220-1101 | Chapter 59 of 123 | Objective 3.1

BIOS and UEFI Settings

This chapter covers BIOS and UEFI settings, a core topic for the CompTIA A+ 220-1101 exam under Objective 3.1 (Hardware). You will learn the fundamental differences between legacy BIOS and modern UEFI firmware, how to navigate and configure firmware settings, and which specific settings are most likely to appear on the exam. Approximately 5-10% of the 220-1101 exam questions touch on firmware configuration, boot order, and security features like Secure Boot.

Updated May 31, 2026

BIOS/UEFI: The Ship's Control Room

Think of a computer as a massive cargo ship. The operating system is the captain and crew, navigating and managing cargo. But before the captain can even step aboard, the ship must have a functioning control room with basic systems: power distribution, engine startup, navigation lights, and a communication panel. That control room is the BIOS or UEFI. It's the first thing that powers on when the ship gets electricity. The control room's primary job is to perform a 'pre-departure checklist' — checking that all essential subsystems (engine, rudder, fuel pumps) are present and responsive. It then loads the captain's navigation chart (the bootloader) from a designated storage locker (the boot drive). In older ships (BIOS), the control room uses a simple, one-at-a-time, 16-bit instruction set to check each system, and it can only read charts from a small section of the locker (MBR). In modern ships (UEFI), the control room is far more sophisticated: it can run 32-bit or 64-bit instructions, has a graphical interface, can read charts from anywhere on the locker (GPT), and even has a small 'emergency navigation program' (UEFI shell) that can operate independently of the captain. The control room also stores configuration settings — like which locker to check first, engine timing (clock speed), and voltage levels — in a small, battery-backed notepad (CMOS). If the battery dies, the notepad resets to factory defaults, and the ship might not start correctly.

How It Actually Works

What is BIOS and UEFI?

BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface) are firmware interfaces that initialize hardware and load the operating system. They are the first code executed when a computer powers on. BIOS has been around since the early 1980s, while UEFI is its modern replacement, introduced around 2005. The CompTIA A+ 220-1101 exam expects you to understand both, but UEFI is now standard on all modern systems.

Why the Transition from BIOS to UEFI?

BIOS has several limitations that UEFI addresses:

- 16-bit mode: BIOS runs in real mode, limiting it to 1 MB of addressable space. UEFI runs in 32-bit or 64-bit protected mode.
- MBR partitioning: BIOS uses Master Boot Record (MBR), which supports disks up to 2 TB and only 4 primary partitions. UEFI uses GUID Partition Table (GPT), which supports disks larger than 2 TB and up to 128 partitions.
- Slow initialization: BIOS performs Power-On Self-Test (POST) sequentially. UEFI initializes multiple devices in parallel, resulting in faster boot times.
- No built-in security: BIOS lacks Secure Boot. UEFI includes Secure Boot, which verifies the bootloader's digital signature to prevent malware.
- Limited user interface: BIOS typically has a text-based interface. UEFI can support a graphical interface and mouse input.

How UEFI Boots: Step-by-Step Mechanism

1. Power-on: The CPU receives a reset signal and begins executing code at a fixed address in the firmware (typically the UEFI firmware ROM).

2. Security Phase (SEC): The CPU cache acts as RAM (Cache as RAM, or CAR) to set up a temporary stack. This phase validates the firmware integrity using a digital signature.

3. Pre-EFI Initialization (PEI): The firmware initializes the memory controller and discovers system memory (RAM). It also identifies the boot device.

4. Driver Execution Environment (DXE): The UEFI drivers for devices like storage controllers, network adapters, and graphics cards are loaded. The System Management BIOS (SMBIOS) tables are populated with hardware information.

5. Boot Device Selection (BDS): The firmware checks the boot order list (stored in NVRAM). For each device, it looks for an EFI System Partition (ESP) containing a bootloader (e.g., \EFI\BOOT\BOOTX64.EFI for x64 systems). The first valid bootloader is executed.

6. Runtime Phase: The bootloader loads the OS kernel. UEFI then transitions to runtime mode, where it provides runtime services (e.g., GetVariable, SetVariable, GetTime) to the OS via the UEFI Runtime Interface.

Key Components and Settings

#### Boot Order

- Stored in NVRAM (non-volatile RAM).
- Typical order: USB > CD/DVD > Internal HDD/SSD > Network (PXE).
- Exam tip: If a system fails to boot after adding a new drive, check the boot order. If the system boots from the wrong device, rearrange the order.

#### Secure Boot

- A UEFI feature that ensures only signed bootloaders and drivers are executed.
- Requires UEFI firmware and a GPT disk.
- Keys: Platform Key (PK), Key Exchange Key (KEK), and db/dbx databases (signature database and revoked signatures database).
- Common exam scenario: Installing an unsigned OS (e.g., older Linux) fails on a UEFI system with Secure Boot enabled. Disable Secure Boot or enroll a custom key.
- Default: Enabled on Windows 10/11 certified systems.
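The Boot Order and Secure Boot settings above are stored as UEFI variables, which Linux exposes as files under /sys/firmware/efi/efivars. The following added example (not part of the original chapter) decodes BootOrder, the Boot#### load options, and the SecureBoot/SetupMode pair so the configured state can be checked from the OS; the sample variable contents and helper names are constructed for illustration.

```python
import struct

GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID
LOAD_OPTION_ACTIVE = 0x00000001

def payload(raw):
    """Drop the 4-byte attribute word efivarfs stores before the data."""
    if len(raw) < 4:
        raise ValueError("truncated efivarfs variable")
    return raw[4:]

def parse_boot_order(raw):
    """BootOrder is an array of little-endian UINT16 option numbers."""
    data = payload(raw)
    if len(data) % 2:
        raise ValueError("BootOrder length is not a multiple of 2")
    return ["Boot%04X" % n for (n,) in struct.iter_unpack("<H", data)]

def parse_load_option(raw):
    """Decode a Boot#### variable (EFI_LOAD_OPTION)."""
    data = payload(raw)
    attrs, path_len = struct.unpack_from("<IH", data, 0)
    end = 6  # description: NUL-terminated UTF-16LE string after the header
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    nodes = data[end + 2:end + 2 + path_len]
    if end + 2 > len(data) or len(nodes) != path_len:
        raise ValueError("malformed load option")
    loader, pos = None, 0
    while pos + 4 <= len(nodes):  # walk the device path node by node
        ntype, subtype, length = struct.unpack_from("<BBH", nodes, pos)
        if length < 4 or pos + length > len(nodes):
            raise ValueError("malformed device path node")
        if ntype == 0x7F:  # end-of-device-path node
            break
        if (ntype, subtype) == (0x04, 0x04):  # media device path, file path
            loader = nodes[pos + 4:pos + length].decode("utf-16-le").rstrip("\x00")
        pos += length
    return {"description": data[6:end].decode("utf-16-le"),
            "active": bool(attrs & LOAD_OPTION_ACTIVE), "loader": loader}

def boot_sequence(variables):
    """Entries in firmware order; missing or inactive options are skipped."""
    seq = []
    for name in parse_boot_order(variables["BootOrder-" + GUID]):
        raw = variables.get(name + "-" + GUID)
        opt = parse_load_option(raw) if raw is not None else None
        if opt and opt["active"]:
            seq.append((name, opt["description"], opt["loader"]))
    return seq

def secure_boot_state(variables):
    """Combine the one-byte SetupMode and SecureBoot variables."""
    if payload(variables["SetupMode-" + GUID])[:1] == b"\x01":
        return "setup mode"  # no Platform Key enrolled, nothing is enforced
    on = payload(variables["SecureBoot-" + GUID])[:1] == b"\x01"
    return "enabled" if on else "disabled"

def sample_option(desc, loader, active=True):
    """Build a constructed Boot#### value for the demonstration."""
    path = (loader + "\0").encode("utf-16-le")
    nodes = struct.pack("<BBH", 0x04, 0x04, 4 + len(path)) + path
    nodes += struct.pack("<BBH", 0x7F, 0xFF, 4)
    head = struct.pack("<IH", LOAD_OPTION_ACTIVE if active else 0, len(nodes))
    return b"\x07\x00\x00\x00" + head + (desc + "\0").encode("utf-16-le") + nodes

SAMPLE_VARS = {  # constructed; live data is in /sys/firmware/efi/efivars/
    "BootOrder-" + GUID: b"\x07\x00\x00\x00" + struct.pack("<3H", 3, 0, 1),
    "Boot0000-" + GUID: sample_option("Windows Boot Manager",
                                      "\\EFI\\Microsoft\\Boot\\bootmgfw.efi"),
    "Boot0001-" + GUID: sample_option("Fallback", "\\EFI\\BOOT\\BOOTX64.EFI"),
    "Boot0003-" + GUID: sample_option("USB", "\\EFI\\BOOT\\BOOTX64.EFI", False),
    "SecureBoot-" + GUID: b"\x06\x00\x00\x00\x01",
    "SetupMode-" + GUID: b"\x06\x00\x00\x00\x00",
}

if __name__ == "__main__":
    print(boot_sequence(SAMPLE_VARS), secure_boot_state(SAMPLE_VARS))
```

In the sample, Boot0003 is listed first in BootOrder but is marked inactive, so the first entry the firmware would actually try is Boot0000.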

#### TPM (Trusted Platform Module)

- A hardware security chip that stores cryptographic keys, passwords, and certificates.
- Used by BitLocker Drive Encryption and Windows Hello.
- In firmware settings, you can enable/disable TPM, clear TPM, or set TPM to be activated/deactivated.
- Exam tip: If BitLocker asks for a recovery key after a hardware change, the TPM may need to be reset or initialized.

#### Virtualization Support

- Intel VT-x (Virtualization Technology) or AMD-V (AMD Virtualization).
- Must be enabled in firmware for hypervisors like Hyper-V, VMware Workstation, or VirtualBox to run 64-bit guest VMs.
- Commonly found under a menu called "Advanced" or "CPU Configuration."
- Exam tip: If a VM fails to start with an error about VT-x/AMD-V, check that the feature is enabled in BIOS/UEFI.

#### BIOS/UEFI Password

- User Password: Required to boot the system.
- Supervisor/Administrator Password: Required to enter the firmware settings.
- If you forget the supervisor password, you may need to clear the CMOS (remove the battery or use a jumper) or contact the motherboard manufacturer.
- Exam tip: A user password does NOT prevent access to firmware settings unless a supervisor password is also set.

#### Legacy Boot (CSM)

- Compatibility Support Module (CSM) allows UEFI firmware to boot legacy BIOS-style operating systems (e.g., Windows 7) from MBR disks.
- Disabling CSM forces UEFI-only boot, which is required for Secure Boot.
- Exam tip: Some systems require CSM disabled to enable Secure Boot.

Configuration and Verification

To access firmware settings:

During POST, press a specific key: usually Del, F2, F10, F12, or Esc.

In Windows 10/11: Settings > Update & Security > Recovery > Advanced Startup > Restart Now > Troubleshoot > Advanced Options > UEFI Firmware Settings.

Common firmware menus:

- Main: System information, date/time, language.
- Advanced: CPU configuration, SATA configuration, USB configuration, virtualization.
- Boot: Boot order, boot mode (UEFI/Legacy), Secure Boot, Fast Boot.
- Security: Passwords, TPM configuration, Secure Boot key management.
- Save & Exit: Save changes and exit, discard changes and exit, load optimized defaults.

Interaction with Related Technologies

GPT vs. MBR: UEFI requires GPT for booting. BIOS requires MBR. If you install Windows 10 on a GPT disk with BIOS, it will not boot. The firmware mode must match the partition style.

Fast Boot: A UEFI feature that skips some POST steps to boot faster. It can cause issues with USB devices not being detected during boot, preventing access to firmware settings from a cold start.

Network Boot (PXE): Both BIOS and UEFI support PXE, but UEFI uses a different network stack (UEFI Network Stack must be enabled).
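The GPT vs. MBR rule above can be checked directly from the first sectors of a disk. The following added example (not part of the original chapter) classifies a disk image as GPT or MBR, looks for an EFI System Partition, and applies the pairing rule as this chapter states it; it assumes 512-byte sectors, and the sample images and function names are constructed for illustration.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors
# On-disk (mixed-endian) form of the EFI System Partition type GUID
ESP_TYPE = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b").bytes_le

def mbr_types(img):
    """Partition type byte of each of the four MBR slots (table at offset 446)."""
    return [img[446 + 16 * i + 4] for i in range(4)]

def partition_style(img):
    """Return 'GPT', 'MBR' or 'none' for the first sectors of a disk."""
    if len(img) < SECTOR or img[510:512] != b"\x55\xaa":
        return "none"
    if 0xEE in mbr_types(img) and img[SECTOR:SECTOR + 8] == b"EFI PART":
        return "GPT"  # protective MBR plus a GPT header at LBA 1
    return "MBR" if any(mbr_types(img)) else "none"

def has_esp(img):
    """True if an EFI System Partition is listed in the partition table."""
    style = partition_style(img)
    if style == "MBR":
        return 0xEF in mbr_types(img)
    if style != "GPT" or len(img) < 2 * SECTOR:
        return False
    (entry_lba,) = struct.unpack_from("<Q", img, SECTOR + 72)
    count, size = struct.unpack_from("<II", img, SECTOR + 80)
    if size < 128:
        return False  # malformed header
    for i in range(count):
        off = entry_lba * SECTOR + i * size
        if off + 16 > len(img):
            break  # entry array extends past the bytes we were given
        if img[off:off + 16] == ESP_TYPE:
            return True
    return False

def boot_verdict(img, firmware_mode, csm_enabled=False):
    """Apply the chapter's pairing rule: UEFI with GPT, legacy BIOS with MBR."""
    style = partition_style(img)
    if style == "none":
        return "no partition table found"
    if firmware_mode == "BIOS":
        return "ok" if style == "MBR" else "mismatch: GPT disk, legacy BIOS"
    if style == "GPT":
        return "ok" if has_esp(img) else "GPT disk without an ESP"
    if csm_enabled:
        return "ok via CSM (legacy boot path, so no Secure Boot)"
    return "mismatch: MBR disk, UEFI-only boot"

def sample_mbr(ptype):
    """Constructed sector 0 holding one partition of the given type."""
    s = bytearray(SECTOR)
    s[446 + 4] = ptype
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def sample_gpt(with_esp=True):
    """Constructed protective MBR, GPT header and 128-entry array."""
    hdr = bytearray(SECTOR)
    hdr[0:8] = b"EFI PART"
    struct.pack_into("<Q", hdr, 72, 2)          # entry array starts at LBA 2
    struct.pack_into("<II", hdr, 80, 128, 128)  # 128 entries of 128 bytes
    entries = bytearray(128 * 128)
    if with_esp:
        entries[0:16] = ESP_TYPE
    return sample_mbr(0xEE) + bytes(hdr) + bytes(entries)

if __name__ == "__main__":
    for img, mode in [(sample_gpt(), "UEFI"), (sample_mbr(0x07), "UEFI"),
                      (sample_gpt(), "BIOS")]:
        print(partition_style(img), mode, "->", boot_verdict(img, mode))
```

On a real system the same functions can be fed the first 34 sectors of the disk read from a forensic image, which is enough to cover the protective MBR, the GPT header and a standard 128-entry array.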

Common Default Values

Boot order: Typically internal HDD/SSD first, then removable devices, then network.

Secure Boot: Enabled (on Windows 10/11 certified systems).

Fast Boot: Enabled.

Virtualization: Disabled (for security and compatibility).

TPM: Disabled (must be enabled for BitLocker).

CSM: Enabled (on systems that may need legacy boot).

Firmware Update (Flashing)

Firmware can be updated via a utility within the firmware itself (e.g., ASUS EZ Flash), from within the OS (e.g., Windows-based updater), or via a bootable USB.

Risk: If power is lost during a flash, the motherboard may be bricked. Some modern motherboards have dual BIOS to recover.

Exam tip: Always back up current firmware settings before updating. Use a UPS to prevent power loss.

Troubleshooting Firmware Issues

System does not boot: Check boot order, ensure boot mode (UEFI/Legacy) matches the OS installation type.

"No bootable device" error: Verify the drive is detected in firmware, check SATA cable/connection, ensure partition style matches firmware mode.

CMOS checksum error: Indicates the CMOS battery is dead or the firmware settings are corrupted. Replace the battery (usually CR2032) or load default settings.

Overclocking failures: If the system fails to POST after overclocking, clear CMOS by removing the battery or using the CLR_CMOS jumper.

Secure Boot errors: If an error like "Secure Boot Violation" appears, disable Secure Boot or check that the bootloader is signed.

Exam-Specific Details

The A+ 220-1101 exam may ask you to identify the purpose of specific firmware settings like "Secure Boot," "TPM," "VT-x," and "Boot Sequence."

You may be given a scenario (e.g., a user wants to enable BitLocker) and asked which firmware setting must be enabled (TPM).

You may be asked to configure boot order to boot from a USB drive.

Understand the difference between a User password and a Supervisor password.

Know that clearing CMOS resets all firmware settings to defaults, including boot order and passwords (if no supervisor password is set).

Be aware that UEFI supports mouse input, while BIOS typically does not.

Know that Secure Boot requires UEFI and a GPT disk.

Understand that Fast Boot can prevent access to firmware settings via hotkeys because USB devices are not initialized quickly enough.

Walk-Through

1. Entering the Firmware Setup

At system power-on, the firmware begins POST. During the initial phase, the system checks for a key press from the keyboard. Common keys are Del, F2, F10, F12, or Esc. The exact key is often displayed briefly on screen (e.g., 'Press DEL to enter Setup'). If the system boots too quickly (due to Fast Boot), you may need to use Windows' advanced startup options to access UEFI firmware settings: Settings > Update & Security > Recovery > Advanced Startup > Restart Now > Troubleshoot > Advanced Options > UEFI Firmware Settings. Once inside, you see a menu-driven interface, which may be text-based (legacy BIOS) or graphical (UEFI).

2. Navigating to Boot Settings

In the firmware interface, use arrow keys (or mouse if supported) to navigate to the Boot tab or menu. Common sections include Main, Advanced, Boot, Security, and Save & Exit. The Boot menu contains settings like Boot Mode (UEFI/Legacy), Boot Order, Secure Boot, Fast Boot, and CSM. Boot Order lists all detected bootable devices. Use +/- keys or F5/F6 to change the priority. The first device in the list is checked first for a bootable OS. If it fails, the next device is tried, and so on.

3. Enabling Virtualization Technology

Virtualization support (Intel VT-x or AMD-V) is typically found under the Advanced menu, often in a submenu called CPU Configuration or Processor Settings. Look for entries like 'Intel Virtualization Technology' or 'SVM Mode' (for AMD). Set them to Enabled. Some systems also have 'VT-d' (Directed I/O) for PCI passthrough. After enabling, press F10 to save and exit. The system will reboot. To verify, you can use tools like 'msinfo32' in Windows (look for 'Virtualization enabled in firmware') or 'lscpu' in Linux (look for 'vmx' or 'svm' flags).

4. Configuring Secure Boot

Secure Boot is typically in the Boot or Security menu. To enable it, you must have UEFI boot mode selected and CSM disabled (or set to UEFI only). Secure Boot may have options like 'Enabled,' 'Disabled,' or 'Custom.' In 'Custom' mode, you can manage keys (PK, KEK, db, dbx). For most users, 'Standard' or 'Enabled' is sufficient. If you install a non-Microsoft OS, you may need to disable Secure Boot or enroll a custom key. After changing, save and exit. If the system fails to boot, re-enter firmware and disable Secure Boot.

5. Enabling TPM for BitLocker

TPM (Trusted Platform Module) settings are usually under the Security menu. Look for 'TPM Configuration,' 'Security Chip,' or 'Intel Platform Trust Technology' (PTT). Set it to 'Enabled' or 'Available.' Some systems allow you to 'Activate' or 'Enable' TPM. You may also need to 'Clear TPM' if you are resetting the system. After enabling, save and exit. In Windows, run 'tpm.msc' to verify TPM is ready. If TPM is not detected, ensure that the firmware setting is saved and the system has been rebooted.

What This Looks Like on the Job

Enterprise Deployment Scenarios

Scenario 1: Standardizing UEFI Settings Across Thousands of Desktops

A large enterprise rolls out new Dell OptiPlex desktops with Windows 10. The IT team needs to ensure all systems have Secure Boot enabled, TPM enabled for BitLocker, and virtualization enabled for developer VMs. They use Dell Command | Configure (a tool to modify BIOS settings from Windows) to push a configuration XML via Group Policy. The XML sets:

- BootMode=Uefi
- SecureBoot=Enabled
- TpmState=Enabled
- IntelVirtualizationTechnology=Enabled
- FastBoot=Minimal

This ensures consistent security and performance. If a user accidentally changes settings, the next Group Policy refresh reverts them. Common pitfall: Some older models require CSM enabled for certain peripherals, so the team maintains a separate configuration for those models.

Scenario 2: Troubleshooting a Server That Won't Boot After a Firmware Update

A data center technician updates the firmware on a Dell PowerEdge server to patch a security vulnerability. After the update, the server fails to POST, showing a blank screen. The technician suspects the firmware update corrupted the boot configuration. They power off the server, open the chassis, and locate the CMOS clear jumper (typically labeled CLR_CMOS). They move the jumper from pins 1-2 to 2-3 for 10 seconds, then back. This resets the firmware to factory defaults. The server boots, and the technician reconfigures the boot order and RAID settings from the firmware interface. Lesson: Always back up firmware settings before an update. Many enterprise servers have a 'Save Configuration' feature that exports settings to a file.

Scenario 3: Enabling PXE Boot for Mass OS Deployment

A school district needs to deploy Windows 11 to 500 identical lab computers. They use a PXE server with Microsoft Deployment Toolkit (MDT). The firmware settings must be configured to boot from the network first. The IT team creates a bootable USB with a script that uses the UEFI Shell to change boot order variables. Alternatively, they use a tool like Dell CCTK (Client Configuration Toolkit) to set BootSeq to include the network adapter. They also ensure UEFI Network Stack is enabled in the firmware. During deployment, each computer boots from PXE, loads the WinPE image, and connects to the MDT server. Common issue: If Secure Boot is enabled, the PXE bootloader must be signed. The team uses a signed bootloader from Microsoft or disables Secure Boot during deployment (then re-enables it afterward).

How 220-1101 Actually Tests This

What the 220-1101 Exam Tests on BIOS/UEFI Settings

The exam objectives for 220-1101 under 3.1 (Hardware) include: 'Given a scenario, install and configure motherboards, central processing units (CPUs), and add-on cards.' Within this, you must know how to configure BIOS/UEFI settings including boot order, enabling/disabling devices, date/time, passwords, virtualization support, Secure Boot, TPM, and firmware upgrades. The exam expects you to apply this knowledge in troubleshooting scenarios.

Common Wrong Answers and Why Candidates Choose Them

1. Confusing Secure Boot with TPM: A question asks 'Which firmware setting must be enabled to use BitLocker Drive Encryption?' Many candidates answer 'Secure Boot' because both are security features. The correct answer is TPM. BitLocker uses TPM to store the encryption key. Secure Boot only verifies the bootloader.

2. Thinking BIOS password prevents OS boot: A question says 'A user sets a supervisor password in BIOS. What does this prevent?' Some answer 'Prevents the computer from booting.' Actually, a supervisor password prevents unauthorized changes to BIOS settings, not booting. A user password (if set) prevents booting. This distinction is critical.

3. Assuming UEFI requires a mouse: While UEFI can support a mouse, it is not required. Many UEFI interfaces are still keyboard-driven. The exam may ask about UEFI features; mouse support is a possible feature but not a requirement.

4. Believing clearing CMOS removes passwords: Clearing CMOS (by battery removal or jumper) resets all firmware settings to defaults, including the supervisor password. However, on some enterprise systems, the supervisor password is stored in a separate NVRAM that is not cleared by CMOS reset. The exam typically assumes standard consumer behavior where clearing CMOS does remove passwords.

Specific Numbers and Terms to Memorize

CMOS battery: CR2032 coin cell, 3V.

POST beep codes: Award BIOS (1 long, 2 short = video error), AMI BIOS (8 short = video memory error).

Secure Boot key databases: PK, KEK, db, dbx.

TPM versions: TPM 1.2 (legacy) and TPM 2.0 (current). Windows 11 requires TPM 2.0.

Boot mode keys: F12 often opens boot menu (one-time boot).

Default boot order: Internal HDD/SSD, then optical drive, then USB, then network.

Edge Cases and Exceptions

UEFI boot from MBR disk: Not possible. UEFI requires GPT for booting. If you see a system with UEFI and MBR, it will not boot unless CSM is enabled.

Fast Boot and USB boot: With Fast Boot enabled, USB devices may not be initialized quickly enough to be detected for boot. To boot from USB, disable Fast Boot or use the one-time boot menu (F12).

Dual boot with Secure Boot: Some Linux distributions (Ubuntu, Fedora) support Secure Boot with a signed shim. Others may require Secure Boot disabled.

Firmware update failure: If power is lost during a firmware update, the motherboard may be unrecoverable. Some boards have a backup BIOS (dual BIOS) that can be switched manually.

How to Eliminate Wrong Answers

If the scenario involves BitLocker, look for TPM-related answers (Enable TPM, Initialize TPM). Avoid Secure Boot unless the question is about verifying bootloader signatures.

If the question is about booting from a USB, focus on boot order settings, not Secure Boot or TPM.

If the question involves virtualization, look for VT-x/AMD-V or SVM Mode. Do not confuse with 'Hyper-V' (which is a Windows feature, not a firmware setting).

If the question is about password protection, determine whether it is for accessing firmware settings (supervisor) or for booting (user).

Key Takeaways

UEFI is the modern replacement for BIOS; it runs in 32/64-bit mode, uses GPT, and supports Secure Boot.

Secure Boot requires UEFI and a GPT disk; it ensures only signed bootloaders execute.

TPM (Trusted Platform Module) must be enabled in firmware for BitLocker Drive Encryption.

Virtualization support (Intel VT-x or AMD-V) must be enabled in firmware to run 64-bit VMs.

Boot order determines which device the firmware tries to boot from first; USB boot often requires Fast Boot disabled.

Clearing CMOS (by removing battery or using jumper) resets all firmware settings to defaults.

A supervisor password restricts access to firmware settings; a user password restricts booting.

CSM (Compatibility Support Module) allows UEFI to boot legacy OS from MBR disks; disabling CSM is required for Secure Boot.

Fast Boot can prevent keyboard detection during POST; use Windows advanced startup to access firmware if needed.

Firmware updates (flashing) carry risk of bricking the motherboard if power is lost; use a UPS and backup settings.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

BIOS (Legacy)

16-bit real mode, limited to 1 MB address space

Uses MBR partition table, max 2 TB disk, 4 primary partitions

Sequential POST, slower boot

No Secure Boot, no built-in malware protection

Text-based interface, keyboard only

UEFI

32-bit or 64-bit protected mode, large address space

Uses GPT partition table, supports >2 TB disks, up to 128 partitions

Parallel device initialization, faster boot

Supports Secure Boot, verifies bootloader signatures

Can support graphical interface and mouse input

Watch Out for These

Mistake

UEFI is just a newer version of BIOS with a graphical interface.

Correct

UEFI is fundamentally different from BIOS. It runs in 32-bit or 64-bit mode, uses GPT partitioning, supports Secure Boot, and initializes devices in parallel. The graphical interface is optional; many UEFI implementations are text-based.

Mistake

Clearing CMOS only resets the date and time.

Correct

Clearing CMOS resets all firmware settings to factory defaults, including boot order, passwords, virtualization settings, and Secure Boot configuration. It does not affect the OS or installed software.

Mistake

Secure Boot prevents all malware from loading.

Correct

Secure Boot only verifies the bootloader's signature. Once the OS kernel is loaded, Secure Boot has no control over subsequent drivers or applications. It does not replace antivirus software.

Mistake

TPM is only used for BitLocker.

Correct

TPM has many uses: storing encryption keys for BitLocker, verifying system integrity with Measured Boot, storing credentials for Windows Hello, and supporting virtual smart cards. It is a general-purpose security chip.

Mistake

You cannot access UEFI settings if Fast Boot is enabled.

Correct

Fast Boot can make it difficult to press the setup key because the system boots too quickly. However, you can still access UEFI settings from within Windows via the advanced startup options (Settings > Update & Security > Recovery > Advanced Startup).


Frequently Asked Questions

How do I enter BIOS/UEFI setup on a Windows 10 computer?

The most reliable method is through Windows: go to Settings > Update & Security > Recovery > Advanced Startup, click 'Restart Now.' After reboot, choose Troubleshoot > Advanced Options > UEFI Firmware Settings. Alternatively, during POST, press the key displayed on screen (often Del, F2, F10, F12, or Esc). If Fast Boot is enabled, the key press window may be very short; using the Windows method is easier.

What is the difference between a user password and a supervisor password in BIOS/UEFI?

A user password (or power-on password) is required to boot the computer. Without it, the system will not start. A supervisor password (or administrator password) is required to enter the firmware setup utility to change settings. If only a supervisor password is set, the system boots without a password, but you need the password to modify firmware settings. If both are set, you need the user password to boot and the supervisor password to access setup.

How do I enable virtualization in BIOS/UEFI for VMware or VirtualBox?

Enter firmware setup (see FAQ 1). Navigate to the Advanced or CPU Configuration menu. Look for 'Intel Virtualization Technology' (Intel) or 'SVM Mode' (AMD). Set it to Enabled. Also enable 'VT-d' if available. Save and exit. After reboot, verify in Windows with Task Manager > Performance > CPU: 'Virtualization: Enabled' or in Linux with `grep -E 'vmx|svm' /proc/cpuinfo`.

Why does my computer say 'No bootable device' after installing a new SSD?

This usually means the firmware cannot find an operating system on the new drive. Check the boot order in firmware: ensure the new SSD is listed and is first. Also confirm that the partition style (MBR or GPT) matches the firmware mode (BIOS uses MBR, UEFI uses GPT). If you cloned the old drive, ensure the clone was successful. If the drive is not detected, check SATA/power connections or try a different SATA port.

How do I reset BIOS/UEFI settings to factory defaults?

There are three methods: (1) In firmware setup, look for 'Load Optimized Defaults' or 'Load Setup Defaults' under the Save & Exit menu. (2) Remove the CMOS battery (CR2032) for 1-5 minutes, then reinstall. (3) Use the CLR_CMOS jumper on the motherboard (consult manual). All methods reset all settings, including boot order, passwords, and overclocking settings.

What is Secure Boot and should I enable it?

Secure Boot is a UEFI security feature that verifies the digital signature of the bootloader before allowing it to execute. It prevents bootkits and rootkits from loading. You should enable it if your OS supports it (Windows 10/11, most modern Linux distros). If you need to boot an older OS or unsigned bootloader, disable it. Enabling Secure Boot requires UEFI mode and a GPT disk; CSM must be disabled.

How do I update the BIOS/UEFI firmware?

First, identify your motherboard model (via System Information or `wmic baseboard get product,manufacturer`). Download the latest firmware from the manufacturer's website. Methods: (1) Use a manufacturer-provided utility within the OS (e.g., Dell Command Update). (2) Create a bootable USB with the firmware file and boot into a flash utility (e.g., ASUS EZ Flash). (3) Some UEFI have a built-in internet update feature. Always use a UPS to prevent power loss during the update. Do not interrupt the process.
