Print | Rate this content

HP PCs - Secure Boot (Windows 8)

This document pertains to HP and Compaq PCs with Windows 8 and Secure Boot.

Secure Boot Configuration is a new feature of the Unified Extensible Firmware Interface (UEFI) in BIOS 8 that helps a computer resist attacks and infection from malware. When your computer was manufactured, UEFI created a list of keys that identify trusted hardware, firmware, and operating system loader code. It also created a list of keys to identify known malware.

When Secure Boot is enabled, the computer blocks potential threats before they can attack or infect the computer. For example, Secure Boot can prevent your computer from starting from illegally copied CDs or DVDs that could harm the computer. Secure Boot does not lock out valid recovery discs or Windows discs.

You may have to disable Secure Boot in order to use hardware (such as older video cards) that Secure Boot does not recognize, or to boot from a CD or DVD that is not recognized. If Secure Boot does not recognize hardware, Windows does not use the hardware when it boots up, and you may experience problems starting the computer. If Secure Boot does not recognize a video card, the computer may have a blank display. For more information, see the Troubleshooting section.

System requirements for using Secure Boot

All HP and Compaq computers that were manufactured with Windows 8 can use Secure Boot. Secure Boot is enabled by default on these computers. If you upgrade a computer manufactured with Windows 7 or earlier to Windows 8, you can use Secure Boot only if and AMI BIOS version 8 that is compatible with UEFI (Unified Extensible Firmware Interface) is available for the computer.

NOTE: HP and Compaq Notebook PCs that were manufactured with Windows 7 or earlier may have an available BIOS update that allows the use of Secure Boot. For more information, see Updating the BIOS .
NOTE: HP and Compaq Desktop PCs that were manufactured with Windows 7 or earlier do not have a BIOS version that allows the use of Secure Boot and one will not be made available for these computers.

Using Secure Boot on a NOTEBOOK computer

Most HP notebook computers use the Insyde BIOS. Use the instructions in this section to enable or disable Secure Boot on your notebook computer.

Enabling Secure Boot

Secure Boot is enabled by default on computers that were manufactured with Windows 8. If Secure Boot has been disabled or if you are enabling a Notebook PC that was upgraded to Windows 8, follow these steps to enable it:

  1. Turn off the computer.

  2. Immediately press the Escape key repeatedly, about once every second, until the Startup Menu opens.

    Figure 1: Startup Menu

    Illustration: Startup Menu
  3. Use the right arrow key to choose the System Configuration menu, use the down arrow key to select Boot Options , then press Enter .

    Figure 2: System Configuration menu with Boot Options selected

    System Configuration menu with Boot Options selected
  4. Use the down arrow key to select Secure Boot , press the Enter key, then use the down arrow key to modify the setting to Enabled .

    Figure 3: Secure Boot: Enabled

    Secure Boot sected and Enabled
  5. Press Enter to save the change.

  6. Use the left arrow key to select the File menu, use the down arrow key to select Save Changes and Exit , then press Enter to select Yes .

  7. The Computer Setup Utility closes and the computer restarts.

Disabling Secure Boot

You may want to disable Secure Boot in order to install new hardware or boot from a CD or DVD. Follow these steps to disable Secure Boot:

  1. Turn off the computer.

  2. Immediately press the Escape key repeatedly, about once every second, until the Startup Menu opens.

    Figure 4: Startup Menu

    Illustration: Startup Menu
  3. Use the right arrow key to choose the System Configuration menu, use the down arrow key to select Boot Options , then press Enter .

    Figure 5: System Configuration menu

    System Configuration menu with Boot Options selected
  4. Use the down arrow key to select Secure Boot , press the Enter key, then use the down arrow key to modify the setting to Disabled .

    Figure 6: Secure Boot: Disabled

    Select Disabled
  5. Press Enter to save the change.

  6. Use the left arrow key to select the File menu, use the down arrow key to select Save Changes and Exit , then press Enter to select Yes .

  7. The Computer Setup Utility closes and the computer restarts. When the computer has restarted, the Operating System Boot Mode Change screen appears, prompting you to confirm the Boot Options change. Type the code shown on the screen, then press Enter to confirm the change and continue to Windows.

top

Using Secure Boot on a DESKTOP computer

The BIOS on a desktop computer is different from the BIOS on a notebook computer. Use the instructions in this section to enable or disable Secure Boot on your desktop computer.

