How to flip over to UEFI with Secure Boot with no data loss. Requires Windows 8 or later.


ethanolson
If you found that you couldn’t deploy your PC with UEFI support but still want to use the latest and greatest EFI features, follow this guide to convert your system to boot via UEFI and employ Secure Boot. No data will be lost.

BTW, the acronyms of UEFI and EFI are pretty much interchangeable if you have a latest-standards-compliant mainboard.

Want a primer on UEFI? Look here: http://technet.microsoft.com/en-us/library/hh824898.aspx

For a slick overview of Secure Boot, check out this link: http://technet.microsoft.com/en-US/windows/dn168167.aspx

Why is using UEFI a problem for some system builders?
A massive number of PCs on the market don't support native UEFI boot from a traditional USB thumb key or CD/DVD, so you can't even install your OS that way. You have to install your OS the old way under a legacy BIOS startup routine. This is a particular issue with business-oriented machines.

So let's walk you through converting that installation to UEFI with Secure Boot. A few helpful videos are near the bottom of this article.

Prerequisites:
1. a system that supports UEFI with Secure Boot (also called UEFI Class 3)
2. an OS that supports UEFI with Secure Boot (Windows 8 and later)
3. administrative access to your system's BIOS
4. 64-bit installation of Windows 8, Server 2012, or later version

If you’re running on a 32-bit only platform like many Intel Atom rigs, then you will need the 32-bit installation media… and some therapy. Also, Secure Boot doesn’t work for a 32-bit OS installation on a 64-bit capable system.


No OS installed yet? Here’s what you’ll need to do:
I’m not going to give you detailed instructions on how to accomplish the tasks in this section, so you’ll need to look elsewhere for help. It’s not too difficult with a tinkerer’s patience and mindset.

1. Set your BIOS to boot with UEFI/Legacy hybrid mode to ensure you can access your DVD or USB Key at startup and also to address large hard drives if you have one
2. When installing your OS, I recommend that you set your hard drive partition table to GPT instead of the older MBR. This is not a requirement but it has benefits. It can be data destructive in some scenarios, though.
3. Finish the OS installation and load your hardware drivers


Converting Windows startup routine to UEFI Secure Boot
Let’s make with the actual How-To already!

Now that you have your computer up and running, let’s make sure you can get the thing to boot through UEFI and employ Windows Secure Boot.

1. Get the latest BIOS firmware from your motherboard manufacturer and install it.

2. Check your manufacturer’s documentation on what is required to boot through UEFI and make it happen. It’s probably some kind of hard drive partition that needs to be made.

2.a. If you’re like me and are using an HP system (or several), there’s great documentation here.

2.a.i. If that was too confusing then let me distill it down for you. They just said that you need a partition of 2GB called HP_TOOLS on your primary drive, formatted in FAT32. Although I learned through experimentation that 1GB works without any problems.

2.a.i-1. This is accomplished in Computer Management’s Disk Management feature by shrinking your OS partition by 2GB and creating a new partition and volume called HP_TOOLS and formatted as FAT32. Let Windows assign a drive letter!

3. Update any UEFI specific tools your manufacturer has created. This usually puts some necessary pieces into the EFI partition.

3.a. HP has made all that available, so I grabbed my packages from here.

4. Set the boot environment to support UEFI and point the boot loader to your Windows installation

4.a. Jump out to the command prompt with administrative privileges

4.a.i. If you fail to do it under admin rights you’ll get some weird error about not being able to access the BCD store when running the command below.

4.b. At the command prompt you’ll need to run the following command:

bcdboot c:\windows /s e: /f ALL


In the foregoing command, change “c:\windows” to your Windows directory… which is probably “c:\windows” but might not be. Also change the drive letter “e:” to whatever your system’s EFI volume drive letter is.

5. Perform any manufacturer-recommended cleanup processes

5.a. For me and my HP system that only means that I remove the drive letter assignment from the HP_TOOLS volume

5.a.i. Jump back into Computer Management’s Disk Management tool and remove the EFI volume’s drive letter if you have one.

6. Switch your BIOS to UEFI native mode (no CSM) and enable Secure Boot

7. Boot and enjoy!
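Before (and after) running through steps 1 to 7, it helps to know exactly where the machine stands. The following PowerShell pre-flight check is an added example, not part of the original post: it reports firmware mode, Secure Boot state, OS bitness, the partition style of the Windows disk, and the EFI System Partition (ESP) with its drive letter, then prints the bcdboot command from step 4.b with the detected letter filled in. It is read-only and changes nothing; it assumes Windows 8 or later with the built-in Storage and SecureBoot modules, run from an elevated PowerShell.

```powershell
# Added example (not from the original post): read-only pre-flight check for
# the UEFI / Secure Boot conversion. Assumes Windows 8+ with the Storage and
# SecureBoot modules (both ship with Windows). Run elevated.

# GPT type GUID of an EFI System Partition (fixed value from the UEFI spec).
$EspGptType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'

function Get-UefiReadiness {
    $esp = Get-Partition -ErrorAction SilentlyContinue |
        Where-Object { $_.GptType -eq $EspGptType } |
        Select-Object -First 1

    # Disk that holds the Windows volume (normally C:).
    $sysLetter = $env:SystemDrive.TrimEnd(':')
    $sysDisk   = Get-Partition -DriveLetter $sysLetter | Get-Disk

    # Confirm-SecureBootUEFI throws when the box booted in legacy BIOS mode,
    # so treat an exception as "Secure Boot not active".
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

    # On an MBR disk there is no GptType; list FAT32 volumes (e.g. HP_TOOLS)
    # so the reader can see which volume the firmware tools may be using.
    $fat32 = Get-Volume | Where-Object { $_.FileSystem -eq 'FAT32' } |
        ForEach-Object { "$($_.DriveLetter): $($_.FileSystemLabel)" }

    [pscustomobject]@{
        FirmwareType    = $env:firmware_type            # 'UEFI' or 'Legacy'
        SecureBootOn    = [bool]$secureBoot
        Is64BitOS       = [Environment]::Is64BitOperatingSystem
        SystemDiskStyle = $sysDisk.PartitionStyle       # 'GPT' or 'MBR'
        EspPresent      = [bool]$esp
        EspDriveLetter  = if ($esp -and "$($esp.DriveLetter)" -match '^[A-Za-z]$') { "$($esp.DriveLetter):" } else { $null }
        Fat32Volumes    = ($fat32 -join '; ')
    }
}

$r = Get-UefiReadiness
$r | Format-List

if ($r.FirmwareType -eq 'UEFI' -and $r.SecureBootOn) {
    'Already booting via UEFI with Secure Boot; nothing to convert.'
} elseif (-not $r.EspPresent) {
    'No EFI System Partition found: create the partition your manufacturer requires (step 2) first.'
} elseif (-not $r.EspDriveLetter) {
    "ESP found but it has no drive letter: assign one in Disk Management, then run:`n" +
    "  bcdboot $env:SystemRoot /s <ESP letter>: /f ALL"
} else {
    "Run from an elevated prompt (step 4.b):`n  bcdboot $env:SystemRoot /s $($r.EspDriveLetter) /f ALL"
}
```

Re-run the same script after step 6: FirmwareType should read UEFI and SecureBootOn should be True, which is the quickest way to confirm the conversion actually took effect.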


Part 1 of 2 - Configuring Windows for UEFI Secure Boot on an HP laptop


Part 2 of 2 - Configuring Windows for UEFI Secure Boot on an HP laptop

Note:
Notice how, after UEFI native mode is enabled, the Windows logo doesn't show up at startup anymore. Maybe yours does, but most manufacturers have it set up to keep the manufacturer's logo displayed while Windows boots.

Notice that with Secure Boot enabled the advanced startup and troubleshoot options are very limited.


Secure Boot Precaution
Some hardware isn’t compatible with Secure Boot and will result in a failed system startup, with your PC acting like some hardware just died. It’s brutal. I’ve had the problem with a video card (nVidia Quadro 600). If your system doesn’t start up, you will need to remove the hardware and restart to even get into the BIOS to deselect Secure Boot. You won’t have to disable UEFI boot mode, just Secure Boot. On the bright side, in a few years everything will be Secure Boot compliant, so we’re not too far off from trusted boot as the norm.


Secure Boot failure with nVidia Quadro 600 video card on an HP Z220 workstation