4353_Figure-3---Secured-boot-path-with-UEFI_7BBA93DAWhat is Secure Boot?
Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted. This is a technology to prevent Rootkits. Windows 8 and above supports Secure Boot as does Windows Server 2012 and above.

How does it work? (High Level)
When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system.

How do I tell if it is working?
Just because you have new hardware that has a UEFI BIOS and you are running a version of Windows that supports Secure Boot doesn’t mean that you are running it. It is a bit more complicated than that.

1 Open a PowerShell Command Prompt and run as Administrator image
2 Run command:
Confirm-SecureBootUEFI
image

Possible Cmdlet Returns:

True – All good! Your PC supports Secure Boot and Secure Boot is enabled
False – PC supports Secure Boot but Secure Boot is disabled (you may have a watermark on your desktop warning you of this)
Cmdlet not supported on this platform – This PC does not support Secure Boot or is setup in a Compatibility Support Module (CSM) Legacy BIOS mode.

 

For a good overview on what Secure Boot is see Steven Sinofsky’s old blog post:
Protecting the pre-OS environment with UEFI
http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

For information on installing Windows to Support Secure boot see my previous post:
Installing Windows 8.1 from a USB Stick under a UEFI BIOS and Secure Boot
http://mythoughtsonit.com/2014/05/installing-windows-8-1-from-usb-to-a-uefi-secure-boot-machine/