Let’s discuss “Secure Boot”

Topic

New Reply

It appears Windows 11 will also require Secure Boot to be Enabled in the BIOS/UEFI.

What needs to be done to change the BIOS/UEFI Secure Boot from Disabled to Enabled? I read numerous articles with no clear answer.

Some indicate simply go into the BIOS/UEFI settings and Enable.  Others say you need to re-install Window 10 and Applications and reset the BIOS/EUFI back to Factory Defaults

My current system was built by Maingear, has an ASUS Rog Strix Z370-E Motherboard and Secure Boot has always been OFF.

I have a TPM Header but no TPM chip.

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Replies

If you’re switching from “Legacy” to EUFI BIOS you will need to re-install the OS.

Reply | Quote

HarryLeeSmith wrote:

If you’re switching from “Legacy” to EUFI BIOS you will need to re-install the OS.

Not necessarily.  Converting a re-build from MBR to GPT

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

1 user thanked author for this post.

Ascaris

Reply | Quote

My System Information panel shows  BIOS MODE:  UEFI,  Hard Drives are GPT.

ASUS Mother Board has something called CSM (Compatibility Support Module) which allows support for Legacy devices/drives and provides the ability to boot from USB and CD.  Secure Boot is Disabled.

I recall reading topics several years ago when I first received this computer that CSM and Secure Boot cannot both be on at the same time.  And if Secure Boot is selected (CSM disabled) you would not see USB Storage devices in the Boot Options Menu unless they contained an EFI boot directory on the device.

Rather confusing, but needs further discussion if MS is requiring Secure Boot to be turned on – and how to do it.

 

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

How will requiring secure boot affect using flash USB recovery sticks at boot time?

Windows 10 Pro 22H2

Reply | Quote

No difference. The OP was talking about something different.

Note:

1) Backup software should be able to create proper recovery media.
2) If you use the Microsoft Media Creation Tool, you’re fine.
3) If you use the Win 10 “Recovery Drive App”, you’re fine.
4) If you use 3rd party tools (e.g. Rufus) to create rescue media, be sure to follow UEFI instructions.

Reply | Quote

Are you sure about this? Disabling Legacy boot could disable the option to boot from USB.
Im am absolutely sure, that if I create USB with Rufus from W10 ISO, I have to disable secure boot and enable legacy ROM in BIOS in order to be able to boot from USB.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

I can confirm that using Rufus to create a Win10 boot USB key works and boots properly with Secure boot enabled on my Lenovo ThinkPad P52.

Use Rufus with UEFI-NTFS option (from my notes).

Martin

1 user thanked author for this post.

doriel

Reply | Quote

ve2mrx wrote:

I can confirm that using Rufus to create a Win10 boot USB key works and boots properly with Secure boot enabled

What about if use Windows Media Creation Tool?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

It will create a Windows bootable device compatible with UEFI Secure Boot as it always has!

Martin

Reply | Quote

Yep, you’re pretty much right on Tex. CSM is a no go. Additionally, any add-in cards (e.g. video) must support UEFI.

Until this past year, I never enabled secure boot on Win 10 machines either (like you, I also used GPT). Nor did I enable TPM until last week. I haven’t found any obstacles with both now enabled, but I haven’t attempted to boot Linux from USB with TPM yet.

What I did is this:

1) Disbled CSM and rebooted
2) Went into the BIOS again and enabled/configured Secure Boot and rebooted
3) Booted into Win 10

(This will NOT work if your boot drive is MBR – it must be GPT)

I can tell you this. Recently I was working with an MSI beta BIOS that booted into Windows 10 just fine. I disabled CSM, enabled Secure Boot, rebooted, then nothing …. panic. I rebooted into the BIOS, disabled Secure Boot and voila. Once the finished BIOS was released, I reflashed and Secure Boot was bootable again. Nothing was damaged on the GPT disk subsystem (2 PCIe4 m.2 and 1 SATA SSD).

So …. my suggestion is to give it a try. Then go back into the BIOS and enable TPM.

