Technical white paper UEFI Secure Boot on HP business notebooks, desktops, and workstations

Boot order for desktops and workstations

On desktops and workstations, the Boot Order menu displays all of the available boot sources in a categorized hierarchy. Each available boot source is presented (as shown in Figure 11 below) under one of two primary categories: UEFI Boot Sources or Legacy Boot Sources. Additionally, the Legacy Boot Sources category has a “Hard Drive” sub-category that lists the connection point for each physically attached, hard-drive-like device. The user may move an entry up or down within any category or sub-category by positioning the cursor next to the desired entry, pressing the ENTER key to select it, using the up and down arrow keys to reposition the selected entry, and pressing the ENTER key again to accept the new order. The user may also disable any device or category heading in the boot order by using the up and down cursor keys to select the desired entry and pressing the F5 key to toggle the entry’s state. When disabled, boot order entries are shown in grey, and the text “ : Disabled” is appended to the entry’s descriptive string.

The content of the Boot Order menu can be affected by several other F10 settings.

Legacy Support is automatically disabled when Secure Boot is enabled.

When Legacy Support is disabled in the Secure Boot Configuration Menu, the Legacy Boot Sources category in the Boot Order menu is automatically disabled. Similarly, the Legacy Boot Sources category is automatically enabled when Legacy Support is changed from disabled to enabled.

The Option ROM Launch Policy menu allows the user to control whether only legacy option ROMs, only UEFI option ROMs, or no option ROMs are launched for the video, mass storage, and network controllers detected in the system. The option ROM launch policy for a given controller dictates whether its associated boot sources are shown in the Boot Order menu under UEFI Boot Sources, under Legacy Boot Sources, or in neither category. Note that all “Legacy-only” option ROM launch policies are automatically switched to “UEFI-only” when Legacy Support is disabled. Likewise, all “UEFI-only” option ROM launch policies are automatically switched to “Legacy-only” when Legacy Support is enabled.

Figure 11. F10 Boot Order when Legacy Support is enabled and disabled (desktops and workstations)

F10 Boot Order when Secure Boot is disabled, Legacy Support is enabled, and all option ROM launch policies are “Legacy-only”. In this example, the SATA0 hard drive legacy boot source has been disabled using the F5 key.

UEFI Boot Sources
    USB Floppy/CD
    USB Hard Drive
    Windows Boot Manager
Legacy Boot Sources
    USB Floppy/CD
    Hard Drive
        USB Hard Drive
        SATA0 : Disabled
        SATA2
    Network Controller

F10 Boot Order when Legacy Support is disabled and all option ROM launch policies are “UEFI-only”. In this example, all legacy boot sources have been disabled because Legacy Support is disabled. Also, the IP4 and IP6 UEFI boot sources have replaced the Network Controller legacy boot source because the PXE option ROM launch policy has been forced to change from “Legacy-only” to “UEFI-only”.

UEFI Boot Sources
    USB Floppy/CD
    USB Hard Drive
    Windows Boot Manager
    IP4 Intel® Ethernet Connection I217-LM
    IP6 Intel® Ethernet Connection I217-LM
Legacy Boot Sources : Disabled

Windows Vista, Windows 7, and some Linux systems don’t support UEFI Secure Boot. For these systems, enable Legacy Support and disable Secure Boot. With Secure Boot disabled and Legacy Support enabled, note that both UEFI and legacy boot sources are available for boot. This configuration allows for the most flexibility in booting from various devices, but at the cost of not having Secure Boot.

The BIOS bases the boot sequence on the boot order list: if the first device in the list is not bootable, the BIOS tries the next one. The user can permanently change the boot order through the F10 Boot Order menu. For a one-time boot order change, the user can use the Windows 8 interface to set Next Boot to a particular device; this takes effect only at the next boot.
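The following is an added illustration, not HP firmware code and not part of this white paper: a small Python model of the Boot Order rules stated above (Secure Boot forces Legacy Support off; toggling Legacy Support enables or disables the Legacy Boot Sources category and flips option ROM launch policies between “Legacy-only” and “UEFI-only”; the BIOS tries the first enabled, bootable entry in order). Device names are taken from Figure 11 (trademark symbol omitted); the set of devices treated as bootable, the controller-class names in the policy table, and all function names are constructed assumptions. It reproduces both Figure 11 panels and shows that, once Secure Boot is enabled, legacy-only devices drop out of the boot sequence entirely.

```python
"""Constructed model of the F10 Boot Order rules described in the HP white paper.

Added illustration only; not HP firmware code. It encodes the stated rules and
reproduces the two Figure 11 panels. Which devices are bootable is a made-up input.
"""
from dataclasses import dataclass, field

LEGACY_ONLY, UEFI_ONLY, NO_ROM = "Legacy-only", "UEFI-only", "None"
UEFI, LEGACY, HD = "UEFI Boot Sources", "Legacy Boot Sources", "Hard Drive"

# Sources that do not depend on an option ROM (names as listed in Figure 11)
BUILTIN_UEFI = ["USB Floppy/CD", "USB Hard Drive", "Windows Boot Manager"]
BUILTIN_LEGACY = ["USB Floppy/CD"]
LEGACY_HARD_DRIVES = ["USB Hard Drive", "SATA0", "SATA2"]   # Hard Drive sub-category
# Network controller sources; which set appears follows the PXE option ROM policy
NETWORK_UEFI = ["IP4 Intel Ethernet Connection I217-LM", "IP6 Intel Ethernet Connection I217-LM"]
NETWORK_LEGACY = ["Network Controller"]


@dataclass
class Settings:
    secure_boot: bool = False
    legacy_support: bool = True
    rom_policy: dict = field(default_factory=dict)   # controller class -> launch policy (assumed keys)

    def set_legacy_support(self, enabled: bool) -> None:
        """Toggle Legacy Support and apply the automatic policy switch the paper describes."""
        old, new = (UEFI_ONLY, LEGACY_ONLY) if enabled else (LEGACY_ONLY, UEFI_ONLY)
        self.rom_policy = {c: (new if p == old else p) for c, p in self.rom_policy.items()}
        self.legacy_support = enabled

    def set_secure_boot(self, enabled: bool) -> None:
        """Enabling Secure Boot automatically disables Legacy Support."""
        self.secure_boot = enabled
        if enabled:
            self.set_legacy_support(False)


def menu_paths(s: Settings) -> list:
    """Ordered entry paths (category..., name) as the Boot Order menu lists them."""
    net = s.rom_policy.get("network", NO_ROM)
    paths = [(UEFI, n) for n in BUILTIN_UEFI]
    if net == UEFI_ONLY:
        paths += [(UEFI, n) for n in NETWORK_UEFI]
    paths += [(LEGACY, n) for n in BUILTIN_LEGACY]
    paths += [(LEGACY, HD, n) for n in LEGACY_HARD_DRIVES]
    if net == LEGACY_ONLY:
        paths += [(LEGACY, n) for n in NETWORK_LEGACY]
    return paths


def is_disabled(s: Settings, path: tuple, user_disabled: frozenset) -> bool:
    """Disabled if the node or any ancestor was disabled with F5, or if it sits under
    Legacy Boot Sources while Legacy Support is off."""
    if path[0] == LEGACY and not s.legacy_support:
        return True
    return any(path[:i] in user_disabled for i in range(1, len(path) + 1))


def render(s: Settings, user_disabled: frozenset = frozenset()) -> list:
    """Render the menu text; ' : Disabled' is appended to the node that was itself disabled."""
    lines, shown = [], set()
    for path in menu_paths(s):
        for depth in range(len(path)):
            node = path[:depth + 1]
            if node in shown:
                continue
            shown.add(node)
            own_off = node in user_disabled or (node == (LEGACY,) and not s.legacy_support)
            lines.append("  " * depth + node[-1] + (" : Disabled" if own_off else ""))
    return lines


def boot_sequence(s: Settings, user_disabled: frozenset = frozenset()) -> list:
    """Entries the BIOS would try, in order: enabled entries in enabled categories."""
    return [p for p in menu_paths(s) if not is_disabled(s, p, user_disabled)]


def next_boot(s: Settings, bootable: set, user_disabled: frozenset = frozenset()):
    """First entry in the sequence whose device is bootable; None if nothing can boot."""
    for path in boot_sequence(s, user_disabled):
        if path[-1] in bootable:
            return path
    return None


def figure_11() -> dict:
    """Reproduce the two Figure 11 panels with a constructed set of bootable devices."""
    s = Settings(secure_boot=False, legacy_support=True,
                 rom_policy={"video": LEGACY_ONLY, "storage": LEGACY_ONLY, "network": LEGACY_ONLY})
    disabled = frozenset({(LEGACY, HD, "SATA0")})   # the SATA0 entry disabled with F5
    bootable = {"SATA2", "Network Controller"}      # constructed: only legacy devices can boot
    panel1, first1 = render(s, disabled), next_boot(s, bootable, disabled)
    s.set_secure_boot(True)                          # forces Legacy Support off, flips policies
    panel2, first2 = render(s, disabled), next_boot(s, bootable, disabled)
    return {"panel1": panel1, "panel2": panel2, "first1": first1, "first2": first2,
            "policies": dict(s.rom_policy)}


if __name__ == "__main__":
    result = figure_11()
    print("\n".join(result["panel1"]), "\n-> boots:", result["first1"], "\n")
    print("\n".join(result["panel2"]), "\n-> boots:", result["first2"])
```

The model treats a disabled category as hiding every entry beneath it from the boot sequence, which is why the second panel yields no bootable device at all for the constructed input: with Secure Boot on, a machine whose only bootable media is a legacy disk or legacy PXE simply does not boot, rather than silently falling back to a legacy path.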

16