What is UEFI?
Unified Extensible Firmware Interface or UEFI, is essentially an interface to the hardware. Before the advent of UEFI, the BIOS was used to execute a boot loader, which in turn would load the operating system. In the case of UEFI, it is possible to boot the operating system directly without the use of a boot loader. One of the reasons why BIOS executed a boot loader was it was initially limited to 16-bits. Thus, it needed a boot loader to essentially provide a 16 to 32- or 64-bit boot strap to boot the operating system. Once the operating system is booted, it can access the hardware through UEFI or BIOS or directly.
UEFI is, however, very different from BIOS. Depending on who you ask, it is BIOS on steroids or a bloated BIOS full of extra features that are not needed. Regardless of the case, UEFI is here to stay, and it is highly likely that if you purchase a new computer nowadays, it will be using UEFI. I will now have a look at how to configure it.
Demonstration UEFI
To start with, I will switch on the computer. The UEFI and BIOS setup is often just called computer setup to cover both types of technology. You may hear the computer setup also called UEFI setup and UEFI settings. Sometimes you will hear UEFI also referred to as BIOS which is technically incorrect. Using BIOS for UEFI is simply because we are so used to using this older terminology.
To get into your computer’s setup, when the computer starts up, you should see the key you need to press to get into the computer’s setup, in this case the delete key. If you have fast booting enabled, this screen may not be displayed. If this is the case, you may need to look in the manual to work out which key to press. If fast boot is enabled, it can be very difficult to press the key at the right time.
If you are not quick enough and Windows boots, there is a workaround. Hold down the shift key and while you have it held down, select “Restart”. The computer will show a menu. Select “Troubleshoot”.
In the troubleshooting menu, select the option “Advanced options”. In this screen, select the option “UEFI Firmware Settings” and then select “Restart”. The computer will restart and automatically go into the computer’s setup. If you are having problems getting into computer setup, this is a good workaround.
Some computers will have an easy and an advanced mode. For this computer, to change modes, press the option at the top of the screen. In this case, it will switch it to easy mode.
Easy mode does not have as many options as advanced mode; however, it does display common information in an easy-to-read way. In some cases, you may be able to achieve what you need in easy mode; however, I generally use advanced mode since everything is in advanced mode, whereas in easy mode a lot of settings are missing. So, I will press advanced to switch back to advanced mode.
To access the settings, I will select the settings option on the left-hand side. I won’t have a look at all the settings, I will just look at the more common ones plus some settings that are useful to know for troubleshooting.
To start with, I will select the option “System Status”. This will show you some basic information about the computer – this includes some information about the CPU and BIOS versions. I tend to find that, if it is not a proprietary computer, UEFI tends to provide more information than BIOS does.
To get more information, I can select the option “DMI Information”. In this screen, you can see there is a lot more information. Some can potentially be configured using tools provided by the manufacturer. For example, you could configure a company asset tag. These settings are readable by the operating system including auditing software.
I will go back to the main menu. From the main menu, I will select the option ”Advanced”. In this computer setup, most of the options are found here. With different computers, the settings options may be laid out very differently.
I will next select the option “PCIe/PCI Subsystem Settings”. This allows me to configure some settings on how expansion cards will work on the computer. Under normal circumstances you would not need to change any of them.
The setting “PCI_E1 Gen Switch”, allows the generation to be configured to be used by the expansion slot. Under normal circumstances the computer will select the generation it requires. For example, it is common for video cards to use generation one and then under load go to the highest generation it supports. Using a lower generation uses less power.
If you have a computer where you want to keep the power use low, you could reduce the generation setting. Most of the time this setting would be used if you are using a riser cable. In this computer I have mounted the video card in a riser expansion slot. In order to connect the video card in this position, I had to use two riser cables. This will effectively extend the PCI Express slot so an expansion card can be used in a different position. Using a riser cable like this increases the length the signal from the computer has to travel, which will degrade the signal. If you are having trouble getting the video card to work correctly, you may want to consider reducing the generation of PCI Express in order to improve reliability.
I will now exit out of here and go down to the option “PCI_E1 Lanes Configuration”. This option allows you to configure how the lanes on the computer will be allocated. Generally speaking, I would leave this on auto. However, you may have a configuration in which you want to change it. The settings may be different depending on what motherboard and CPU you are using; in this case, if I had Solid-State-Drives and a second video card, I may want to change this setting. For example, if I want the Solid-State-Drive to get more lanes and the graphics card to get less. Changing this setting may also change what generation the lane supports. Refer to your motherboard manual to find out how the lanes are allocated. It gets complicated, so I would leave it on auto unless you really need to change it.
I will next exit from here and select the menu option “ACPI Settings”. These settings affect how power saving will work on the computer. Of importance is the option “CPU Over Temperature Alert”. This will alert you if the CPU temperature goes too high. It is best to ensure that alerts like these are enabled.
