harm the computer. Secure Boot does not lock out valid recovery discs or Windows discs.
When Secure Boot is disabled, the computer is at greater risk from "Root Kit" infections that inject themselves before the Windows boot process. Anti-virus or Security software typically does not protect against these types of threats.
Secure Boot may be available for your computer if you install Windows 8.
If you have an HP or Compaq Desktop computer that was manufactured with Windows 7 or earlier, the correct BIOS version to use Secure Boot is not available. You will not be able to use Secure Boot.
If you have an HP or Compaq Notebook computer that was manufactured with Windows 7 or earlier, a BIOS update that allows the use of Secure Boot may be available. For more information, see Updating the BIOS . After you have updated to a BIOS version that supports Secure Boot, go to Enabling Secure Boot .

Troubleshooting problems with Secure Boot in Windows 8

The following sections provide information for resolving issues with Secure Boot. Click each issue to see its solution.
After updating to Windows 8.1 a message, called a watermark, persistently appears in a corner of the screen:
Windows 8.1 Pro
Secure Boot Isn't Configured Correctly
Build 9600
Figure 17: SecureBoot Watermark in Windows 8.1
SecureBoot Watermark in Windows 8.1
This message is shown because Windows detects Secure Boot functionality on the system, but also detects it is not enabled. Windows 8 uses Secure Boot to authenticate a valid loading of the Windows for security purposes.
NOTE: The message does not cause system issues nor does it indicate your computer is functioning improperly. You can continue using your computer normally.
Microsoft has released a download solution to remove this message. For more information, read Microsoft's support article Update removes the "Windows SecureBoot isn't configured correctly" watermark in Windows 8.1 (in English).
For many PCs, resetting the BIOS back to defaults can also remove this message. Use the following steps to reset the BIOS to default settings:
  1. At the Start screen, press the Windows key + I key.
  2. While holding down the SHIFT key on your keyboard, click Power , and select Shut down .
  3. Wait 5 seconds for the computer to fully shut down.
  4. Press the power button on your computer to turn it on.
  5. Immediately press the F10 key repeatedly, about once every second, until the computer enters into a BIOS Setup utility.
  6. Once the computer opens into the Setup Utility, press the F11 key to restore defaults.
  7. Confirm your selection by responding to the window that opens.
  8. Press F10 and confirm to save settings and exit.
  9. Wait for Windows 8 to load and look to see if the message continues to appear over the screen:
    If the message no longer is shown, you are done.
    If the message persists, continue using these steps to enable Secure Boot.
  10. Restart the computer and immediately press the F10 key repeatedly, about once every second, until the computer enters into a BIOS Setup utility.
  11. Use the arrow and Enter keys to find and enable the Secure Boot setting. The Secure Boot setting can be found in Boot Options from the System Configuration menu (notebook PCs) or from the Security menu (desktop PCs).
    NOTE: If a Secure Boot setting cannot be found or cannot be changed, find the Legacy Mode setting and make sure it is disabled. In the event a BIOS does not show the Secure Boot setting, and it cannot be changed by resetting BIOS to defaults, the BIOS is incompatible and should be updated if an update is available from HP's web site.
  12. Press F10 and confirm to save settings and exit.
If Secure Boot does not recognize a video card that you install, you may experience problems starting the computer, or there might be no video output at all. First remove the new video card and restore the computer to its original configuration so that the computer display works. Then disable Secure Boot and enable Legacy Boot. Once Legacy Boot is enabled, you can install the new video card.
Step 1: Restore the computer to its original configuration
If your computer came with on-board video only and you installed a new video card, remove the video card.
If your computer came with a video card installed and you replaced the original card with a new card, remove the new card. Then replace the original card in the computer.
Step 2: Disable Secure Boot and enable Legacy Boot
Follow these steps to disable Secure Boot and enable Legacy Boot:
  1. Turn off the computer.
  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.
  3. Use the left and right arrow keys to select the Security menu, then use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .
    Figure 18: Secure Boot Configuration selection in the Security window
    Secure Boot Configuration selection in the Security window
  4. The Secure Boot Configuration warning displays. Press F10 to continue.
    Figure 19: Secure Boot Configuration window
    Secure Boot Configuration window
  5. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to change the setting to Disable .
    Figure 20: Secure Boot Configuration window
    Secure Boot Configuration window
  6. Use the up and down arrow keys to select Legacy Support , then use the left and right arrow keys to change the setting to Enable .
  7. Press F10 to accept the changes.
  8. Press F10 again, then press Enter twice to restart the computer.
    Figure 21: Save Changes and Exit selection
    Save Changes and Exit selection
  9. As soon as the computer starts, a message appears indicating that the boot mode has changed.
    Figure 22: Boot mode change message
    Boot mode change message
  10. Type the four-digit code shown in the message, then press Enter to confirm the change.
    NOTE:No text field displays for the code. This is expected behavior. When you type the numbers, the code is logged without a text field.
