Can I disable and then re-enable secure boot?
September 28, 2018 2:47 PM   Subscribe

I want to be able to boot my computer from external USB drives and such. I believe secure boot is preventing me from doing this. Is this true? There's a Microsoft page that suggests that if I disable secure boot, "it may be difficult to re-activate Secure Boot without restoring your PC to the factory state". Is this true? I can't find any other similar statement on the web.

I have an HP ENVY All-in-One - 27-b119. There are dire warnings when I go into the BIOS option to disable secure boot. Scary. With previous computers, I have sometimes found it useful to be able to boot from an external drive with a repair disc. I can't do that with this one. (Don't need to yet, but . . . ).
I would like to disable SB, try out a few things, and then re-enable it. Possible? Advisable? Perhaps I should just wait until I need to do the external boot?
What about (horrors!) disabling it permanently? From what I read, no one really feels it's horribly unsafe.
posted by feelinggood to Computers & Internet (3 answers total) 1 user marked this as a favorite
Best answer: BIOS will boot from anything. But there is a certain risk to booting from general sources: malware might replace your boot loader, and then you're hosed. Secure Boot prevents this by only booting from devices signed by Microsoft (or someone else who has paid Microsoft to let them sign their own devices). It is true that once you disable Secure Boot, you are running the risk of something damaging your boot loader, and perhaps even damaging the Secure Boot keys. Then it is certainly true that you would not be able to reactivate Secure Boot without restoring the PC to factory state. OTOH, the feature is designed to be turned off and turned back on again. Microsoft is warning you because they have something to lose, and nothing to gain, if you boot up some non-Microsoft source. But if you are prepared, by using other security mechanisms, to guarantee that your repair disk and disk firmware won't introduce problems, you'll probably be safe.

Though I have to say I don't think I'd do it until I needed to.
posted by ubiquity at 3:28 PM on September 28, 2018

Best answer: The only thing I can think would be a problem is that switching between Secure/UnSecure boot in the BIOS might reset the BIOS to factory state. You loose any BIOS changes you've made. Most people don't tweak the BIOS, but some people might have needed to. Other than that... It's just "do I check the block I booted from" to make sure that it's signed by a "key that I trust". It should just be a ON/OFF switch: boot anything, boot only trusted.
posted by zengargoyle at 3:32 PM on September 28, 2018

Though actually, usually... mose UEFI USB are not Secure/UnSecure -ly problematic. It's usually UEFI vs Legacy Boot.
If you haven't enabled Legacy Boot in your BIOS, you might try that as well.
posted by zengargoyle at 3:36 PM on September 28, 2018

« Older Am I an antisocial roommate?   |   Going from car owning to car leasing with a... Newer »
This thread is closed to new comments.