I will go back to the main menu and select the option “Integrated Peripherals”. This menu allows you to enable and configure devices on the computer. If the computer is being used in a secure environment, you may want to disable any hardware that you don’t require.
The option “SATA Mode” determines what mode the SATA connections will operate in. In some older computers you may also have an IDE option for compatibility with older hard disks. Nowadays, you should not have a need to use this option and you should use AHCI which is the newer standard. It is important this is set before you install Windows as Windows will not boot if you change it later. In order to change it after Windows is installed, you need to use a workaround.
If the option RAID is selected, this means the hard disks connected to this motherboard will be managed by the motherboard. RAID essentially allows you to group multiple storage devices together so they will act as one.
I will exit out of here and next select the option “Integrated Graphics Configuration”. This will have the options for the video card and also integrated graphics if you have them. To use integrated graphics, your CPU needs to support it.
I will next select the option “Initiate Graphic Adapter.” This option allows you to configure which graphics adapter will be used when the computer first starts up. That is, which graphics card will be used as the integrated CPU graphics adapter first when the computer starts up, otherwise known as the primary adapter. The option you select will be used to display the startup screens. Once an operating system has booted, it can configure each graphic adapter any way it wants.
I will exit out of here and next select the option “Integrated Graphics”. This option controls how memory is allocated to the integrated graphics adapter. Integrated graphics uses main memory to make up for having a very limited amount of its own. This option controls how it will allocate it. Integrated graphics won’t be as fast as having a dedicated graphics card; however, if you are having performance problems, this may be an option to increase the amount of main memory the graphics adapter is using and thus may improve performance.
I will now go back to the main menu and select the option “USB Configuration”. Generally, options for USB should be left on the defaults unless you have a good reason to change them. The option “Legacy USB Support” provides support for USB devices during boot up before the operating system has booted. For example, keyboards. If you are having trouble getting into the computer’s setup, it may be because this option is not enabled.
I will go back to the previous menu and select the option “Super IO Configuration.” As technology improved, chips were able to contain more and more. Older devices started getting grouped together into a single chip called the Super IO. Thus, legacy devices may be found in the Super IO section. In this computer’s setup, the only device in here is a serial device. As time goes on, don’t be surprised if Super IO disappears altogether.
I will go back to the previous menu and select the option “Power Management Setup”. I would generally leave these on the default settings unless you have a good reason to change them. For example, what the computer is going to do if the power to the computer is suddenly lost.
I will go back to the main menu and select the option “Windows OS Configuration”. This option is “BIOS CSM/UEFI Mode”. This option can be set to CSM or UEFI and determines if the computer will run CSM, which stands for Compatibility Support Module. When this is enabled, the computer will support older legacy hardware. The drawback to this is that other functions in the computer may then be disabled, for example, fast boot. If you don’t require any legacy hardware to be used, you can set this to UEFI. Keep in mind that if you change it later, it may disable other features. If you do change it, it is a good idea to have a look through the computer’s setup and see what else has changed. If nothing has changed, you just need to save the setting and restart the computer.
I will now go back to the main menu and select the option “Wake Up Event Setup”. In this menu, you can configure what will wake the computer. For example, if you want to wake up the computer using the keyboard or mouse.
I will go back to the previous menu and select the option “Secure Erase+”. This option will securely erase the Solid-State-Drive. When I select yes, the computer will then restart. The restart is done so the computer can get access to the drive settings which normally could not be accessed in order to protect the Solid-State-Drive from being hi-jacked.
Once the restart is done, it will take me into the Secure Erase tool. I will now select my Solid-State-Drive and then press yes to start the process. You will notice, it only takes a few seconds to complete. So clearly it did not erase all the data. So, the question is, what did it do?
Secure Erase changes the state of a Solid-State-Drive back to its factory settings. A Solid-State-Drive has a number of settings that are used to access the data. This includes drive statistics which are used to work out how to write data to the drive. A translation layer works out where the blocks on the drive are, since the Solid-State-Drive can store them in a different order than the operating system sees them. Also, if your Solid-State-Drive supports it, the data itself is encrypted.
Secure Erase removes the translation layer, changes the encryption key and resets the drive stats. The data on the drive itself remains untouched. This is why it took so little time. A translation layer is like having a book where the pages are random and the only way to find anything is by looking at the index. Deleting the translation layer is effectively pulling the index out of the book. Without the index, you won’t be able to find the data.
Secure Erase does require the manufacturer to implement it, thus you are effectively relying on the manufacturer to have implemented it correctly. In some cases, the data may be marked to be erased and the Solid-State-Drive will erase it in down time or when new data is written to it.
Re-creating the encryption key essentially means you won’t be able to decrypt existing data. Thus, even if Secure Erase does not delete the data, you won’t be able to physically read it since the key is lost. Keep this in mind if you are planning to give the Solid-State-Drive away.
