⚡ Quick Answer
BIOS (Basic Input/Output System) is the legacy firmware that initialises hardware and boots the OS. UEFI (Unified Extensible Firmware Interface) is its modern replacement — it supports drives over 2 TB, has a graphical interface, boots faster, and adds Secure Boot to prevent unauthorised bootloaders. Every time a PC starts, POST (Power-On Self-Test) runs first to verify hardware is functional. You access BIOS/UEFI settings by pressing a key (Del, F2, F10) during POST. Windows 11 requires UEFI with Secure Boot and TPM 2.0.

BIOS vs UEFI — Key Differences

| Property | Legacy BIOS | UEFI |
| --- | --- | --- |
| Full name | Basic Input/Output System | Unified Extensible Firmware Interface |
| Age / status | 1970s–2000s; now legacy | Current standard on all modern PCs |
| Processor mode | 16-bit real mode | 32-bit or 64-bit protected mode |
| Interface | Text-only, keyboard navigation | Graphical, mouse support available |
| Partition table | MBR (Master Boot Record) | GPT (GUID Partition Table) — also supports MBR |
| Max drive size | 2 TB (MBR limit) | 9.4 ZB (GPT limit — effectively unlimited) |
| Max primary partitions | 4 (MBR) | 128 (GPT) |
| Secure Boot | Not supported | Supported (required for Windows 11) |
| Boot speed | Slower initialisation | Faster — can use fast boot to skip POST |
| Network boot | PXE boot support | HTTP boot + PXE boot |
| Storage location | ROM / Flash chip on motherboard | Flash chip on motherboard (NVRAM) |

Why UEFI replaced BIOS

The 2 TB hard drive limit was the primary driver. MBR (Master Boot Record) uses 32-bit sector addressing, which caps out at 2 TB. When consumer hard drives exceeded 2 TB, a new standard was needed. GPT (GUID Partition Table), used by UEFI, uses 64-bit addressing and supports drives up to 9.4 ZB. UEFI also added Secure Boot and faster initialisation as significant improvements over BIOS.
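The following added example (not part of the original guide) parses the first two sectors of a disk image to tell MBR from GPT and reports how much of a drive MBR's 32-bit sector fields cannot address. It assumes 512-byte sectors; the function names and the sample images built by `build_sample` are constructed for illustration.

```python
import struct

SECTOR = 512                 # assumes 512-byte logical sectors
MBR_LBA_LIMIT = 2 ** 32      # MBR stores start LBA and length as 32-bit values


def parse_mbr(sector0: bytes):
    """Return the four MBR slots as (type, first_lba, sector_count)."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    return [(sector0[446 + 16 * i + 4],
             *struct.unpack_from("<II", sector0, 446 + 16 * i + 8))
            for i in range(4)]


def classify(image: bytes, disk_sectors: int) -> dict:
    """Decide MBR vs GPT from LBA 0-1 and report capacity MBR cannot address."""
    slots = parse_mbr(image[:SECTOR])
    lba1 = image[SECTOR:2 * SECTOR]
    # GPT disks carry a protective MBR (type 0xEE) plus "EFI PART" at LBA 1.
    if any(t == 0xEE for t, _, _ in slots) and lba1[:8] == b"EFI PART":
        (max_entries,) = struct.unpack_from("<I", lba1, 80)
        return {"scheme": "GPT", "max_partitions": max_entries,
                "unreachable_bytes": 0}
    reachable = min(disk_sectors, MBR_LBA_LIMIT)
    return {"scheme": "MBR", "max_partitions": 4,
            "unreachable_bytes": (disk_sectors - reachable) * SECTOR}


def build_sample(ptype: int, gpt: bool) -> bytes:
    """Constructed two-sector image: one partition slot, optional GPT header."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0, b"\0\0\0", ptype, b"\0\0\0",
                     1 if gpt else 2048, 0xFFFFFFFF)
    mbr[510:512] = b"\x55\xaa"
    lba1 = bytearray(SECTOR)
    if gpt:
        lba1[:8] = b"EFI PART"
        struct.pack_into("<I", lba1, 80, 128)   # number of partition entries
    return bytes(mbr + lba1)


FOUR_TB = 4 * 10 ** 12 // SECTOR                # sectors on a 4 TB drive

if __name__ == "__main__":
    print(classify(build_sample(0x07, gpt=False), FOUR_TB))
    print(classify(build_sample(0xEE, gpt=True), FOUR_TB))
```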

POST — Power-On Self-Test

Every time a computer is powered on, the BIOS/UEFI runs POST before anything else. POST is a diagnostic sequence that checks that essential hardware is present and functioning. If POST passes, the system beeps once (on systems with a speaker) and proceeds to load the bootloader. If POST fails, the system halts and signals the error via beep codes or on-screen error messages.

1. CPU check: The CPU is verified first — if the CPU is faulty, no further testing is possible. A CPU failure usually means the system doesn't start at all (no power light, no beeps, no display).

2. RAM check: RAM modules are tested. A continuous beep or 3 short beeps (depending on the BIOS manufacturer) typically indicates a RAM failure. Reseating or replacing RAM sticks is the first troubleshooting step.

3. Video card / display check: The video system is initialised. Without a working display, beep codes are the primary diagnostic output. 1 long + 2 short beeps (AMI BIOS) typically indicates a video card error.

4. Storage and peripheral check: Keyboards, storage drives, and other connected hardware are inventoried. A missing keyboard on older systems generates a POST error. Storage drives are detected and listed.

5. Handoff to bootloader: POST passes → BIOS/UEFI checks the configured boot order and hands execution to the first bootable device found (USB, hard drive, optical drive, network PXE). The bootloader loads the OS kernel.

🎯 A+ Exam — POST Beep Codes

The exact beep code meanings vary by BIOS manufacturer (AMI, Award, Phoenix), but the A+ exam tests the general concept rather than memorisation of specific codes. 1 short beep = POST passed successfully. Multiple beeps or continuous beeping = hardware failure. The number and pattern of beeps identify which component failed. If there is no beep at all and nothing displays, suspect the CPU, RAM, or power supply.

Boot Order (Boot Priority)

The boot order (also called boot priority or boot sequence) tells the BIOS/UEFI which devices to check for a bootable OS, and in what order. When POST completes, the firmware tries each device in the configured sequence and loads the OS from the first bootable one it finds.

Common boot order entries include: USB flash drive, DVD/optical drive, hard drive (HDD or SSD), network PXE boot, and SD card. A typical default boot order puts the hard drive first, so the installed OS loads normally. When you need to boot from a USB installer or recovery drive, you temporarily change the boot order to put USB first — or use a one-time boot menu (usually F11 or F12 at startup) to select the device without permanently changing the order.

Common BIOS/UEFI entry keys

The key to press during POST to enter BIOS/UEFI settings varies by manufacturer — but the A+ exam may test this. Common keys: Del or F2 (most common — Dell, ASUS, Lenovo), F10 (HP), F1 (IBM/Lenovo ThinkPad), Esc (some HP systems). The key is usually displayed briefly on screen during POST. On systems with fast boot enabled, you may need to hold the key or access UEFI settings from within Windows (Settings → Recovery → Advanced startup → UEFI Firmware Settings).

Secure Boot

Secure Boot is a UEFI security feature that prevents the computer from loading unauthorised bootloaders and early-startup drivers. When Secure Boot is enabled, the UEFI firmware checks the digital signature of each boot component — bootloader, kernel modules, UEFI drivers — against a database of trusted signatures (the db database) and a blocklist of known-bad signatures (the dbx database).

If the signature is trusted, the component loads. If the signature is missing or doesn't match a trusted key, the firmware refuses to load it and displays a Secure Boot violation error. This prevents bootkits — malware that loads before the OS and is invisible to antivirus software running inside the OS.

Windows 11 requires Secure Boot to be enabled. Most Linux distributions also support Secure Boot via Microsoft-signed shim bootloaders. When dual-booting or installing a custom OS, you may need to enrol additional trusted keys or temporarily disable Secure Boot — though disabling it reduces security.
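As an added example (not part of the original guide), this is one way to confirm from a running Linux system whether Secure Boot is actually enforcing, by decoding the `SecureBoot` and `SetupMode` UEFI variables exposed under efivarfs. The function names and finding labels are hypothetical, and the sample byte strings are constructed.

```python
import struct
from pathlib import Path

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variables
EFIVARS = Path("/sys/firmware/efi/efivars")


def decode_flag(raw: bytes) -> int:
    """efivarfs files are a 4-byte attribute word followed by the value."""
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 value byte, got {len(raw)}")
    _attributes, value = struct.unpack("<IB", raw)
    return value


def assess(secure_boot_raw, setup_mode_raw) -> str:
    """Map the SecureBoot and SetupMode variables to a finding label."""
    if secure_boot_raw is None:
        # Booted in legacy BIOS/CSM mode, or efivarfs is not mounted.
        return "no-uefi-variables"
    if setup_mode_raw is not None and decode_flag(setup_mode_raw) == 1:
        # No Platform Key enrolled, so signature checks are not enforced.
        return "setup-mode"
    return "enforcing" if decode_flag(secure_boot_raw) == 1 else "disabled"


def read_var(name: str, root: Path = EFIVARS):
    """Return the raw variable contents, or None if it does not exist."""
    path = root / f"{name}-{EFI_GLOBAL_GUID}"
    return path.read_bytes() if path.exists() else None


def audit_host(root: Path = EFIVARS) -> str:
    """Assess the machine this script runs on."""
    return assess(read_var("SecureBoot", root), read_var("SetupMode", root))


# Constructed samples: attribute word 0x06 (boot-service + runtime access),
# followed by the one-byte value.
SAMPLE_ON = bytes([0x06, 0, 0, 0, 1])
SAMPLE_OFF = bytes([0x06, 0, 0, 0, 0])

if __name__ == "__main__":
    print(audit_host())
```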

🎯 Secure Boot vs TPM — Know the Difference

Secure Boot = verifies the bootloader and early OS components haven't been tampered with. Enforced by UEFI firmware. Prevents bootkits.

TPM (Trusted Platform Module) = a hardware chip that stores cryptographic keys, certificates, and measurements of the boot state. Used by BitLocker to seal encryption keys and detect boot tampering. Both Secure Boot and TPM 2.0 are required for Windows 11.

They work together: Secure Boot ensures only trusted boot code runs; TPM records and seals measurements of the trusted boot state. If the boot chain changes (e.g., malware modifies the bootloader), TPM detects the change and BitLocker prompts for the recovery key.

CMOS and the CMOS Battery

CMOS (Complementary Metal-Oxide Semiconductor) is a small amount of memory on the motherboard that stores BIOS/UEFI settings — including the system date and time, boot order, and hardware configuration. Unlike regular RAM, CMOS is powered by a small lithium coin cell battery (usually a CR2032) so that settings are preserved when the computer is unplugged.

When the CMOS battery dies, the system loses its BIOS settings every time it is powered off. Common symptoms include: the system date and time resetting to a default (January 1, 2000 or similar), incorrect boot order on every startup, or a BIOS/CMOS checksum error message during POST. Replacing the CR2032 battery (a $1–2 part) resolves this.

Clearing CMOS resets BIOS settings to factory defaults. This is used to recover from a forgotten BIOS password, fix a misconfigured BIOS that prevents booting, or recover from a failed BIOS flash. Most motherboards have a dedicated CMOS reset jumper; alternatively, removing the CMOS battery for 30 seconds with the system unplugged clears the settings.

Other Key BIOS/UEFI Settings

BIOS / Supervisor Password: A password that must be entered to access BIOS settings. Prevents unauthorised users from changing boot order, disabling Secure Boot, or altering hardware configuration. A separate boot password can require a password before the OS loads.

Fast Boot / Quick Boot: Skips parts of POST (like RAM testing) to reduce boot time. Useful on modern systems where hardware is reliable. Disable fast boot when troubleshooting POST errors or when you need to access the BIOS setup utility during startup.

Virtualization Support (VT-x / AMD-V): Enables CPU-level hardware virtualisation. Must be enabled in BIOS before hypervisors like Hyper-V, VirtualBox, or VMware Workstation can run 64-bit guest VMs. Often disabled by default on new systems.

Fan Speed & Thermal Settings: BIOS/UEFI displays current CPU and system temperatures and fan speeds. Fan curve profiles (Silent, Standard, Performance) can be set here. Useful for diagnosing thermal throttling or overheating issues before the OS boots.

BIOS Flashing / Firmware Update: BIOS firmware can be updated (flashed) to add features, fix bugs, or add CPU support. Never interrupt a BIOS flash — a failed flash can brick the motherboard. Most modern systems support flashing from a USB drive within the UEFI interface.

PXE Boot (Network Boot): Allows booting from a network server rather than local storage. Used by IT departments to deploy OS images to many machines simultaneously. Must be enabled in BIOS and set in boot order. The system requests a DHCP address and downloads a boot image from a TFTP server.

Exam Scenarios

Scenario: A technician turns on a computer and hears 3 short beeps. The screen is blank. What is the most likely cause? Answer: RAM failure. Reseat or replace the RAM sticks. Multiple short beeps during POST indicate a memory error on most BIOS implementations.
Scenario: Every time a computer is unplugged from power overnight, the system clock resets to January 1, 2000 and the boot order changes. What component needs to be replaced? Answer: The CMOS battery (CR2032). A dead CMOS battery causes BIOS settings to reset when main power is removed.
Scenario: A user wants to install Windows 11 but the installer reports that the PC doesn't meet requirements. The CPU and RAM are sufficient. What two BIOS settings should the technician check first? Answer: Secure Boot (must be enabled) and TPM 2.0 (must be present and enabled). Both are mandatory Windows 11 requirements.
Scenario: A technician needs to boot a PC from a USB drive to run a diagnostic tool. The PC currently boots straight to Windows without showing POST. What are the two options? Answer: (1) Enter BIOS and change boot order to put USB first, or (2) press F11/F12 during startup for a one-time boot device selection menu. If fast boot is enabled, it may need to be disabled first.
Scenario: A technician installs VirtualBox on a Windows PC but cannot create 64-bit virtual machines. Only 32-bit is available. What is the most likely cause? Answer: Hardware virtualisation (VT-x or AMD-V) is disabled in BIOS. Enable it in BIOS/UEFI settings under CPU or Advanced settings.
Scenario: What is the difference between MBR and GPT, and when does it matter for the A+ exam? Answer: MBR (used with legacy BIOS) supports a maximum of 2 TB and 4 primary partitions. GPT (used with UEFI) supports drives over 2 TB and up to 128 partitions. When installing Windows on a drive larger than 2 TB, GPT partitioning is required.

UEFI vs BIOS — Practical Exam Implications

For A+ candidates, the distinction between legacy BIOS and UEFI affects several practical decisions that appear in exam scenarios and in real-world field work.

Drive partition scheme: legacy BIOS systems use MBR (Master Boot Record) partitioning; UEFI systems use GPT (GUID Partition Table). MBR limits drives to 2 TB maximum and allows a maximum of 4 primary partitions. GPT supports drives up to 9.4 ZB (effectively unlimited) and allows up to 128 primary partitions. If you're installing Windows on a drive larger than 2 TB, GPT is required — which means UEFI mode must be used. If you're installing Windows 11, GPT + UEFI + Secure Boot + TPM 2.0 are all mandatory. For exam scenarios: if a technician reports that a new 4 TB drive is only showing 2 TB capacity, the likely cause is MBR partitioning — convert to GPT and use UEFI mode to access the full capacity.

Boot modes: most modern systems support both UEFI native mode and UEFI with CSM (Compatibility Support Module) enabled. CSM provides legacy BIOS emulation, allowing older operating systems and bootloaders to work on UEFI hardware. When CSM is enabled, the system can boot MBR disks; when CSM is disabled (pure UEFI mode), only GPT disks with UEFI bootloaders are supported. Windows 11 requires CSM to be disabled. If a technician installs a UEFI-capable OS but the system won't boot, checking whether the drive was formatted as MBR instead of GPT is a common diagnostic step.

Secure Boot compatibility: some older operating systems (Windows 7, older Linux distributions without UEFI Secure Boot support) are incompatible with Secure Boot. Disabling Secure Boot in BIOS allows these older systems to boot. Linux distributions that use a Microsoft-signed shim bootloader (Ubuntu, Fedora, RHEL) support Secure Boot on UEFI systems. For exam scenarios: if a customer wants to dual-boot Linux alongside Windows and the Linux installer fails to boot, a common cause is Secure Boot preventing the Linux bootloader from loading — the solution is either disabling Secure Boot or using a distribution with Secure Boot support.

TPM — Trusted Platform Module

The TPM (Trusted Platform Module) is a dedicated security chip (or firmware-based implementation) that is configured and managed through BIOS/UEFI. TPM has become critical to understand for A+ candidates because it is a mandatory requirement for Windows 11, and because it underpins several important security features.

At its core, a TPM is a cryptographic coprocessor that can generate, store, and use cryptographic keys without exposing the private key material to the main CPU or operating system. The key material never leaves the TPM chip — cryptographic operations are performed inside the secure boundary of the chip. This means that even if an attacker compromises the operating system, they cannot extract the TPM-protected keys.

The most important consumer-facing application of TPM is BitLocker disk encryption on Windows. BitLocker uses the TPM to bind the disk encryption key to the specific hardware configuration of the computer. When the system boots, the TPM verifies that the hardware hasn't changed (boot loader, firmware, hardware components match expected measurements — called "PCR values"). If verification passes, the TPM releases the disk encryption key and Windows boots normally without requiring the user to enter a decryption password. If someone moves the hard drive to a different computer or tries to boot from external media to bypass Windows security, the hardware measurements don't match — the TPM refuses to release the key, and the drive remains encrypted and unreadable.

For A+ exam scenarios: TPM is required for BitLocker without a startup PIN, required for Windows 11 installation, and is enabled/disabled in BIOS/UEFI settings. If a question asks why BitLocker prompts for a recovery key when a PC's motherboard was replaced, the answer is that changing the motherboard changes the TPM chip (or its stored measurements), causing the BitLocker protection to lock until the recovery key is entered.
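The sealing behaviour described above can be modelled in a few lines. This added example (not part of the original guide) simulates a single SHA-256 PCR being extended with each boot component and a key that is released only when the resulting value matches the one it was sealed to. `ToyTPM` is a hypothetical stand-in, not a real TPM interface, and the boot-chain byte strings are constructed placeholders.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 PCR; real TPMs expose a bank of them


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain) -> bytes:
    """Replay a boot chain, in order, into a PCR that resets to all zeros."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Hypothetical stand-in for a TPM that seals a secret to one PCR value."""

    def __init__(self):
        self._sealed = {}

    def seal(self, name: str, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed[name] = (secret, expected_pcr)

    def unseal(self, name: str, current_pcr: bytes):
        secret, expected = self._sealed[name]
        # Release the secret only when the measured state matches the policy.
        return secret if hmac.compare_digest(expected, current_pcr) else None


# Constructed sample boot chains (placeholder byte strings, not real images).
GOOD_CHAIN = [b"uefi-firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_CHAIN = [b"uefi-firmware-v1", b"bootloader-v1-modified", b"kernel-v1"]


def boot_and_unlock(tpm: ToyTPM, chain):
    """Return the volume key if this boot's measurements match, else None."""
    return tpm.unseal("volume-key", measure_boot(chain))


def demo():
    """Seal against the good chain, then boot both chains."""
    tpm = ToyTPM()
    tpm.seal("volume-key", b"constructed-volume-key", measure_boot(GOOD_CHAIN))
    return boot_and_unlock(tpm, GOOD_CHAIN), boot_and_unlock(tpm, TAMPERED_CHAIN)


if __name__ == "__main__":
    print(demo())
```

Because each extend hashes the previous PCR value, the final value depends on every component and on their order, so a change anywhere in the chain is enough to withhold the key.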

BIOS/UEFI Security Settings

Several BIOS/UEFI settings have direct security implications and are tested on both A+ and Security+ in different contexts.

Supervisor/Administrator Password (BIOS password): a password required to access and modify BIOS settings. Without this, anyone with physical access to the machine can change boot order, disable Secure Boot, or enable insecure interfaces. Setting a BIOS password is a basic physical security control. It can be reset by removing the CMOS battery (on desktop systems) or by a BIOS reset jumper — meaning it protects against casual tampering but not determined physical attackers.

User Password: a separate password that prevents the system from booting without entering a password. This is distinct from the OS login — it prevents boot even before the OS loads. Combined with full-disk encryption (BitLocker/FileVault), this provides strong protection for stolen laptops.

Chassis intrusion detection: some motherboards have a header for a physical sensor on the case that detects if the case has been opened. When triggered, BIOS records the intrusion event and can alert on next boot. This is a physical security control that logs unauthorized case access — relevant for server environments and high-security workstations.

Disabling unused ports and interfaces: BIOS/UEFI can disable USB ports, Thunderbolt, FireWire, Wi-Fi, and Bluetooth at the firmware level. This prevents unauthorized peripherals from being connected even if the OS's device management policies are bypassed. In high-security environments (government, financial trading floors), disabling USB ports in BIOS is a common data exfiltration prevention control — more effective than OS-level USB restrictions because it cannot be bypassed by booting from external media.

UEFI Firmware Attacks

UEFI firmware attacks are an advanced threat category covered on Security+ and represent one of the most persistent and difficult-to-detect malware types. Because firmware runs before the operating system, malware embedded in UEFI firmware survives OS reinstallation, hard drive replacement, and most incident response procedures.

UEFI bootkits are malware that infects the UEFI firmware itself or the EFI System Partition (ESP). Once installed, the bootkit executes at every boot before the OS loads, making it effectively invisible to OS-level security tools. Notable examples include LoJax (2018, APT28/Fancy Bear) — the first publicly documented UEFI rootkit used in real attacks. Secure Boot is a primary defense because it verifies that only signed, trusted code executes in the boot chain — including UEFI drivers and the bootloader.

Defenses against UEFI attacks include enabling Secure Boot, enabling UEFI firmware write protection, keeping firmware updated through vendor channels, and using TPM-based attestation (which measures the firmware state and reports if it has changed). Enterprise systems can use tools like Microsoft's Secured-Core PC requirements, which mandate hardware-based protections specifically designed to defend against firmware attacks.
