Surface Pro 3 Tip: Access the Firmware

Surface Pro 3 Tip: Access the Firmware

Rarely needed, but good to know about

While you probably won't need to do this very often, it's a good idea to understand how you can access the firmware on all of your PCs. And this is a bit non-obvious with Surface Pro 3, which provides a unique access method that can work without having an attached keyboard or a properly running version of Windows.

In the good old days, a PC's firmware was called BIOS, or Basic Input/Output System, a system that dates back over 40 years. With Surface Pro 3, and with other modern PCs and PC-based devices, the firmware is called UEFI, or Unified Extensible Firmware Interface, and is more sophisticated than its predecessor. But the firmware's role is still the same: This is the onboard software that loads before the PC boots into whatever operating system is installed. And it provides basic services such as testing the installed hardware, providing an abstraction interface for that hardware, and of course bootstrapping the OS.

On a traditional PC, you'll often see a boot message of some kind that indicates a key you can press to access the firmware interface. But Surface is an appliance-like device, not a PC, and is by design simple and unthreatening. So the only thing you see at boot time, and then only briefly, is a Surface logo.

But Surface Pro 3 is still a PC. And as such it does provide a way to access its firmware interface. Two ways, in fact.

How to access the firmware

The first method requires you to first shut down Surface Pro 3. (Settings, Power, Shut down.) Then, press and hold both the hardware Volume Up button on the left side of the device and press the Power button (on the top). Then, release the Volume Up button. Surface Pro 3 will power up, the Surface logo will appear briefly, and then the firmware interface appears.

Or, from within Windows, you can launch PC Settings (Settings, Change PC Settings) and then navigate to Update and Recovery, then Recovery. Then, tap the Restart button under Advanced Startup, and when the system reboots into the Recovery environment, choose Troubleshoot, Advanced Options, and then UEFI Firmware Settings. Then, tap Restart.

Using the firmware interface

As you can see, there aren't that many options. These include:

Trusted Platform Module (TPM). TPM is a hardware security feature that guarantees the integrity of the PC during both boot and runtime. Windows includes various features that integrate with this technology, including BitLocker disk encryption. It is enabled by default and should be left enabled. If you do disable TPM, Secure Boot Control will also be disables, as that feature requires TPM.

Secure Boot Control. Enabled by default, Secure Boot is a PC security technology that ensures that only trusted, properly signed software—like Windows 8.x—can boot on the device. (Windows then continues the secure boot process by authenticating AV software, drivers, and the like during its own startup.) Typically, you will simply leave this option as-is, of course. But you will need to disable Secure Boot Control if you wish to install a non-Windows OS like Linux on the device.

Delete All Secure Boot Keys. If you select this option and then Yes, Secure Boot will be changed from the usual User mode to Setup mode. In this mode, Secure Boot is disabled and the option changes to Install All Factory Default Keys. Select that and then choose between "Windows & 3rd party UEFI CA [certificate authorities] (Default)" and "Windows only." As noted, the former option is the default choice.

Configure External Ports. If you choose this option, you'll be presented with a pop-up menu with the following choices: All ports enabled (the default), Enable USB & microSD/Disable Docking Port, Enable Docking Port/Disable USB & microSD, and All ports disabled.

Device Information. If you choose this option, you'll be presented with a pop-up that displays your Surface Pro 3's System UUID (universally unique identifier) and serial number, both of which are used to uniquely identify your device.

Administrator Password. You use this option to specify a password (using a strange little onscreen keyboard) for the firmware. If enabled, this password must be entered before you can access the firmware interface again. To remove the password, choose this option, leave the "Create New Password" field blank, and then tap the onscreen ENT key.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.