Deleting all the drive statistics and other related settings, essentially puts the Solid-State-Drive back to its optimal settings. Formatting the drive will leave residual data and performance statistics. Since you are starting again, these statistics won’t be valid anymore. Slowly over time, the Solid-State-Drive will adapt and the settings will change. However, during this time it won’t perform as well as it can, even though data has been removed, as it may still be moving residual data around thinking it is still needed. Secure Erase essentially marks everything as free and returns the drive back to its optimal settings. Now the drive adapts to the new data you are putting on it.
If you are going to re-install the operating system, to get optimal performance, it is not a bad idea to Secure Erase the Solid-State-Drive before the installation. If you are planning to give the drive to someone else, it is worth looking to see if the manufacturer of the Solid-State-Drive has a tool that will sanitize the drive. Sanitizing goes one step further by making sure the data, even though it is encrypted, is removed from the drive. If you work for a company, you may want to sanitize any drives before they are given away.
Now that I have had a look at Secure Erase, I will go back to where I was before selecting Secure Erase and look at the other UEFI settings. The next option is “MSI Drive Utility Installer”. This option allows updates to be downloaded for the computer using Windows Update. Some computers will have the option to update the computer’s firmware using the internet. If the computer is in a controlled environment, you may want to disable this feature, so you will have more control over what updates are applied to it.
The next setting is “AMD overclocking”. If you want to overclock the CPU, the settings are in here. A lot of motherboards nowadays will have overclocking settings. There are also additional overclocking settings on the right-hand side under OC. These settings allow the timings for memory and other settings to be changed. Generally, I don’t recommend overclocking a computer as the default settings will throttle speeds up and down as required. The default settings are generally quite stable. Once you change these speeds, you may increase the performance of the computer, but you may also make it less stable.
I will now change computers to have a look at a different UEFI setup. I won’t go through the same settings as covered previously, just look at the settings that are different.
I will select “Advanced” which has most of the options for this computer’s setup. I will next select the option “CPU Configuration”. I will scroll down to “Intel (VMX) Virtualization Technology” and enable it. This will allow hardware virtualization acceleration that is required by certain virtualization solutions like Hyper-V. The name may change depending on whether you have an AMD or Intel CPU. It may also change depending on which UEFI you are running. On older computers it tends to be disabled, on newer computers it tends to be enabled.
I will go back to the previous menu and select the option “PCH-FW Configuration”. The names of the menus can be a little cryptic. In this case it stands for Platform Controller Host Firmware. If you are not sure what the menu means, I would suggest opening the menu and having a look at what options are available.
This menu selects the TPM or Trusted Platform Module. The TPM holds security settings which are required by Secure Boot and drive encryption solutions like BitLocker. You will notice that I have two options: dTPM is a physical hardware TPM and PTT is embedded in the UEFI. This may also be called fTPM.
I will now go back to the previous menu and select the option “Network Stack Configuration”. In this menu, I can enable the network stack which essentially allows the computer to boot from the network. You also have the option to select if you want to use IPv4 and IPv6 or both. In this case, I will disable IPv6. Disabling options you don’t need may make the computer boot up a bit faster depending on what it is you disable.
I will now go back to the previous menu and then select the menu option “Boot”. I will select the option “Compatibility Support Module”. This allows old legacy hardware that does not support UEFI to run on the computer. You will notice that I am able to configure which devices are available on legacy and UEFI or switch them off completely.
In this case I will disable booting from PCI Express and PCI devices and set storage devices to UEFI. When the computer boots, it will attempt to boot from the devices that are configured. Switching them off can improve the security of the computer. Depending on your startup options, it may make it boot faster as well.
I will next select “Secure Boot”. Secure Boot is a system that checks the operating system is approved to be used by the manufacturer. It can also check to see if the operating system has been modified at all. If it has, the system won’t boot. Operating systems like Windows 11 require Secure Boot. If you are running an alternative operating system, it may not support this feature. Thus, you may have to switch off Secure Boot in order to get it to boot.
In some cases, the manufacturer of the operating system may provide you with some keys. When this occurs, you can add the keys under “Key Management”. Major operating systems will be supported and won’t need to be added.
I will go back to the previous menu and enable the option “Fast Boot”. Fast boot will boot the operating system faster; however, it won’t perform as many hardware tests. It may also have compatibility problems with certain hardware. If it works for you, your computer will boot up a lot faster.
That is all the UEFI settings that I want to look at. When you start working with a new computer, it is worth having a look through all the menus and see what settings are available. With different computers, the settings may be in very different places. Some computers will have certain options and other computers will not.
End Screen
That concludes this video from ITFreeTraining on UEFI settings. I hope that you have found this video informative. Until the next video from us, I would like to thank you for watching.
References
“The Official CompTIA A+ Core Study Guide (Exam 220-1101)” pages 90 to 96
Credits
Trainer: Austin Mason https://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Quality Assurance: Brett Batson https://www.pbb-proofreading.uk