This protects you against rootkits, but it has its downsides. Linux fans have complained that Secure Boot is an obstacle to those who want to install a fresh operating system, rather than using the preinstalled Windows OS. Most recent PCs will let you disable Secure Boot, or register a third-party boot loader as safe, but this isn’t guaranteed. Microsoft’s guidelines for laptops and desktops sold with Windows 10 stipulate that Secure Boot must be turned on by default, and it’s up to the manufacturer whether or not to let you customise its settings.
The good news is that even if Secure Boot is mandatory on your PC, you can still install Ubuntu, which uses a Microsoft-signed boot loader and should therefore work on any Windows 10 device.
If your previously working PC throws up a Secure Boot violation and refuses to start, the first thing to check is, as usual, whether it’s trying to boot from the wrong device. If that doesn’t solve the problem, something may have modified your boot sector. Your first action should be to boot into a clean environment and check your hard disk for malware. There are plenty of free bootable USB images that can help here, including Avira Rescue System (http://tinyurl.com/nqwf8uq), Bitdefender Rescue CD (http://tinyurl.com/p79qjsv) and Kaspersky Rescue Disk 10 (http://tinyurl.com/p3uv9g2).
THE BOOT MANAGER
So, the BIOS executes the boot sector, which in turn launches Windows, right? Not quite.
There’s one more step in the process: what the boot sector launches isn’t Windows itself, but another small program called the boot manager. The sole job of this program is to ensure that the correct Windows installation is launched with the correct parameters: if you’ve set up a multiboot system, the boot manager can present a menu from which you can choose which OS to launch. In Windows NT, XP and 2000, the boot manager role was handled by a program called NTLDR, which received its OS information from a plain text file called boot.ini. By default, both were hidden files that lived in the root directory of your C: drive.
If you wanted to check your boot configuration, or edit it to add extra options, you could simply edit boot.ini in Notepad (after tweaking its attributes to make it visible and editable). In Windows Vista and later, things are more complex. Now the information about where Windows is installed is kept in a binary file called the BCD store – short for Boot Configuration Data. It contains the same basic data as boot.ini, but if you want to view and edit its contents, you’ll need to use a special tool called BCDEdit.
You can see what your BCD store contains right now by opening a command prompt as an administrator – that bit’s important, as ordinary users aren’t allowed to access the BCD store – and entering “bcdedit” at the prompt. What you’ll probably see is a set of information about the Windows Boot Manager, including where it’s located and what language it’s localised for, followed by information about the boot loader – the code that actually, at last, loads Windows.
THE SYSTEM RESERVED PARTITION
Unlike the old boot.ini file, the boot manager files for recent versions of Windows aren’t normally located on your C: drive. The Windows installation process automatically creates a small “System Reserved” partition for them. This partition is also where the BitLocker encryption host lives, which is what makes it possible to start Windows when your entire system drive is encrypted. The System Reserved partition isn’t normally visible within Windows, since it doesn’t have a drive letter, but you can easily examine it by opening the Disk Management console, right-clicking on the “System Reserved” partition, selecting “Change Drive Letter and Paths…” and giving it a letter.
You can then open it in This PC and click around to see how it’s laid out. (To see everything, you’ll need to configure Windows Explorer to show hidden files and protected system files.) If you’re setting up a new PC and don’t want this extra partition hanging around, it’s possible to install Windows 10 in such a way that the boot manager resides on your C: drive. You simply have to set up your target disk, prior to the installation, with a single partition that occupies its entire capacity, so that there’s no space for a separate boot partition. There isn’t much benefit to this, though – the System Reserved partition is only 350MB in size in recent editions of Windows (and a mere 100MB in Windows 7), and you’ll lose the ability to run BitLocker.
FINISHING THE BOOT PROCESS
If everything is configured as it should be, the boot manager should immediately hand over to the Windows boot loader – a file called winload.exe that normally lives in C:\Windows\System32. If this can’t be accessed, your computer may crash at this point, showing the error message “INACCESSIBLE_BOOT_DEVICE”. This could happen if you’ve repartitioned the disk since the BCD was set up, or if you’ve added or removed a hard disk. The easiest solution is to try connecting your disks in a different order (for example, try switching SATA ports) to see if you can recreate your original configuration.
If you don’t see that message, it’s likely that the Windows initialisation procedure has started successfully. Any error messages that pop up after this point aren’t strictly problems with the boot process, but rather to do with the configuration of the operating system itself. That doesn’t make them any less problematic, of course, but it gives you a clue where to start troubleshooting. You can skip worrying about the BIOS or the MBR, and try – for example – booting from the installation media to access Safe Mode or use Startup Repair.
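As an added example (not part of the original article), the Python code below parses the text that the bcdedit command described above prints, then checks that each Windows Boot Loader entry points at winload in System32 and at a device Windows can still resolve. The sample output is constructed and the function names are hypothetical; the winload.efi name used on UEFI systems and the "unknown" device value shown after a partition disappears are assumptions about bcdedit's behaviour that the article does not state.

```python
# Constructed sample of English-language `bcdedit` output (not from a real PC).
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
locale                  en-US

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
osdevice                partition=C:
"""

def is_rule(s):
    return len(s.strip()) >= 3 and set(s.strip()) == {"-"}

def parse_bcd(text):
    """Split bcdedit output into entries: title, dashed rule, then 'name  value' rows."""
    entries, current, last = [], None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and is_rule(nxt):
            current, last = {"type": line.strip()}, None
            entries.append(current)
        elif current is not None and line.strip() and not is_rule(line):
            if line[0].isspace() and last:   # continuation of a multi-valued element
                current[last] += " " + line.strip()
            else:
                last, _, value = line.strip().partition(" ")
                current[last] = value.strip()
    return entries

def check_loaders(entries):
    """Return (identifier, problem) pairs for each Windows Boot Loader entry."""
    findings = []
    for e in (e for e in entries if e["type"] == "Windows Boot Loader"):
        ident, path = e.get("identifier", "?"), e.get("path", "")
        # winload.exe is the article's name; winload.efi (UEFI) is an assumption.
        if not path.lower().endswith((r"\system32\winload.exe", r"\system32\winload.efi")):
            findings.append((ident, "unexpected loader path: " + (path or "<missing>")))
        # Assumption: bcdedit prints "unknown" when the partition cannot be resolved.
        for key in ("device", "osdevice"):
            if e.get(key, "unknown") == "unknown":
                findings.append((ident, key + " is missing or unknown"))
    return findings
```

On a live PC, pass in the text captured from bcdedit run at an administrator command prompt; the section titles are localised, so the "Windows Boot Loader" match only applies to English-language output.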