Applies to

Surface Pro, Surface Pro 2, Surface Pro 3, Surface 3.

Applies to

Surface Pro, Surface Pro 2, Surface Pro 3, Surface 3.

Operating system:

How do I use the BIOS/UEFI?

Surface Pro models and Surface 3 use the latest firmware interface, called the Unified Extensible Firmware Interface (UEFI).


UEFI offers new features including faster startup and improved security. It replaces BIOS (basic input/output system).

Important
Under normal circumstances, there’s no need for you to change UEFI settings. If you change these settings, you risk the security of your Surface. But if you ever need access to Surface firmware features, here's the basic info:

What firmware features can I use?

You can access the following firmware features on any Surface Pro model or Surface 3:

  • Secure Boot Control. Secure Boot technology blocks the loading of uncertified bootloaders and drives.

  • Trusted Platform Module (TPM). TPM technology provides a major advancement over BIOS in hardware-based security features.

How do I get to the UEFI settings?

The UEFI settings can be adjusted only during system startup. To load the UEFI firmware settings menu:

Step 1:Shut down your Surface.
Step 2:Press and hold the volume-up button on your Surface, and at the same time, press and release the power button.
Step 3:When you see the Surface logo, release the volume-up button.
The UEFI menu will display within a few seconds.

UEFI menu options

Which UEFI settings you can modify depends on which Surface model you have.

Surface Pro or Surface Pro 2

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup > Yes.

  • Secure Boot Control
    The currently configured state of Secure Boot (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup > Yes.

  • Delete All Secure Boot keys
    To delete all of the installed Secure Boot keys (including the default ones that were installed with Windows), select Yes. When you’re finished, select Exit Setup > Yes.

    Note
    When Secure Boot keys are deleted, Windows displays a red screen during startup.
  • Install Default Secure Boot Keys
    To reinstall all of the Secure Boot keys that were originally installed with Windows (and only those), select Yes. When you’re finished, select Exit Setup > Yes.

Surface Pro 3

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup > Yes.

  • Secure Boot Control
    Select Secure Boot Control to enable or disable this feature. When Secure Boot Control is enabled, you have two additional options:

    • If Secure Boot keys are installed, you can delete them by selecting Delete All Secure Boot Keys.
    • If Secure Boot keys aren't installed, you can select Install All Factory Default Keys and select either Windows & 3rd-party UEFI CA (Default) or Windows only.

  • Configure Alternate System Boot Order
    To choose the order in which your Surface boots, select Configure Alternate System Boot Order, and select one of the following options:

    • SSD only
    • Network -> USB -> SSD
    • USB -> Network -> SSD
    • USB -> SSD
    • Network -> SSD

  • Advanced Device Security
    This allows you to disable ports and features you don’t want anyone to use. For example, you can disable the microSD reader so no one can use a microSD card to copy data. It will be as though the reader doesn’t exist, which means that if you disable the microSD reader, you won’t be able to use microSD cards.

    The current setting appears in bold. Select Advanced Device Security, and select the option you want:

    • Network Boot
    • Side USB
    • Note

      Selecting Side USB disables the ability to boot from a USB device. The USB port remains enabled in Windows.

    • Docking Port
    • Front Camera
    • Rear Camera
    • OnBoard Audio
    • microSD
    • WiFi
      Note

      Disabling Wi-Fi disables the Bluetooth® option.

    • Bluetooth

  • Device Information
    This allows you to view the system’s universally unique identifier (UUID) and serial number.

  • Administrator Password
    Administrators can create a password to prevent others from changing the UEFI settings.
    This is typically done in organizations that need to protect sensitive information.
  • Note

    If you enter the UEFI administrator password incorrectly, you’ll be locked out after three tries. Restart your Surface to get another three tries.

    Important
    If you set a password for the UEFI, record it in a safe place. If you forget the password, you won’t be able to access the UEFI settings. The only way to reset this password is from within UEFI.
  • Exit Setup

    • Save and exit. To save your changes and exit, select Exit Setup > Yes.
    • Exit without saving. To exit without saving your changes when you’re using a Surface Typing Cover, press Esc, and select Yes. If you aren’t using a Cover, press the power button.

Surface 3

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup.
  • Secure Boot Control
    Select Secure Boot Control to enable or disable this feature. While Secure Boot Control is enabled, you have the following additional option:
    • If Secure Boot keys are installed, you can delete them by selecting Delete All Secure Boot Keys.
  • Configure Alternate System Boot Order
    To select the order in which your Surface boots, select Configure Alternate System Boot Order, and select one of the following options:
    • SSD Only
    • Network -> USB -> SSD
    • USB -> Network -> SSD
    • USB -> SSD
    • Network -> SSD
  • Advanced Device Security
    This allows you to disable ports and features you don’t want anyone to use. For example, you can disable the microSD reader so no one can use a microSD card to copy data. It will be as though the reader doesn’t exist, which means that if you disable the microSD reader, you won’t be able to use microSD cards.

    The current setting appears in bold. Select Advanced Device Security, and select the option you want:

    • Network Boot
    • Side USB
    • Note

      Selecting Side USB disables the ability to boot from a USB device. The USB port remains enabled in Windows.

    • Docking Port
    • Front Camera
    • Rear Camera
    • OnBoard Audio
    • microSD
    • WiFi
      Note

      Disabling Wi-Fi disables the Bluetooth option.

