During the past weeks I spend a bit of time deploying Windows 8 to UEFI enabled clients. With PowerShell 3.0 on Windows 8 you will find some new cmdlets that provide information about the status of your system’s BIOS/UEFI/Secure boot configuration.
The below table shows the return values depending on whether the system’s firmware is using BIOS, UEFI and if Secure boot is enabled or not.
**BIOS / UEFI Setup**
BIOS
UEFI with CSM
UEFI native
Secure boot enabled
UEFI native
Secure boot
disabled
**PowerShell Command**
Result
Confirm-SecureBootUEFI
Cmdlet not supported on this platform
False
True
False
Get-SecureBootUEFI –Name SetupMode
Cmdlet not supported on this platform
1
0
1
Get-SecureBootUEFI –Name SecureBoot
Cmdlet not supported on this platform
0
1
0
Executing any of these cmdlets on a Windows 8 system that uses BIOS generates an error.
The return value of the SetupMode variable tells us if the system is operating in Setup mode or in UserMode meaning that the platform key is enrolled. (For more details read the Firmware/OS Key Exchange: creating trust relationships chapter within the UEFI Specification that can be found here)
The return value of the SecureBoot variable tells us if the platform firmware is operating in secure boot mode. If the return value is 1 then SecureBoot is enabled meaning that the firmware performs driver and boot application signature verification. If the value is 0 then secure boot is not enabled.
Additional Information:
Secure Boot Cmdlets in Windows PowerShell
Protecting the pre-OS environment with UEFI