    The computer starts Windows 8.
Step 3: Install the new video card
Turn off the computer and install the desired video card in the computer. Make sure the card is compatible with the computer.
If Secure Boot does not recognize hardware that you install, you may experience problems starting the computer or see a blue screen or BIOS error message. You can remove the new hardware and replace it with the old hardware to boot into Windows normally, or you can disable Secure Boot and enable Legacy Boot. Follow these steps to disable Secure Boot and enable Legacy Boot:
  1. Turn off the computer.
  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.
    NOTE:If you cannot enter the Computer Setup Utility by pressing F10, remove the new hardware and restore the computer to its original configuration. Then repeat this step to enter the Computer Setup Utility.
  3. Use the left and right arrow keys to select the Security menu, then use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .
    Figure 23: Secure Boot Configuration selection in the Security window
    Secure Boot Configuration selection in the Security window
  4. The Secure Boot Configuration warning displays. Press F10 to continue.
    Figure 24: Secure Boot Configuration window
    Secure Boot Configuration window
  5. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to change the setting to Disable .
    Figure 25: Secure Boot Configuration window
    Secure Boot Configuration window
  6. Use the up and down arrow keys to select Legacy Support , then use the left and right arrow keys to change the setting to Enable .
  7. Press F10 to accept the changes.
  8. Press F10 again, then press Enter twice to restart the computer.
    Figure 26: Save Changes and Exit selection
    Save Changes and Exit selection
  9. As soon as the computer starts, a message appears indicating that the boot mode has changed.
    Figure 27: Boot mode change message
    Boot mode change message
  10. Type the four-digit code shown in the message, then press Enter to confirm the change.
    NOTE:No text field displays for the code. This is expected behavior. When you type the numbers, the code is logged without a text field.
    The computer starts Windows 8.
  11. If you removed the new hardware, turn off the computer and install the hardware in the computer. Make sure the hardware is compatible with the computer.
    For more information, see the Microsoft support page: Windows 8 with Secure Boot enabled may no longer boot after installing new hardware (in English).
HP computers that come with Windows 8 installed have Secure Boot enabled by default. Having Secure Boot enabled prevents legacy boot devices from starting your computer, including bootable CDs and DVDs.
To start your computer from a valid bootable disc, such as an HP recovery disc, disable Secure Boot and enable Legacy Support in the BIOS, and then use the Boot Menu to select the CD/DVD drive as the boot device.
Step 1: Disable Secure Boot and enable Legacy Boot
Follow these steps to disable Secure Boot and enable Legacy Boot:
  1. Turn off the computer.
  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.
  3. Use the left and right arrow keys to select the Security menu, then use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .
    Figure 28: Secure Boot Configuration selection in the Security window
    Secure Boot Configuration selection in the Security window
  4. The Secure Boot Configuration warning displays. Press F10 to continue.
    Figure 29: Secure Boot Configuration window
    Secure Boot Configuration window
  5. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to change the setting to Disable .
    Figure 30: Secure Boot Configuration window
    Secure Boot Configuration window
  6. Use the up and down arrow keys to select Legacy Support , then use the left and right arrow keys to change the setting to Enable .
  7. Press F10 to accept the changes.
  8. Press F10 again, then press Enter twice to restart the computer.
    Figure 31: Save Changes and Exit selection
    Save Changes and Exit selection
  9. When the computer has restarted, use the power button to turn the computer off.
Step 2: Select the CD/DVD drive as the boot device
Follow these steps to select the CD/DVD drive as the boot device in the Boot Menu.
  1. Press the power button to turn the computer on. As soon as the computer starts, a message appears indicating that the boot mode has changed.
    Figure 32: Boot mode change message
    Boot mode change message
  2. Type the four-digit code shown in the message, then press Enter to confirm the change.
    NOTE:No text field displays for the code. This is expected behavior. When you type the numbers, the code is logged without a text field.
    The computer starts Windows 8.
  3. Press the power button to turn off the computer, wait a few seconds, then turn on the computer and immediately press the Esc key repeatedly, about once every second, until the Startup menu opens.
  4. Press F9 to open the Boot Menu.
    Figure 33: Boot Menu
    Boot Menu
  5. Use the down arrow key to select the SATA device under the ATAPI CD/DVD drive heading, then press Enter to select the CD/DVD drive as the boot device.
    The computer starts Windows 8.
  6. Insert the bootable CD or DVD into the CD/DVD drive.
  7. Press the power button to turn the computer off and wait about 5 seconds.
  8. Press the power button again to turn the computer on.
    The computer starts from the CD or DVD.