How Windows 10 Uses UEFI - dummies

By Woody Leonhard

Windows 10 will pull the industry kicking and screaming out of the BIOS generation and into a far more capable — and controversial — alternative, Unified Extensible Firmware Interface (UEFI). A UEFI Secure Boot option in Windows 10 validates programs before allowing them to run. If Secure Boot is turned on, operating system loaders have to be “signed” using a digital certificate.

Although UEFI machines in the time of Windows 7 were unusual, starting with Windows 8, every new machine with a “Runs Windows 8” sticker is required to run UEFI; it’s part of the licensing requirement. Windows 10 continues the same requirement. ’Tis a brave new world.

If you want to dual boot between Windows 10 and Linux, the Linux program must have a digital certificate — something Linux programs have never required before.

After UEFI validates the digital key, UEFI calls on Windows Defender to verify the certificate for the OS loader. Windows Defender (or another security program) can go out to the Internet and check to see whether UEFI is about to run an OS that has had its certificate yanked.

So, in essence, in a dual boot system, Windows Defender decides whether an operating system gets loaded on your Secure Boot-enabled machine.

That curls the toes of many Linux fans. Why should their operating systems be subject to Microsoft’s rules, if you want to dual boot between Windows 10 and Linux?

If you have a PC with UEFI and Secure Boot and you want to boot an operating system that doesn’t have a Microsoft-approved digital signature, you have two options:

  • You can turn off Secure Boot.

  • You can manually add a key to the UEFI validation routine, specifically allowing that unsigned operating system to load.

Some PCs won’t let you turn off Secure Boot. So if you want to dual boot Windows 10 and some other operating system on a Windows 10-certified computer, you may have lots of hoops to jump through. Check with your hardware manufacturer.
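Before choosing either option, it helps to know whether Secure Boot is actually on and what the firmware already trusts. The Python below is an added example, not part of the original article, and goes beyond the text: it decodes the UEFI `SecureBoot` variable and walks the firmware's allow list (`db`) in the `EFI_SIGNATURE_LIST` layout from the UEFI specification. The function names are hypothetical, and the sample bytes, owner GUID and digest are constructed.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "x509", SHA256: "sha256"}

def secure_boot_enabled(efivar: bytes) -> bool:
    """Linux efivarfs layout: 4-byte attribute mask, then the 1-byte value."""
    if len(efivar) != 5:
        raise ValueError("unexpected SecureBoot variable length")
    return efivar[4] == 1

def parse_db(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs (attribute prefix already removed).
    Returns a list of (type, owner GUID, payload) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated signature list header")
        type_guid = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if list_size < 28 + hdr_size or end > len(data) or sig_size <= 16:
            raise ValueError("malformed signature list")
        if (end - body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            payload = data[pos + 16:pos + sig_size]  # certificate or hash bytes
            entries.append((SIG_TYPES.get(type_guid, str(type_guid)), owner, payload))
        off = end
    return entries

def loader_allowed_by_hash(digest: bytes, entries) -> bool:
    """db hash entries hold the Authenticode digest of the PE image, not a file hash."""
    return any(kind == "sha256" and payload == digest for kind, _, payload in entries)

# Constructed sample data (not read from real firmware).
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
DIGEST = hashlib.sha256(b"constructed loader").digest()     # stand-in digest
SAMPLE_DB = (SHA256.bytes_le + struct.pack("<III", 28 + 48, 0, 48)
             + OWNER.bytes_le + DIGEST)
SAMPLE_SECUREBOOT = struct.pack("<I", 0x6) + b"\x01"

if __name__ == "__main__":
    print("Secure Boot enabled:", secure_boot_enabled(SAMPLE_SECUREBOOT))
    for kind, owner, payload in parse_db(SAMPLE_DB):
        print(kind, owner, payload.hex()[:16] + "...")
```

On a Linux system booted in UEFI mode, the real inputs are the files `SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` and `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` under `/sys/firmware/efi/efivars/`; drop the first four bytes of the `db` file before passing it to `parse_db`.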