Enabling Secure Boot

Secure Boot is enabled by default on computers that were manufactured with Windows 8. If Secure Boot has been disabled, follow these steps to enable it:

  1. Turn off the computer.

  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.

  3. Use the left and right arrow keys to select the Security menu.

    Figure 7: Security menu

    Image of Security menu
  4. Use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .

  5. The Secure Boot Configuration warning displays. Press F10 to continue.

    Figure 8: Secure Boot Configuration

    Image of Secure Boot Configuration warning screen
  6. Use the left and right arrow keys to disable Legacy Support if it is enabled.

    Figure 9: Secure Boot Configuration

    Image of Secure Boot Configuration
  7. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to enable it.

  8. Press F10 to accept the changes.

  9. Press F10 again, then press Enter twice to restart the computer with Secure Boot enabled.

    Figure 10: Save Changes and Exit

    Image of File Menu

Disabling Secure Boot

You may want to disable Secure Boot in order to install new hardware or boot from a CD or DVD. Follow these steps to disable Secure Boot:

  1. Turn off the computer.

  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.

  3. Use the left and right arrow keys to select the Security menu, then use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .

    Figure 11: Security menu

    Image of Security menu
  4. The Secure Boot Configuration warning displays. Press F10 to continue.

    Figure 12: Secure Boot Configuration

    Image of Secure Boot Configuration warning screen
  5. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to change the setting to Disable .

    Figure 13: Secure Boot Configuration

    Image of Secure Boot Configuration
  6. Use the up and down arrow keys to select Legacy Support , then use the left and right arrow keys to change the setting to Enable .

  7. Press F10 to accept the changes.

  8. Press F10 again, then press Enter twice to restart the computer.

    Figure 14: Save Changes and Exit

    Image of File Menu
  9. As soon as the computer starts, a message appears indicating that the boot mode has changed.

    Figure 15: Boot mode change message

    Boot mode change message
  10. Type the four-digit code shown in the message, then press Enter to confirm the change.

    NOTE: No text field displays for the code. This is expected behavior. When you type the numbers, the code is logged without a text field.

    The computer starts Windows 8.

top

Frequently Asked Questions about Secure Boot

Click each question to find the answer to a frequently asked question about Secure Boot.

How does Secure Boot help protect my computer?

Secure Boot Configuration is a new feature of the Unified Extensible Firmware Interface (UEFI) in BIOS 8 that helps a computer resist attacks and infection from malware. When your computer was manufactured, UEFI created a list of keys that identify trusted hardware, firmware, and operating system loader code. It also created a list of keys to identify known malware. When Secure Boot is enabled, the computer blocks potential threats before they can attack or infect the computer. Any malware or other firmware code that is not recognized is blocked. For example, Secure Boot can prevent your computer from starting from illegally copied CDs or DVDs that could harm the computer. Secure Boot does not lock out valid recovery discs or Windows discs.

Is my computer at risk if I disable Secure Boot?

When Secure Boot is disabled, the computer is at greater risk from "Root Kit" infections that inject themselves before the Windows boot process. Anti-virus or Security software typically does not protect against these types of threats.

My computer did not come with Windows 8. Can I still use Secure Boot?

Secure Boot may be available for your computer if you install Windows 8.

If you have an HP or Compaq Desktop computer that was manufactured with Windows 7 or earlier, the correct BIOS version to use Secure Boot is not available. You will not be able to use Secure Boot.

If you have an HP or Compaq Notebook computer that was manufactured with Windows 7 or earlier, a BIOS update that allows the use of Secure Boot may be available. For more information, see Updating the BIOS . After you have updated to a BIOS version that supports Secure Boot, go to Enabling Secure Boot .

top

Troubleshooting problems with Secure Boot

The following sections provide information for resolving issues with Secure Boot. Click each issue to see its solution.

Secure Boot message appears after updating to Windows 8.1

After updating to Windows 8.1 a message, called a watermark, persistently appears in a corner of the screen:

Windows 8.1 Pro

Secure Boot Isn't Configured Correctly

Build 9600

NOTE: The message does not cause system issues nor does it indicate your computer is functioning improperly. You can continue using your computer normally.

