Quick Links
New Windows PCs come with UEFI firmware and Secure Boot enabled. Secure Boot prevents operating systems from booting unless they're signed by a key loaded into UEFI -- out of the box, only Microsoft-signed software can boot.
Microsoft mandates that PC vendors allow users to disable Secure Boot, so you can disable Secure Boot or add your own custom key to get around this limitation.
How Secure Boot Works
PCs that come with Windows 10 or Windows 11 include UEFI firmware instead of the traditional BIOS. By default, the machine's UEFI firmware will only boot boot loaders signed by a key embedded in the UEFI firmware. This feature is known as "Secure Boot" or "Trusted Boot." On traditional PCs without this security feature, a rootkit could install itself and become the boot loader. The computer's BIOS would then load the rootkit at boot time, which would boot and load Windows, hiding itself from the operating system and embedding itself at a deep level.
Secure Boot blocks this -- the computer will only boot trusted software, so malicious boot loaders won't be able to infect the system.
On an Intel x86 PC (not ARM PCs), you have control over Secure Boot. You can choose to disable it or even add your own signing key. Organizations could use their own keys to ensure only approved Linux operating systems could boot, for example.
Options for Installing Linux
You have several options for installing Linux on a PC with Secure Boot:
- Choose a Linux Distribution That Supports Secure Boot: Modern versions of Ubuntu -- starting with Ubuntu 12.04.2 LTS and 12.10 -- will boot and install normally on most PCs with Secure Boot enabled. This is because Ubuntu's first-stage EFI boot loader is signed by Microsoft. However, a Ubuntu developer notes that Ubuntu's boot loader isn't signed with a key that's required by Microsoft's certification process, but simply a key Microsoft says is "recommended." This means that Ubuntu may not boot on all UEFI PCs. Users may have to disable Secure Boot to to use Ubuntu on some PCs.
- Disable Secure Boot: Secure Boot can be disabled, which will exchange its security benefits for the ability to have your PC boot anything, just as older PCs with the traditional BIOS do. This is also necessary if you want to install an older version of Windows that wasn't developed with Secure Boot in mind, such as Windows 7.
- Add a Signing Key to the UEFI Firmware: Some Linux distributions may sign their boot loaders with their own key, which you can add to your UEFI firmware. This doesn't seem to be a common at the moment.
You should check to see which process your Linux distribution of choice recommends. If you need to boot an older Linux distribution that doesn't provide any information about this, you'll just need to disable Secure Boot.
You should be able to install current versions of Ubuntu -- either the LTS release or the latest release -- without any trouble on most new PCs. See the last section for instructions on booting from a removable device.
How to Disable Secure Boot
You can control Secure Boot from your UEFI Firmware Settings screen. To access this screen, you'll need to access the boot options menu in Windows 10 or Windows 11. To do this, click the Power Button on the Start Menu and hold down the Shift key as you click Restart. In Windows 11 this will look slightly different, but it's the same operation.
Your computer will restart into the advanced boot options screen. Click the Troubleshoot option here.
Then you'll want to click on "Advanced options" on the next screen.
And now, finally, you are at the Advanced options screen, which seems like it could have shown up at the last screen, but whatever. Now you can click the UEFI Firmware Settings button here. (You may not see the UEFI Settings option on a few Windows PCs, even if they come with UEFI -- consult your manufacturer's documentation for information on getting to its UEFI settings screen in this case.)
You'll be taken to the UEFI Settings screen, where you can choose to disable Secure Boot or add your own key. This will look different on every computer, and probably won't be so blurry on your computer in real life.
Boot From Removable Media
You can boot from removable media by accessing the boot options menu in the same way -- hold Shift while you click the Restart option. Insert your boot device of choice, select Use a device, and select the device you want to boot from.
After booting from the removable device, you can install Linux as you normally would or just use the live environment from the removable device without installing it.
Bear in mind that Secure Boot is a useful security feature. You should leave it enabled unless you need to run operating systems that won't boot with Secure Boot enabled.
Linux Commands | ||
Files | tar·pv· cat·tac·chmod ·grep · diff· sed·ar· man·pushd·popd·fsck·testdisk·seq·fd·pandoc·cd·$PATH·awk·join·jq·fold·uniq·journalctl·tail·stat·ls·fstab·echo·less·chgrp·chown·rev·look·strings·type·rename·zip·unzip·mount·umount·install·fdisk·mkfs ·rm·rmdir ·rsync ·df ·gpg ·vi ·nano ·mkdir ·du ·ln ·patch ·convert ·rclone·shred·srm ·scp ·gzip·chattr ·cut ·find ·umask ·wc · tr | |
Processes | alias ·screen· top· nice·renice· progress·strace·systemd·tmux·chsh·history·at·batch·free·which·dmesg·chfn·usermod·ps· chroot·xargs·tty·pinky·lsof·vmstat·timeout·wall·yes·kill·sleep·sudo·su·time ·groupadd·usermod ·groups ·lshw ·shutdown·reboot·halt·poweroff ·passwd ·lscpu ·crontab ·date ·bg ·fg ·pidof ·nohup ·pmap | |
Networking | netstat·ping·traceroute·ip·ss·whois·fail2ban·bmon·dig·finger·nmap·ftp· curl· wget ·who·whoami·w ·iptables ·ssh-keygen · ufw ·arping ·firewalld |
RELATED: Best Linux Laptops for Developers and Enthusiasts
ncG1vNJzZmivp6x7qbvWraagnZWge6S7zGhocG1maX5wtM6wZK2nXZe8sMCMmqWdZZmjwLWty6VkpaGeqsVuu81mmGatlZu2brzCZq6irJhiwKav1KucZpqfpMFw