    • Bluetooth

  • Device Information
    This allows you to view the system’s universally unique identifier (UUID) and serial number.

  • Administrator Password

    Administrators can create a password to prevent others from changing the UEFI settings.
    This is typically done in organizations that need to protect sensitive information.

  • Exit Setup
    • Save and exit. To save your changes and exit, select Exit Setup > Yes.
    • Exit without saving. To exit without saving your changes when you’re using a Surface Typing Cover, press Esc, and select Yes.

UEFI offers new features including faster startup and improved security, and replaces BIOS (basic input/output system).

Important
Under normal circumstances, there’s no need for you to change UEFI settings. If you change these settings, you risk the security of your Surface. But, if you ever need access to Surface firmware features, here's the basic info:

What firmware features can I use?

You can access the following firmware features on any Surface Pro model or Surface 3:

  • Secure Boot Control. Secure Boot technology blocks the loading of uncertified bootloaders and drives.

  • Trusted Platform Module (TPM). TPM technology provides a major advancement over BIOS in the area of hardware-based security features.

How do I get to the UEFI settings?

The UEFI settings can only be adjusted during system startup. To load the UEFI firmware settings menu:

Step 1:Shut down (power off) Surface.
Step 2:Press and hold the volume-up button on your Surface, and at the same time, press and release the power button on your Surface.
Step 3:When you see the Surface logo, release the volume-up button.
The UEFI menu will display within a few seconds.

UEFI menu options

Which UEFI settings you can modify depends on which Surface model you have.

Surface Pro or Surface Pro 2

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, tap the other one, then confirm on exit.

  • Secure Boot Control
    The currently configured state of Secure Boot (Enabled or Disabled) is highlighted. To change the state, tap the other one, then confirm on exit.

  • Delete All Secure Boot keys
    To delete all of the installed Secure Boot keys (including the default ones that were installed with Windows), tap Yes, then confirm on exit.

    Note
    When Secure Boot keys are deleted, Windows displays a red screen during startup.
  • Install Default Secure Boot Keys
    To reinstall all of the Secure Boot keys that were originally installed with Windows (and only those), tap Yes, then confirm on exit.

Surface Pro 3

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, tap the other one, then confirm on exit.

  • Secure Boot Control
    Tap Secure Boot Control to enable or disable this feature. While Secure Boot Control is enabled, you have the following additional options:

    • If Secure Boot keys are installed, you can delete them by tapping Delete All Secure Boot Keys.
    • If Secure Boot keys aren't installed, you can tap Install All Factory Default Keys and then tap either Windows & 3rd-party UEFI CA (Default) or Windows only.

  • Configure Alternate System Boot Order
    To select the order in which your Surface boots, tap Configure Alternate System Boot Order, and select one of the following options:

    • SSD only
    • Network -> USB -> SSD
    • USB -> Network -> SSD
    • USB -> SSD
    • Network -> SSD

  • Advanced Device Security
    This allows you to disable ports and features you don’t want anyone to use. For example, you can disable the microSD reader to ensure that no one can use a microSD card to copy data. It will be as though the reader doesn’t exist, which means that if you disable the microSD reader, you won’t be able to use microSD cards.

    The current setting appears in bold. Tap Advanced Device Security, and tap the option you want:

    • Network Boot
    • Side USB
    • Note

      Disables the ability to boot from a USB device. The USB port remains enabled in Windows.

    • Docking Port
    • Front Camera
    • Rear Camera
    • OnBoard Audio
    • microSD
    • WiFi

      (Disabling Wi-Fi disables the Bluetooth® option.)

    • Bluetooth

  • Device Information
    This allows you to view the system UUID and the serial number.

  • Administrator Password
    Administrators can create a password to prevent others from changing the UEFI settings.
    This is typically used in organizations that need to protect sensitive information.
  • Exit Setup

    • Save and exit. To save your changes and exit, tap or click Exit Setup, and tap or click Yes.
    • Exit without saving. To exit without saving your changes when you’re using a Surface Typing Cover, press Esc, and select Yes. If you aren’t using a Cover, press the power button.

Surface 3

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, tap the other one, then confirm on exit.
  • Secure Boot Control
    Tap Secure Boot Control to enable or disable this feature. While Secure Boot Control is enabled, you have the following additional options:
    • If Secure Boot keys are installed, you can delete them by tapping Delete All Secure Boot Keys.
  • Device Information
    This allows you to view the system UUID and the serial number.
  • Configure Alternate System Boot Order
    To select the order in which your Surface boots, tap Configure Alternate System Boot Order, and select one of the following options:
    • Network > USB > SSD
    • SSD Only
  • Administrator Password

    Administrators can create a password to prevent others from changing the UEFI settings.
    This is typically used in organizations that need to protect sensitive information.

  • Exit Setup
    • Save and exit. To save your changes and exit, tap or click Exit Setup, and tap or click Yes.
    • Exit without saving. To exit without saving your changes when you’re using a Surface Typing Cover, press Esc, and select Yes.
Important
If you set a password for the UEFI, record it in a safe place. If you forget the password you won’t be able to access the UEFI settings. The only way to reset this password is from withing UEFI.

Note
If you enter the UEFI administrator password incorrectly, you’ll be locked out after three tries. Restart Surface to get another three tries.