This message is shown because Windows detects Secure Boot functionality on the system, but also detects it is not enabled. Windows 8 uses Secure Boot to authenticate a valid loading of the Windows for security purposes.

For many PCs, resetting the BIOS back to defaults can remove this message. Use the following steps to reset the BIOS to default settings:

  1. At the Start screen, press the Windows key + I key.

  2. While holding down the SHIFT key on your keyboard, click Power , and select Shut down .

  3. Wait 5 seconds for the computer to fully shut down.

  4. Press the power button on your computer to turn it on.

  5. Immediately press the F10 key repeatedly, about once every second, until the computer enters into a BIOS Setup utility.

  6. Once the computer opens into the Setup Utility, press the F11 key to restore defaults.

  7. Confirm your selection by responding to the window that opens.

  8. Press F10 and confirm to save settings and exit.

  9. Wait for Windows 8 to load and look to see if the message continues to appear over the screen:

    If the message no longer is shown, you are done.

    If the message persists, continue using these steps to enable Secure Boot.

  10. Restart the computer and immediately press the F10 key repeatedly, about once every second, until the computer enters into a BIOS Setup utility.

  11. Use the arrow and Enter keys to find and enable the Secure Boot setting. The Secure Boot setting can be found in Boot Options from the System Configuration menu (notebook PCs) or from the Security menu (desktop PCs).

    NOTE: If a Secure Boot setting cannot be found or cannot be changed, find the Legacy Mode and/or Fast Boot settings and make sure they are disabled. In the event a BIOS does not show the Secure Boot setting, and it cannot be changed by resetting BIOS to defaults, the BIOS is incompatible and should be updated if an update is available from HP's web site.
  12. Press F10 and confirm to save settings and exit.

The computer does not start or displays a blank screen after installing a new video card

If Secure Boot does not recognize a video that you install, you may experience problems starting the computer, or there might be no video output at all. First remove the new video card and restore the computer to its original configuration so that the computer display works. Then disable Secure Boot and enable Legacy Boot. Once Legacy Boot is enabled, you can install the new video card.

Step 1: Restore the computer to its original configuration

If your computer came with on-board video only and you installed a new video card, remove the video card.

If your computer came with a video card installed and you replaced the original card with a new card, remove the new card. Replace the original card in the computer.

Step 2: Disable Secure Boot and enable Legacy Boot

Follow these steps to disable Secure Boot and enable Legacy Boot:

  1. Turn off the computer.

  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.

  3. Use the left and right arrow keys to select the Security menu, then use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .

    Figure 16: Security menu

    Image of Security menu
  4. The Secure Boot Configuration warning displays. Press F10 to continue.

    Figure 17: Secure Boot Configuration

    Image of Secure Boot Configuration warning screen
  5. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to change the setting to Disable .

    Figure 18: Secure Boot Configuration

    Image of Secure Boot Configuration
  6. Use the up and down arrow keys to select Legacy Support , then use the left and right arrow keys to change the setting to Enable .

  7. Press F10 to accept the changes.

  8. Press F10 again, then press Enter twice to restart the computer.

    Figure 19: Save Changes and Exit

    Image of File Menu
  9. As soon as the computer starts, a message appears indicating that the boot mode has changed.

    Figure 20: Boot mode change message

    Boot mode change message
  10. Type the four-digit code shown in the message, then press Enter to confirm the change.

    NOTE: No text field displays for the code. This is expected behavior. When you type the numbers, the code is logged without a text field.

    The computer starts Windows 8.

Step 3: Install the new video card

Turn off the computer and install the desired video card in the computer. Make sure the card is compatible with the computer.

The computer displays a blue screen or BIOS error message after installing new hardware

If Secure Boot does not recognize hardware that you install, you may experience problems starting the computer or see a blue screen or BIOS error message. You can remove the new hardware and replace it with the old hardware to boot into Windows normally, or you can disable Secure Boot and enable Legacy Boot. Follow these steps to disable Secure Boot and enable Legacy Boot:

  1. Turn off the computer.

  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.

    NOTE: If you cannot enter the Computer Setup Utility by pressing F10, remove the new hardware and restore the computer to its original configuration. Then repeat this step to enter the Computer Setup Utility.
  3. Use the left and right arrow keys to select the Security menu, then use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .

    Figure 21: Security menu

    Image of Security menu
  4. The Secure Boot Configuration warning displays. Press F10 to continue.

    Figure 22: Secure Boot Configuration

    Image of Secure Boot Configuration warning screen
  5. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to change the setting to Disable .

    Figure 23: Secure Boot Configuration

    Image of Secure Boot Configuration
  6. Use the up and down arrow keys to select Legacy Support , then use the left and right arrow keys to change the setting to Enable .

  7. Press F10 to accept the changes.

  8. Press F10 again, then press Enter twice to restart the computer.

    Figure 24: Save Changes and Exit

    Image of File Menu
  9. As soon as the computer starts, a message appears indicating that the boot mode has changed.

    Figure 25: Boot mode change message

    Boot mode change message
  10. Type the four-digit code shown in the message, then press Enter to confirm the change.

    NOTE: No text field displays for the code. This is expected behavior. When you type the numbers, the code is logged without a text field.

    The computer starts Windows 8.

  11. If you removed the new hardware, turn off the computer and install the hardware in the computer. Make sure the hardware is compatible with the computer.

    For more information, see the Microsoft support page: Windows 8 with Secure Boot enabled may no longer boot after installing new hardware Non-HP site (in English).

I cannot boot from a CD or DVD (such as an HP Recovery disc) when Secure Boot is enabled

HP computers that come with Windows 8 installed have Secure Boot enabled by default. Having Secure Boot enabled prevents legacy boot devices from starting your computer, including bootable CDs and DVDs.

To start your computer from a valid bootable disc, such as an HP recovery disc, disable Secure Boot and enable Legacy Support in the BIOS, and then use the Boot Menu to select the CD/DVD drive as the boot device.

Step 1: Disable Secure Boot and enable Legacy Boot

Follow these steps to disable Secure Boot and enable Legacy Boot:

  1. Turn off the computer.

  2. Turn on the computer and immediately press the F10 key repeatedly, about once every second, until the Computer Setup Utility opens.

  3. Use the left and right arrow keys to select the Security menu, then use the up and down arrow keys to select Secure Boot Configuration , and then press Enter .

    Figure 26: Security menu

    Image of Security menu
  4. The Secure Boot Configuration warning displays. Press F10 to continue.

    Figure 27: Secure Boot Configuration

    Image of Secure Boot Configuration warning screen
  5. Use the up and down arrow keys to select Secure Boot , then use the left and right arrow keys to change the setting to Disable .

    Figure 28: Secure Boot Configuration

    Image of Secure Boot Configuration
  6. Use the up and down arrow keys to select Legacy Support , then use the left and right arrow keys to change the setting to Enable .

  7. Press F10 to accept the changes.

  8. Press F10 again, then press Enter twice to restart the computer.

    Figure 29: Save Changes and Exit

    Image of File Menu
  9. When the computer has restarted, use the power button to turn the computer off.

Step 2: Select the CD/DVD drive as the boot device

Follow these steps to select the CD/DVD drive as the boot device in the Boot Menu.

  1. Press the power button to turn the computer on. As soon as the computer starts, a message appears indicating that the boot mode has changed.

    Figure 30: Boot mode change message

    Boot mode change message
  2. Type the four-digit code shown in the message, then press Enter to confirm the change.

    NOTE: No text field displays for the code. This is expected behavior. When you type the numbers, the code is logged without a text field.

    The computer starts Windows 8.

  3. Press the power button to turn off the computer, wait a few seconds, then turn on the computer and immediately press the Escape key repeatedly, about once every second, until the Startup menu opens.

  4. Press F9 to open the Boot Menu.

    Figure 31: Boot Menu

    Boot Menu
  5. Use the down arrow key to select the SATA device under the ATAPI CD/DVD drive heading, then press Enter to select the CD/DVD drive as the boot device.

    The computer starts Windows 8.

  6. Insert the bootable CD or DVD into the CD/DVD drive.

  7. Press the power button to turn the computer off and wait about 5 seconds.

  8. Press the power button again to turn the computer on.

    The computer starts from the CD or DVD.

top

Provide feedback

Please rate the information on this page to help us improve our content. Thank you!