Should I disable secure boot on macOS to install Windows?

I have to disable secure boot on my Mac to install Windows on an external drive. I don't have any idea what boot, recovery mode, etc. are. According to the steps I am following, I have to disable secure boot. After doing this, does my MacBook have a security problem?


Here is the Startup Security Utility's dialog, which shows and clearly describes the options and what they do.

The security problem with "allow booting from external media" is that your Mac can be booted by any external drive. Someone with physical access to your Mac could plug in their own USB drive, boot it, and possibly read or copy files on your internal drive.

The use of FileVault mitigates against this, of course.

As pointed out, Allow/Disallow External Boot is different from Secure Boot settings, which control the status of the OSes that can boot.

Full Security only allows OSes that have a valid signed security certificate from Apple to run. The risks from reducing this security mostly involve downloading an OS that you think is from Apple but which has been compromised in some way. Apple can 'turn off' security certificates (and they can also expire), which would prevent old OSes from running.


You should not have to disable Secure Boot to install and operate Windows on an external drive. I have installed Windows 10 to both Thunderbolt 3 and USB drives on a 2018 Mac mini. The instructions for installing to a USB drive are given here.

The Intel Mac Startup Security Utility settings for operating systems installed on external drives are given below.

| | macOS | Windows | Linux |
|---|---|---|---|
| Secure boot | Full, Medium or No Security | Full, Medium or No Security | No Security |
| External boot | Allow | Allow | Allow |

You should not need to turn off Secure Boot unless you desire an operating system other than macOS or Windows 10.

Setting Secure Boot to No Security increases the possibility of your Mac booting nefarious software. For example, while running Windows on the external drive, bad software could instruct the firmware to execute the nefarious software on the next boot instead of macOS or Windows.

Allowing external booting would permit the possibility that someone could boot an installer or operating system from an external drive and access or erase your data. With external booting, you can still prevent someone from reading your data by using encryption. However, your Mac only has hardware support for encryption for macOS. Windows and other operating systems may offer software-only encryption.