2021-03-31T16:47:24Z
  • Secure Boot is a feature of your PC's UEFI that only allows approved operating systems to boot up.
  • It's a security tool that prevents malware from taking over your PC at boot time.
  • While it's not recommended to disable Secure Boot, you can customize the certificates it uses to authenticate which operating systems are approved on your PC. 

Secure Boot is a feature found in the startup software for your computer that's designed to ensure your computer starts safely and securely by preventing unauthorized software like malware from taking control of your PC at boot-up.

If you're using Windows 10 and a modern PC with UEFI (Unified Extensible Firmware Interface, the low-level software that enables your computer to boot), then you're automatically afforded protection from illicit software attempting to take control of your computer when it starts up. 

How Secure Boot works

Before Secure Boot, the computer's BIOS (Basic Input/Output System) would hand off control of the PC to any bootloader that was located in the right location on the hard drive. There was no way for the BIOS to validate or authenticate the software, so anything could boot the PC — Windows, other operating systems like Linux, and even malware. 

That's no longer the case. Secure Boot is a feature in UEFI, which has replaced the BIOS on the vast majority of PCs in use today. While the BIOS was commonly used in computers from the first PC until the 2000s, today virtually all PCs use UEFI. You may have seen the UEFI interface if you had to access the startup menu by pressing a keyboard shortcut (usually F1 or F2) when the computer is first turned on. 

Secure Boot establishes what programmers refer to as a "trust relationship" between the UEFI and the operating system that it launches at boot time. To do this, the launch software is signed with pairs of public/private security keys. The operating system's private key is "whitelisted" by UEFI. If UEFI has approved the key, the software (like Windows 10) can launch. 

Windows 10 ships with a certificate that's stored in UEFI; this serves as the key that allows it to boot. Likewise, other reputable operating systems (like Linux) can also acquire a key and register with UEFI, allowing them to boot securely as well. 

Conversely, if malware tries to install a bootloader on your PC to take over at startup, it will not have a signed key, and UEFI will not allow it to launch. 

How to manage Secure Boot

While Secure Boot works silently in the background and you probably never have reason to change it, you have the option to tweak Secure Boot if you need to:

  • You can disable Secure Boot entirely. This is not recommended — if you turn off Secure Boot, any software can boot on your PC. You can run older versions of Windows that don't support Secure Boot's public/private key authentication, or experimental operating systems that would not ordinarily work. But this also opens you up to malware bootloaders, so do this with care. 
  • If you are an IT professional, Secure Boot allows you to add and remove certificates, essentially determining which operating systems your PC is allowed to run. If you ran an organization that used Linux, for example, you could revoke Windows 10's ability to run on your group's hardware, only allowing your distribution of Linux. 
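
The certificates and hashes that UEFI checks at boot are stored in firmware variables as a binary structure the UEFI specification calls an EFI_SIGNATURE_LIST. The following added example (not part of the original article) goes a step beyond the text and parses that structure, so you can audit what is actually enrolled before adding or removing anything. The function names, the Linux efivarfs path used by `read_efivar`, and the sample data are assumptions made for illustration.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509_GUID: "x509", SHA256_GUID: "sha256"}
HEADER = 28  # type GUID (16) + list size, header size, entry size (3 x uint32)

def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures; one dict per entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - HEADER - hdr_size
        if list_size > len(blob) - off or sig_size < 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for pos in range(off + HEADER + hdr_size, off + list_size, sig_size):
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": uuid.UUID(bytes_le=blob[pos:pos + 16]),
                "data": blob[pos + 16:pos + sig_size],  # DER certificate or hash
            })
        off += list_size
    return entries

def read_efivar(name, guid, root="/sys/firmware/efi/efivars"):
    """Read a UEFI variable on Linux; efivarfs prepends 4 attribute bytes."""
    with open(f"{root}/{name}-{guid}", "rb") as f:
        return f.read()[4:]

def build_list(sig_type, owner, items):
    """Helper for the constructed sample: pack equal-sized entries into one list."""
    body = b"".join(owner.bytes_le + item for item in items)
    sizes = struct.pack("<III", HEADER + len(body), 0, 16 + len(items[0]))
    return sig_type.bytes_le + sizes + body

# Constructed sample data: placeholder owner GUID, hashes of made-up strings.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
HASHES = [hashlib.sha256(s).digest() for s in (b"constructed image A", b"constructed image B")]
SAMPLE_DBX = build_list(SHA256_GUID, OWNER, HASHES)

if __name__ == "__main__":
    for e in parse_signature_lists(SAMPLE_DBX):
        print(e["type"], e["owner"], e["data"].hex())
```

On a Linux machine booted through UEFI, passing the output of `read_efivar("db", "d719b2cb-3d3a-4596-a3bc-dad00e67656f")` to the parser lists the enrolled allow-list entries; the same GUID with the name `dbx` gives the revocation list.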

Dave Johnson, Freelance Writer. Dave Johnson is a technology journalist who writes about consumer tech and how the industry is transforming the speculative world of science fiction into modern-day real life. Dave grew up in New Jersey before entering the Air Force to operate satellites, teach space operations, and do space launch planning. He then spent eight years as a content lead on the Windows team at Microsoft. As a photographer, Dave has photographed wolves in their natural environment; he's also a scuba instructor and co-host of several podcasts. Dave is the author of more than two dozen books and has contributed to many sites and publications including CNET, Forbes, PC World, How To Geek, and Insider.