When I flash the BIOS on this computer (x570, AMD 3800x), it has a tendency to revert back to CSM enabled on boot. I then have to go back into the BIOS, disable it, and reset Secure Boot before booting into Windows.

Each mobo manufacturer does things a bit different in their firmware implementation (wording, presentation) which adds to the confusion.

Microsoft does make a tool to convert MBR to GPT, but it isn’t for non-Geeks.

Convert MBR partition to GPT (MBR2GPT.EXE)

Reply | Quote

Carl wrote:

4) If you use 3rd party tools (e.g. Rufus) to create rescue media, be sure to follow UEFI instructions.

Thanks. So you are confirming that non-UEFI boot media will no longer to continue to work on systems that have “Secure Boot” enabled in the BIOS, correct?

Windows 10 Pro 22H2

Reply | Quote

Yeah, I guess our anything goes days are diminishing. Initially, when Secure Boot was announced, I was hands down against it. While I still question it’s value as a strong security measure (it was quickly hacked), it’s not as annoying to me as it once was.

We can still multi-boot (I have a Macrium backup recovery bootloader), run Linux distros from USB, etc. On any machines I build going forward, supporting legacy (non-UEFI) hardware won’t be an issue either.

When’s the last time you tried to boot DOS from USB? Since most mobos don’t require DOS boots for firmware updates anymore, it’s less relevant. I get my asteroids nostalgia gaming kicks by using DOS emulators.

If for some reason you do need to boot non-UEFI, you can disable it in the BIOS, do whatever, then re-enable when finished. As long as your Linux repair tools understand NTFS and GPT, you should be OK.

Reply | Quote

JohnW wrote:

Thanks. So you are confirming that non-UEFI boot media will no longer to continue to work on systems that have “Secure Boot” enabled in the BIOS, correct?

Carl wrote:

Yeah, I guess our anything goes days are diminishing. I

So I am still confused about how we are to be able to boot from our USB sticks and USB CD players without CSM enabled.  Before it being enabled, these devices would not show up in my F8 Boot Options (ie: Macrium Recovery stick, or the CD Drive unless it contained a CD disk that contained that EFI/boot directory such as the Windows installation disk).

Would we have to enter the UEFI/Bios and turn CSM on (Secure Boot off) to utilize these? Is that even possible without causing other problems within the UEFI/Bios?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

USB drives can use MBR or GPT like other forms of mass storage. If a USB drive did not show up when CSM was turned off, that drive must have used a MBR partition scheme and boot setup. Some USB drive programs, like Rufus in Windows, can write any given .iso and set it up to boot via GPT/UEFI or MBR/legacy, or a hybrid mode that will work on either one.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

But USB CD players don’t have partitions and need to rely on the content of the actual CD disk.  I also don’t recall Macrium Recovery creator asking to choose a partition scheme when creating a USB or CD program.  What about the Windows Media Creation Tool?

And aren’t all USB sticks MBR out of the package?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

I would guess the Macrium rescue USB and Windows recovery USB would both use the hybrid design that can boot on either setup.

As for optical drives, they use their own format that is neither GPT nor MBR. They use ISO-9660 (or more properly one of the extensions, El Torito or Joliet) to boot from the disc natively. I am not sure what the implications are as far as secure boot, as I have never used an optical disc on a device using secure boot.

It is possible that some optical drives can emulate a hard drive and boot that way, in which case it would be subject to the same restrictions.

Since a USB device can be any one of a number of types, it is up to that device to identify itself so that the PC knows how to handle it. This makes it possible for drives to emulate other types, like a USB drive that pretends to be a floppy drive.

I have no idea what USB drives are out of the box. They’re not bootable out of the box, though, so MBR is no limitation there.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

It depends on the storage mode used by the drive, most are basically USB big floppy/Zip mode and don’t have/use a partition table. You can change this to USB fixed disk and use partitions however.

Martin

Reply | Quote

I think they are formated as FAT32?  Anyway, what/how do you specifically do to them to make them bootable with Secure Boot?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Windows bootable USB drives are formatted as NTFS with Rufus, use the “UEFI-NTFS” option and it should boot fine if your BIOS isn’t broken. This has no connection to partitions on the installation drive, but once installed, the OS must use GPT partitions.

