New Windows PCs come with UEFI firmware and Secure Boot enabled. Secure Boot prevents operating systems from booting unless they’re signed by a key loaded into UEFI — out of the box, only Microsoft-signed software can boot.
Microsoft mandates that PC vendors allow users to disable Secure Boot, so you can disable Secure Boot or add your own custom key to get around this limitation.
How Secure Boot Works
PCs that come with Windows 10 or Windows 11 include UEFI firmware instead of the traditional BIOS. By default, the machine’s UEFI firmware will only run boot loaders signed by a key embedded in the UEFI firmware. This feature is known as “Secure Boot” or “Trusted Boot.” On traditional PCs without this security feature, a rootkit could install itself and become the boot loader. The computer’s BIOS would then load the rootkit at boot time, and the rootkit would in turn load Windows, hiding itself from the operating system and embedding itself at a deep level.
Secure Boot blocks this — the computer will only boot trusted software, so malicious boot loaders won’t be able to infect the system.
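To check whether the firmware is actually enforcing signatures, the state can be read from the UEFI variables. The following is an added example, not code from the original article: it assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars, and the function names and sample byte strings are constructed for illustration.

```python
import struct
from pathlib import Path

# Assumption: efivarfs is mounted at the usual Linux location.
EFIVARS = Path("/sys/firmware/efi/efivars")
# GUID of the EFI global variable namespace (holds SecureBoot and SetupMode).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_flag(raw):
    """Decode one efivarfs entry: 4-byte little-endian attributes + 1-byte value."""
    if len(raw) < 4:
        raise ValueError("entry shorter than the 4-byte attribute header")
    struct.unpack_from("<I", raw)  # attributes are validated but not needed here
    data = raw[4:]
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError("expected a single 0/1 byte, got %r" % data)
    return data[0] == 1


def secure_boot_state(secure_boot_raw, setup_mode_raw):
    """Classify the platform from the raw SecureBoot and SetupMode variables."""
    if secure_boot_raw is None:
        # Legacy BIOS boot, or firmware without Secure Boot support.
        return "unsupported"
    enabled = parse_flag(secure_boot_raw)
    in_setup = setup_mode_raw is not None and parse_flag(setup_mode_raw)
    if in_setup:
        # No platform key enrolled: firmware does not enforce signatures.
        return "setup-mode"
    return "enforcing" if enabled else "disabled"


def read_var(name, root=EFIVARS):
    """Return the raw bytes of a global UEFI variable, or None if absent."""
    try:
        return (root / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except FileNotFoundError:
        return None


# Constructed sample entries (attributes 0x06 = boot-service + runtime access).
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print(secure_boot_state(read_var("SecureBoot"), read_var("SetupMode")))
```

Only the "enforcing" result means unsigned boot loaders will be rejected; "disabled" and "setup-mode" both leave the boot path open to replacement.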