November 28, 2023
What is Secure Boot?
Key Takeaways
- Secure Boot is a fundamental security feature that ensures a PC starts up securely by preventing malware from compromising the system during the startup process.
- Windows 11 devices, including the latest Surface devices, have Secure Boot enabled by default as part of Microsoft’s commitment to security.
- To verify Secure Boot’s activation on Windows 11, users can press Windows logo key + R, type "msinfo32”, navigate to System Summary, and confirm Secure Boot State reads "On”.
One of the most important processes a PC performs is, simply, turning on. During startup, each of the essential components is activated and begins to communicate with the others. To ensure this is done securely every time, computer makers have developed Secure Boot. It’s a standard operation that helps protect your device from errors and corruption while it powers up.
Stay secure from the jump
A PC’s startup process is critical to maintaining its security. One of the sneakier ways for bad actors to take advantage of you is by secretly installing malware that can bypass operating system (OS) security and lie in wait until startup; by the time everything starts up, it’s already too late. Any number of bad outcomes are possible if this happens, including the transfer of private files, capture of cryptographic data, or recording passwords and keystrokes.
Rootkits, for one, are a sophisticated type of this malware. They run in kernel mode—a privileged mode of operation in which processes can execute with unrestricted access to things like hardware and memory. They are particularly dangerous because they have the same rights as the OS and start before it, completely hiding themselves and other applications.
What happens when a PC starts up?
To better understand the complexity, importance, and potential risks during startup, let’s look at the boot process a computer goes through. There are five steps that commonly happen at startup:
- OS power on. When you turn your computer on, power is supplied throughout its components such as the motherboard, central processing unit (CPU), hard disks, solid-state drives, graphics processors, and all other foundational hardware.
- POST. The CPU initializes itself and looks for a small program that is typically stored in a chip on the motherboard to get things started. The PC loads what’s called a Basic Input/Output System (BIOS, on older PCs) or Unified Extensible Firmware Interface (UEFI, on newer PCs). Notably, some manufacturers still call their UEFI software “BIOS.” (Firmware is a type of software that is embedded directly in a piece of hardware by the manufacturer to make the hardware work as intended.)
- Load BIOS. The BIOS or UEFI firmware loads your custom configuration settings from a designated place on the motherboard. It also tests and initializes your system’s hardware, including the CPU itself.
- OS load. After initializing hardware and checking for errors, the computer hands off control to a boot device such as a hard drive or solid-state drive. The boot device then loads the operating system into memory.
- Transfer of control to OS. Once the operating system is loaded into memory, control is transferred to the OS, and it takes over from there.
What does Secure Boot do?
A critical—and industry-standard—security measure also happens as part of the web of startup processes. Around steps three and four above, Secure Boot blocks malware attacks by using signature-enforcement handshakes. This security feature was developed to help ensure that devices start up executing only software that’s trusted by the manufacturer, which rootkits are not. Secure Boot verifies the digital signature of any executable files before allowing them to run, including the OS.
How to enable Secure Boot on Windows 11
On any newer Surface or Windows 11-equipped device, you don’t have to do anything to enable Secure Boot. In fact, as part of Microsoft’s commitment to security, Windows 11 only operates on PCs that are capable of Secure Boot. On older devices, it’s worth checking to be sure Secure Boot is enabled. While upgrading a Windows 10 device to Windows 11 requires that the PC be Secure Boot capable, with UEFI firmware (which some manufacturers still label “BIOS”) in use, you may still need to turn on Secure Boot manually.
How to check if Secure Boot is enabled on Windows 11
Checking if Secure Boot is active in Windows 11 and protecting your device at startup is easy. To check if Secure Boot is enabled on your PC, you can follow these steps:
- Press the Windows logo key + R to open the Run dialog box.
- Enter “msinfo32”.
- In the System Information window that appears, select System Summary from the left-hand pane.
- Find Secure Boot State in the right-hand pane. If it says “On,” then Secure Boot is enabled on your PC.
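The same check the steps above describe, scripted in PowerShell, together with a look at the kind of signature Secure Boot verifies (the one on the Windows boot manager described under “What does Secure Boot do?”). This is an added example, not code from the original post; it assumes a Windows 10 or 11 machine with the built-in SecureBoot module and the default boot manager path.

```powershell
# Added example: report Secure Boot state the way msinfo32 does, and show
# the Authenticode signature on the Windows boot manager.
# Assumes Windows 10/11 with the built-in SecureBoot module.

function Get-SecureBootReport {
    $report = [ordered]@{
        FirmwareType    = $env:firmware_type   # 'UEFI' or 'Legacy'
        SecureBootState = 'Unknown'
        Source          = ''
    }

    if ($report.FirmwareType -ne 'UEFI') {
        # Secure Boot is a UEFI feature; a legacy-BIOS boot cannot have it.
        $report.SecureBootState = 'Unsupported (legacy BIOS boot)'
        $report.Source = 'firmware_type'
        return [pscustomobject]$report
    }

    try {
        # Authoritative query; needs an elevated (Administrator) prompt.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $report.SecureBootState = if ($enabled) { 'On' } else { 'Off' }
        $report.Source = 'Confirm-SecureBootUEFI'
    } catch {
        # Not elevated or cmdlet unavailable: fall back to the registry
        # value msinfo32 reads (1 = On, 0 = Off).
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UEFISecureBootEnabled
        if ($null -ne $value) {
            $report.SecureBootState = if ($value -eq 1) { 'On' } else { 'Off' }
            $report.Source = 'registry'
        }
    }
    [pscustomobject]$report
}

function Get-BootManagerSignature {
    # The boot manager is one of the executables whose signature the
    # firmware must verify before handing it control.
    $bootmgr = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'
    $sig = Get-AuthenticodeSignature -FilePath $bootmgr
    [pscustomobject]@{
        File   = $bootmgr
        Status = $sig.Status                   # 'Valid' on a healthy install
        Signer = $sig.SignerCertificate.Subject
    }
}

Get-SecureBootReport | Format-List
Get-BootManagerSignature | Format-List
```

A state of “Off” on a UEFI machine means the firmware setting still needs to be enabled in the UEFI setup screen; a boot manager signature status other than “Valid” is worth investigating before relying on the device.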
While you can disable Secure Boot, it is not recommended.
Microsoft is dedicated to protecting your Surface and Windows 11 devices from bad actors, today and in the years to come. Secure Boot—and the Windows 11 requirement for it—is yet another example of that commitment. Whether it’s for work, home, or play, compare and choose your next PC from the diverse lineup of super-secure Surface devices.