Secure Boot is something that the boot image makes possible as it is pretty much validation of the integrity of the bootloader (it is signed). It has to be baked in the image and Microsoft has baked this in since Windows 7 (I used Windows 7 in Secure Boot). All you need to do is deliver the image in a way acceptable to the BIOS for the signature to be verified and boot to begin.

Reply | Quote

Macrium will select the appropriate boot scheme when creating boot media. You of course can override it if you choose.

I have Secure-Boot on so I can check the box to enable MBR if I so choose. All my Macrium Recovery USBs use secure boot w/o issue.

HTH 😎

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

1 user thanked author for this post.

Cybertooth

Reply | Quote

Does TPM (specifically Intel PTT) work without Secure Boot being enabled?  Can PTT be turned on without Secure Boot?  And maintaining CSM setting?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Secure Boot builds on TPM but I don’t know if you can have it without some form of TPM.

You can, however, use TPM independently of Secure Boot (like for storing fingerprints/passwords used to boot the machine).

Secure Boot disables CSM because there’s no way to maintain the security of the boot chain if you use it to boot. TPM is not involved directly in the boot chain but is a “library” of security tools/certificates used by the boot process (and later OS) if present. You can use TPM while CSM is enabled but Secure Boot can’t be used. However, the machine and the OS can still benefit from the presence of the TPM.

Martin

Reply | Quote

Let me try this again as I would like to get a “how to” answer:

What needs to be done to change my UEFI bios “Secure Boot” from Disabled to Enabled?

My current system was built by Maingear, has an ASUS Rog Strix Z370-E Motherboard with Intel i7-8700 processor. My system info shows the Bios Mode as: UEFI and my Hard Drives both show as GPT Partitions.

My system came with Secure Boot set as Disabled. Under the Secure Boot Option “Enabled” is grayed out and there are 2 selections available for OS Type: Windows UEFI Mode or Other OS – mine shows “Other OS.”

The board has a CSM (Compatibility Support Module) which came “Enabled” which then enables sub-menus.  The Boot Devices Control sub-menu was set at “UEFI only” from Maingear, but this would not allow me to see/select my usb devices to boot from so we changed the selection to: “UEFI and Legacy OPROM”).

I read conflicting info that says you can’t have CSM and Secure Boot at the same time, but then why does CSM provide the “UEFI Only” option?  Also since Windows 10 was probably installed with settings described above, would Windows have to be reinstalled if Secure Boot is activated?

Pls advise steps to take to Enable Secure Boot for my ASUS system.

 

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

The CSM is there to enable you to boot media which would cause the boot process to fail the UEFI firmware’s HSTI based security tests. Failing that test means the Intel PTT (SMM for Dell) will not give access to bitlocker credentials generated by the UEFI mode BIOS to avoid CSM being leveraged as a method of sidestepping the bitlocker security by virtue of allowing easy low level access to the drive (for example after  a forced reboot while Windows was loaded and the drive was thus partially decrypted) and any hardware information which might be used in credential generation.

If you have no TPM you’re stuck on Windows 10 (or a less secure Windows 11) as I am, though I think it unlikely Microsoft will remove the bypass on that option however, as OEMs need to be able to generate a non encrypted software image for their hardware for deployment purposes. The policy to apply bitlocker in this case propagates via the EFI part of UEFI to Windows using keys supplied by the BIOS security process so it will be interesting to see if Microsoft go for bitlocker “out of box” without telling anyone as they did with previous versions of Windows (and as has happened for some years with large OEM systems), or maybe reminding users to back up the recovery key this time!)

I think this information was buried in the FFS (Firmware File System – a FAT12 scratch in flash..) for the few who knew it existed back then- now if you need to find out about that you need to look for the “Windows Platform Binary Table” (then realise you can’t do much with it and leave it well alone). The malware creators worked out some systems by L####o left this area unlocked so BIOS updates there were really critical as it offered extreme malware persistence. Chipsec lets you peek under the bonnet, but there’s always more to break than fix in trying to actually do anything there. I saw a L####o system which was hacked – it produced a boot message about UEFI variables being corrupt and you had to F1 that at every POST. Your couldn’t recovery the machine in CSM mode (for one without UEFI you had to supply a “F6” driver  to get the SATA controller working, a driver which was never written.)

