Sign in with Microsoft
Sign in or create an account.
Hello,
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Note: Some products might not be available in your country or region.

Use the latest firmware interface, the Unified Extensible Firmware Interface (UEFI).

UEFI offers new features including faster startup and improved security. It replaces BIOS (basic input/output system).

More recent Surface devices use a new UEFI called Surface UEFI. For more info, including info about which specific devices use it, see How to use Surface UEFI.

For Surface Pro, Surface Pro 2, Surface Pro 3, and Surface 3

Important: Under normal circumstances, there’s no need for you to change UEFI settings. If you change these settings, you risk the security of your Surface. But if you ever need access to the firmware features of your Surface, here's the basic info:

What firmware features can I use?

You can access the following firmware features on any Surface Pro model or Surface 3:

  • Secure Boot Control. Secure Boot technology blocks the loading of uncertified bootloaders and drives.

  • Trusted Platform Module (TPM). TPM technology provides a major advancement over BIOS in hardware-based security features.

How do I get to the UEFI settings?

Video: Get to UEFI settings on a Surface

Your browser does not support video. Install Microsoft Silverlight, Adobe Flash Player, or Internet Explorer 9.

Note: This video is available in English only.

The UEFI settings can be adjusted only during system startup. To load the UEFI firmware settings menu:

  1. Shut down your Surface.

  2. Press and hold the volume-up button on your Surface and at the same time, press and release the power button.

  3. When you see the Surface logo, release the volume-up button.
    The UEFI menu will display within a few seconds.

UEFI menu options

Which UEFI settings you can modify depends on which Surface model you have.

Surface Pro or Surface Pro 2

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup > Yes.

  • Secure Boot Control
    The currently configured state of Secure Boot (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup > Yes.

  • Delete All Secure Boot keys
    To delete all of the installed Secure Boot keys, including the default ones that were installed with Windows, select Yes. When you’re finished, select Exit Setup > Yes.

    Note: When Secure Boot keys are deleted, Windows displays a red screen during startup.

  • Install Default Secure Boot Keys
    To reinstall all of the Secure Boot keys that were originally installed with Windows (and only those), select Yes. When you’re finished, select Exit Setup > Yes.

Surface Pro 3

Note: If you enter the administrator password incorrectly three times, you’ll be locked out of the UEFI. Restart your Surface to enter the password again.

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup > Yes.

  • Secure Boot Control
    Select Secure Boot Control to enable or disable this feature. When Secure Boot Control is enabled, you have two additional options:

    • If Secure Boot keys are installed, you can delete them by selecting Delete All Secure Boot Keys.

    • If Secure Boot keys aren't installed, you can select Install All Factory Default Keys and select either Windows & 3rd-party UEFI CA (Default) or Windows only.

  • Configure Alternate System Boot Order
    To choose the order in which your Surface boots, select Configure Alternate System Boot Order and select one of the following options:

    • SSD only

    • Network > USB > SSD

    • USB > Network > SSD

    • USB > SSD

    • Network > SSD

  • Advanced Device Security
    This option lets you disable ports and features you don’t want anyone to use. For example, you can disable the microSD card reader so no one can use a microSD card to copy data.

    The current setting appears in bold. Select Advanced Device Security and select the option you want:

    Note: Selecting Side USB disables the ability to boot from a USB device. The USB port remains enabled in Windows.

    Note: Disabling Wi-Fi also disables the Bluetooth®.

    • Network Boot

    • Side USB

    • Docking Port

    • Front Camera

    • Rear Camera

    • OnBoard Audio

    • microSD

    • WiFi

    • Bluetooth

  • Device Information
    This option displays your Surface’s universally unique identifier (UUID) and serial number.

  • Administrator Password
    This option lets you create a password to prevent others from changing the UEFI settings. Organizations that need to protect sensitive information typically use an administrator password.

  • Exit Setup

    • Save and exit. To save your changes and exit, select Exit Setup > Yes.

    • Exit without saving. To exit without saving your changes when you’re using a Surface Typing Cover, press Esc and select Yes. If you aren’t using a Cover, press the power button.

Surface 3

  • Trusted Platform Module (TPM)
    The currently configured state of TPM (Enabled or Disabled) is highlighted. To change the state, select the other one. When you’re finished, select Exit Setup.

  • Secure Boot Control
    Select Secure Boot Control to enable or disable this feature. While Secure Boot Control is enabled, you have the following additional option:

    • If Secure Boot keys are installed, you can delete them by selecting Delete All Secure Boot Keys.

  • Configure Alternate System Boot Order
    To select the order in which your Surface boots, select Configure Alternate System Boot Order and select one of the following options:

    • SSD Only

    • Network > USB > SSD

    • USB > Network > SSD

    • USB > SSD

    • Network > SSD

  • Administrator Password

    This option lets you create a password to prevent others from changing the UEFI settings. Organizations that need to protect sensitive information typically use an administrator password.

  • Exit Setup

    • Save and exit. To save your changes and exit, select Exit Setup > Yes.

    • Exit without saving. To exit without saving your changes when you’re using a Surface Typing Cover, press Esc and select Yes.

Related topics

Facebook LinkedIn Email
SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Discover Community Contact Us

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders

Find solutions to common problems or get help from a support agent.

Online support

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!

×