How do I use the BIOS/UEFI?

Applies to: Surface Devices

Use the latest firmware interface, the Unified Extensible Firmware Interface (UEFI).

UEFI offers new features including faster startup and improved security. It replaces BIOS (basic input/output system).

Surface Pro 4, Surface Pro (5th Gen), Surface Pro (5th Gen) with LTE Advanced, Surface Pro 6, Surface Laptop (1st Gen), Surface Laptop 2, Surface Book, Surface Book 2, Surface Studio (1st Gen), and Surface Studio 2 use a new UEFI called Surface UEFI. For more info, see How to use Surface UEFI.

What firmware features can I use?

You can access the following firmware features on any Surface Pro model or Surface 3:

  • Secure Boot Control. Secure Boot technology blocks the loading of uncertified bootloaders and drives.

  • Trusted Platform Module (TPM). TPM technology provides a major advancement over BIOS in hardware-based security features.

How do I get to the UEFI settings?

Video: Get to UEFI settings on a Surface

The UEFI settings can be adjusted only during system startup. To load the UEFI firmware settings menu:

  1. Shut down your Surface.
  2. Press and hold the volume-up button on your Surface and at the same time, press and release the power button.
  3. When you see the Surface logo, release the volume-up button.
    The UEFI menu will display within a few seconds.

UEFI menu options

Which UEFI settings you can modify depends on which Surface model you have.

Surface Pro or Surface Pro 2

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup > Yes.

  • Secure Boot Control
    The currently configured state of Secure Boot (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup > Yes.

  • Delete All Secure Boot keys
    To delete all of the installed Secure Boot keys, including the default ones that were installed with Windows, select Yes. When you’re finished, select Exit Setup > Yes.

  • Install Default Secure Boot Keys
    To reinstall all of the Secure Boot keys that were originally installed with Windows (and only those), select Yes. When you’re finished, select Exit Setup > Yes.

Surface Pro 3

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup > Yes.

  • Secure Boot Control
    Select Secure Boot Control to enable or disable this feature. When Secure Boot Control is enabled, you have two additional options:

    • If Secure Boot keys are installed, you can delete them by selecting Delete All Secure Boot Keys.
    • If Secure Boot keys aren't installed, you can select Install All Factory Default Keys and select either Windows & 3rd-party UEFI CA (Default) or Windows only.
  • Configure Alternate System Boot Order
    To choose the order in which your Surface boots, select Configure Alternate System Boot Order and select one of the following options:

    • SSD only
    • Network -> USB -> SSD
    • USB -> Network -> SSD
    • USB -> SSD
    • Network -> SSD
  • Advanced Device Security
    This option lets you disable ports and features you don’t want anyone to use. For example, you can disable the microSD card reader so no one can use a microSD card to copy data.

    The current setting appears in bold. Select Advanced Device Security and select the option you want:

    • Network Boot
    • Side USB
    • Docking Port
    • Front Camera
    • Rear Camera
    • OnBoard Audio
    • microSD
    • WiFi
    • Bluetooth
  • Device Information
    This option displays your Surface’s universally unique identifier (UUID) and serial number.

  • Administrator Password
    This option lets you create a password to prevent others from changing the UEFI settings. Organizations that need to protect sensitive information typically use an administrator password.
  • Exit Setup

    • Save and exit. To save your changes and exit, select Exit Setup > Yes.
    • Exit without saving. To exit without saving your changes when you’re using a Surface Typing Cover, press Esc and select Yes. If you aren’t using a Cover, press the power button.

Surface 3

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup.
  • Secure Boot Control
    Select Secure Boot Control to enable or disable this feature. While Secure Boot Control is enabled, you have the following additional option:
    • If Secure Boot keys are installed, you can delete them by selecting Delete All Secure Boot Keys.
  • Configure Alternate System Boot Order
    To select the order in which your Surface boots, select Configure Alternate System Boot Order and select one of the following options:
    • SSD Only
    • Network -> USB -> SSD
    • USB -> Network -> SSD
    • USB -> SSD
    • Network -> SSD
  • Administrator Password

    This option lets you create a password to prevent others from changing the UEFI settings. Organizations that need to protect sensitive information typically use an administrator password.

  • Exit Setup
    • Save and exit. To save your changes and exit, select Exit Setup > Yes.
    • Exit without saving. To exit without saving your changes when you’re using a Surface Typing Cover, press Esc and select Yes.