What Is Secure Boot And How To Disable It

Key Points

  • Secure Boot is a computer security feature that prevents malicious pieces of code from executing on the device by verifying the software’s digital signature.
  • To disable Secure Boot, boot into the UEFI settings, look for Secure Boot or Security settings, and disable Secure Boot.

Secure Boot is a feature most modern computers have and is supported by both Windows and Linux operating systems. It was developed in collaboration between computer and OS manufacturers, and designed to keep the systems secure, especially during the boot-up process.

If you have installed Windows 11 on a computer, you will know that Secure Boot is one of the key requirements, alongside TPM 2.0. Without these, the computer will not meet the minimum requirements to install Windows 11.

However, there may be instances when you might need to disable Secure Boot, even if it is present for your own safety. For example, Secure Boot needs to be disabled when you want to enable the Windows “Test Mode.”

Before showing you how to disable Secure Boot, let me tell you what it is and how it works.

What is Secure Boot and what does it do?

Secure Boot is a security feature in computers that prevents malware and malicious code from running on your computer. It performs its checks during the boot-up process, before the operating system is loaded.

When a computer starts, it needs to load the firmware before it can load the OS. During this time, an attacker's malicious code can be loaded and executed, and the system will fail to block it. Secure Boot prevents this from happening by only allowing software that has been permitted to load.

Secure Boot checks the digital signatures of the software and only allows the legitimate ones to be executed. Unsigned or unauthorized software will not be allowed to run on the system.

To sum up, Secure Boot is a method used to verify whether software or a piece of code is from a legitimate source or an unknown source. If it is from an unknown source, it will not be authorized to be executed on the system.

How Secure Boot works

The Windows Security antivirus is already present inside the Windows OS to block potential threats, so what is Secure Boot needed for, and why is it mandatory for Windows 11?

With Windows 11, Microsoft toughened the security requirements by making Secure Boot mandatory. This made the system more secure, as a whole.

As for why Secure Boot is needed: it is a security feature that works before the OS is loaded. If the operating system is not loaded, the applications inside it, including Windows Security, are useless in protecting the computer from outside threats.

Secure Boot makes sure that no unauthorized program is loaded, even before the OS or the firmware is loaded on the system. This is ensured by confirming the cryptographic digital signatures of the software.

First, the firmware manufacturer must generate a secure signature to embed with their software. This is achieved using a Hardware Security Module (HSM), and a private-public key pair is generated.

Next, the firmware and the private key are sent to the HSM to generate a signature using the Elliptic Curve Digital Signature Algorithm (ECDSA) operation. This new signature is then embedded with the firmware, and used by the system to verify its authenticity.

Digital signature is generated

Now, on the computer, the firmware, the public key, and the signature are delivered to the system, which contains a similar ECDSA verifier. It then uses the public key to verify whether the signature is authentic or not. If the signature matches, then the software is allowed to be executed.

Digital signature is verified
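
The sign-then-verify flow described above, as an added PowerShell example that is not part of the original article. The firmware bytes and variable names are constructed, and the key pair is generated in software with .NET's ECDsa class rather than in an HSM (requires PowerShell 7, or Windows PowerShell 5.1 with .NET Framework 4.7 or later).

```powershell
# Added example: constructed "firmware" bytes, software-generated keys (no HSM).
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$curve  = [System.Security.Cryptography.ECCurve+NamedCurves]::nistP256

# Manufacturer side: generate the key pair and sign the firmware image.
$vendorKey = [System.Security.Cryptography.ECDsa]::Create($curve)
[byte[]]$firmware = [System.Text.Encoding]::ASCII.GetBytes('CONSTRUCTED-FIRMWARE-IMAGE v1.0')
[byte[]]$signature = $vendorKey.SignData($firmware, $sha256)

# Device side: the verifier is built from the public half only.
$publicOnly = $vendorKey.ExportParameters($false)   # $false = omit the private key
$verifier   = [System.Security.Cryptography.ECDsa]::Create($publicOnly)

function Test-Image([byte[]]$Image, [byte[]]$Sig, $Key) {
    # True only if $Sig was made over exactly these bytes by the matching private key.
    return $Key.VerifyData($Image, $Sig, $sha256)
}

# Case 1: the untouched image with its own signature.
$genuine = Test-Image $firmware $signature $verifier

# Case 2: the same signature, but one byte of the image has been changed.
[byte[]]$tampered = $firmware.Clone()
$tampered[0] = $tampered[0] -bxor 0xFF
$modified = Test-Image $tampered $signature $verifier

# Case 3: the untouched image, signed with a key the device does not trust.
$otherKey = [System.Security.Cryptography.ECDsa]::Create($curve)
[byte[]]$otherSig = $otherKey.SignData($firmware, $sha256)
$foreign = Test-Image $firmware $otherSig $verifier

[pscustomobject]@{
    GenuineImageAccepted  = $genuine    # True
    ModifiedImageAccepted = $modified   # False
    ForeignKeyAccepted    = $foreign    # False
}
```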

How to disable Secure Boot

Now that you understand what Secure Boot is and what it does, you may need to disable it to modify certain system settings. When using the Windows command line, you may encounter the following error:

The value is protected by Secure Boot policy and cannot be modified or deleted

In this case, you can disable Secure Boot and perform your task. Here are the steps to do it:

  1. Press the Windows Key + i to open the Settings app.

  2. Go to System.

  3. Click Recovery.

    Open Recovery settings
  4. Click “Restart now” next to “Advanced startup.”

    Restart the computer for advanced startup
  5. On the confirmation popup, click “Restart now” again.

    Confirm restart for advanced startup

    The computer will now restart and boot into the Windows Recovery Environment (WinRE).

  6. Click Troubleshoot.

    Click Advanced options
  7. Then click “Advanced options.”

    Click Advanced options
  8. Click “UEFI Firmware Settings.”

    Enter UEFI firmware settings
  9. Now click Restart.

    Restart computer

    The computer will now reboot again.

  10. Now go to the “Secure Boot” settings.

    Note: Your Secure Boot settings might be under a different section, such as Security or Boot settings.

  11. Uncheck the Secure Boot option.

    You might have slightly different settings, like a radio button or a drop-down menu to disable it.

    Enable Secure Boot from BIOS
  12. Confirm the action.

    Confirm enablement of Secure Boot

After performing the steps above, the computer will reboot normally and Secure Boot will be disabled.

How to check Secure Boot status

If you are not sure whether or not Secure Boot is enabled or even available on your system, use these steps:

  1. Press the Windows Key + R to open the Run Command box.

  2. Type in “msinfo32” and press Enter to open the System Summary window.

  3. Here, check the information next to “Secure Boot State.”

    Check Secure Boot state from System Information

If Secure Boot is enabled, you will see “On.” However, if it is not enabled, then you will see “Off.” Note that seeing “Off” does not indicate that Secure Boot isn’t available – maybe it is available and simply disabled from the BIOS settings.

In this case, you must verify whether Secure Boot is available directly from the UEFI settings.
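
The same state can be read from PowerShell, shown here as an added example that is not part of the original article. `Get-SecureBootStatus` is a hypothetical helper name; `Confirm-SecureBootUEFI` is the built-in Windows cmdlet, which needs an elevated session and raises an error on systems that do not boot in UEFI mode or do not support Secure Boot.

```powershell
function Get-SecureBootStatus {
    # Hypothetical helper (added example). Best run from an elevated PowerShell session.
    try {
        # Returns $true when Secure Boot is enabled, and $false when the firmware
        # supports Secure Boot but it is currently disabled.
        if (Confirm-SecureBootUEFI -ErrorAction Stop) {
            return 'On'
        }
        return 'Off (supported by the firmware, currently disabled)'
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS/CSM boot, or firmware without Secure Boot support.
        return 'Unsupported on this platform'
    }
    catch [System.UnauthorizedAccessException] {
        # Not elevated: fall back to the state Windows records in the registry.
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
        $state = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $state) {
            return 'Unknown (re-run as administrator)'
        }
        if ($state.UEFISecureBootEnabled -eq 1) {
            return 'On'
        }
        return 'Off'
    }
}

Get-SecureBootStatus
```

Running it again after re-enabling Secure Boot in the UEFI settings confirms that the change took effect.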

Is it safe to disable Secure Boot?

By now you must know what Secure Boot is and what its purpose is. It is meant to keep your computer secure in case of breaches and pre-boot malware attempts. Hence, it can be concluded that Secure Boot keeps your system safe right off the bat.

That said, disabling Secure Boot does not harm your PC directly. However, indirectly, it leaves your PC vulnerable to threats and significantly reduces the security defenses.

It is advised to leave Secure Boot enabled. However, if you must disable it, I recommend re-enabling it as soon as you are done with your tasks.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).