Maybe this will be helpful to some of you. I shuffled some parts around, and one of my goals was to get Secure Boot enabled on a system.
"Hmmm, the old mobo was Intel Z68, the new one's Z77."
So I transplanted the old Windows 8 drive to the new mobo, which is a Gigabyte with a beta BIOS that supports Secure Boot if you enable it. Then I started up Windows, it Discovered New Hardware™ and booted. And naturally I had to talk to the excessively-cheerful Microsoft Activation Robot
Next, I ran the built-in Windows PowerShell as an Administrator and ran the command help secureboot
, since I never remember the syntax for the command that verifies SecureBoot is working. Well there it is: Confirm-SecureBootUEFI
What you want it to say, is simply TRUE
. In my case, I got a bunch of red text that boiled down to DUDE, YOU'RE DOING IT WRONG.
So I was all but the previous boot drive on this mobo was SecureBooting fine, so what's different?
And the answer is that this instance of Win8 was originally installed with a non-UEFI, non-SecureBootable motherboard.
The solution: reinstall Windows 8. I also made sure the boot options were "UEFI only" in case there was a way for it to fall back on a "legacy" option.
Why would you want Secure Boot? Basically, it prevents bootkits (the infamous TDL aka TDSS family, for example), which get between the hardware and the OS and can effectively rootkit the OS from the outside, and then it's Welcome to The Matrix. The BIOS itself will refuse to boot the system from code that's not whitelisted with the appropriate digital signature. There are downsides, like not being able to boot just any OS, so it may not be for everyone. But it's under your control via a BIOS setting, so hey.
If you're interested in using SecureBoot then you may also be interested in knowing that Intel's Ivy Bridge-core processors all have a new security enhancement that's similar to Data Execution Prevention. It prevents the OS kernel from executing stuff in user memory, which thwarts some types of privilege-escalation exploits. Win8 supports this feature (SMEP) and I believe Linux has begun supporting it as well. So if you're considering a new Intel box, you probably want Ivy Bridge or later.