This article explains why Secure Boot cannot be enabled using remote software tools on Elo systems such as: EloPOS, I-Series, E-Series, ECMG4, and Backpack with Intel systems.
What is Secure Boot?
Secure Boot is a UEFI firmware security feature that ensures only trusted, digitally signed operating systems and bootloaders are allowed to run during system startup. It is designed to prevent unauthorized or malicious code from executing before the operating system loads.
⚠️ Important: Secure Boot Cannot Be Enabled via Remote Software Tools
Secure Boot cannot be enabled using operating system tools, scripts, or standard remote management methods such as RDP or SSH.
On Elo Intel systems, Secure Boot is controlled at the firmware (BIOS/UEFI) level and is protected by design. This prevents unauthorized changes from within the operating system.
Even Elo BIOS configuration utilities and firmware update tools do not support enabling Secure Boot remotely:
- BIOS Configuration Tools (e.g., SCE utilities): Can modify many BIOS settings, but do not support Secure Boot configuration
- Firmware Update Tools (e.g., AMI AFU): Used to update BIOS firmware, but do not control runtime Secure Boot settings
As a result, Secure Boot must be enabled directly within the BIOS interface.
✅ Supported Methods to Enable Secure Boot
1. Local Access (Recommended)
- Connect a keyboard to the device
- Reboot and enter BIOS (DEL key on keyboard or Setup icon during startup)
- Enable Secure Boot and install default keys
2. Remote KVM / Out-of-Band Access
- Use a remote management solution that provides full BIOS-level access (e.g., Intel AMT)
- Remotely enter BIOS during boot
- Enable Secure Boot and apply required settings
Remote enablement is only considered valid when you have full BIOS/KVM control. Standard remote tools are not sufficient.
🚫 Unsupported Methods
The following methods are not supported for enabling Secure Boot:
- Remote Desktop (RDP)
- SSH or command-line access
- PowerShell or shell scripts
- BIOS configuration utilities (SCE tools)
- Firmware update utilities (AFU tools)
Attempting to use these methods will not enable Secure Boot and may lead to inconsistent or unsupported configurations.
⚠️ Risks of Improper Enablement
Enabling Secure Boot without proper validation can cause the system to fail to boot and may require physical recovery.
- System may fail to boot if OS or bootloader is not properly signed
- Device may become unreachable if remote access depends on the OS
- Recovery may require on-site access to BIOS
✅ Best Practices Before Enabling Secure Boot
1. Verify System Compatibility
- Operating system supports Secure Boot (Windows 10/11 or supported Linux)
- System is configured for UEFI boot mode
- Disk is formatted as GPT (not MBR)
2. Validate Boot Integrity
- No custom or unsigned bootloaders
- Standard OS installation recommended
3. Confirm Recovery Access
- Ensure local or remote BIOS access is available
- Have a recovery plan if the system fails to boot
4. Test Before Scaling
- Enable Secure Boot on a single device first
- Validate system behavior after reboot
Summary
- Secure Boot is a firmware-level security feature and cannot be enabled via OS-level tools
- BIOS configuration and firmware update utilities do not support enabling Secure Boot
- Secure Boot must be enabled directly in BIOS, either locally or via remote KVM
- Always validate system readiness before enabling to avoid boot failures
Need Help?
If you need assistance verifying compatibility or enabling Secure Boot, please contact Elo Technical Support:
Please report any broken links by emailing support@elotouch.com and include a link to the knowledge article