Basically your choice is CSM, MBR partitions, and no security at BIOS level or completely secured up to the HSTI requirements with UEFI and GPT partitions. In this setting, even the boot menu can decide to turn off if a valid OS is on the drive, to the point its sometimes required to remove the boot drive and POST to a fail (of POST and thus HSTI) before reinstating the drive simply to get the boot menu back, for instance where malware has broken the Windows recovery options, so beware. On the plus side the UEFI Bios supplies all the software support to get the OS installed so you don’t have to fish around for a “F6 driver” or put up with a display which isn’t useable (mainly laptops and the like; UEFI support on desktop cards seems somewhat less of a thing)

You can’t have a half way – Microsoft have thrown you a bone by allowing bitlocker if you manage it yourself.  Otherwise you’d have to buy something like Bestcrypt (Jettico) as the Trucrypt project went south (details on wikipedia). Guess they could snatch that bone back through Windows update though – or even worse decide the OS doesn’t qualify for support if your machine isn’t to spec, should it suit them.

Mainly google the capitalised bits and look for Microsoft documentation.. if you really want to get that involved. Myself I would say you should use crystaldiskinfo or such to check the running hours on your drive (save the log, it’s easier to understand as the GUI can be a bit back to front!). Align that value with the MTBF (mean time between failure) on your drive’s datasheet and decide if you need a new drive yet (as the work of installing a new OS can push a flaky drive to failure). If you have the old drive unchanged and you have backed up your files so if that drive was flaky it doesn’t matter, hopefully there is little to go wrong installing on a new drive!

Follow the hints everywhere on this site about backing up. Consider solutions for whole drive backup by all means but most definitely get a good size media, check it out thoroughly, and back up files, folders, bookmarks and whatever else is good for you by hand on that media and put it aside well away from the machine and workspace until you’ve done with the operating system.

You should actually (BIOS support permitting) be able to install Windows 7 in UEFI (and activate by phone). [Technical note –  you won’t need the F6 driver if UEFI is operating, partition the drive from the command prompt on the boot media (4 partition GPT will do) and then start setup from the same media manually.] Then its a case of upgrade to 10 and see how it behaves. Windows activation can decide you have a new machine.. as the drive details might differ and any UEFI supported devices will have differing hardware IDs. You can always explain when your activation call is passed to a real person if it does go belly up that way I guess…

1 user thanked author for this post.

wavy

Reply | Quote

Tex265 wrote:

Let me try this again as I would like to get a “how to” answer:

What needs to be done to change my UEFI bios “Secure Boot” from Disabled to Enabled?

@oldguy  Thank You for your response and the amount of time that it must have taken to write that up, but honestly, I don’t understand much of anything you are discussing – way over my head (PTT?  Bitlocker?)

I simply (hopefully) need some basic answers as to whether, if I can, and how to Enable “Secure Boot” (and what to do regarding CSM settings) on my ASUS motherboard.

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Tex265 wrote:

UEFI bios “Secure Boot” from Disabled to Enabled?

Try Microsoft’s solution : Re-enable Secure Boot

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/disabling-secure-boot

Reply | Quote

OK, lets dive into the manual (which for once has more than the short cut key under bios settings) – https://dlcdnets.asus.com/pub/ASUS/mb/LGA1151/ROG_STRIX_Z370-E_GAMING/E13238_ROG_STRIX_Z370-E_GAMING_UM_WEB_082417.pdf

I guess the first thing is I assume you have a single drive and you are set to ACHI rather than a RAID configuration with Intel RST (as that comes in varying versions and may or may not work, and may or may not need a specific drive configuration..)

Let’s jump to the chase.. If you change something write down where the setting is, what it was and what you changed it to. Sometimes options change as you alter other settings so work methodically.

This assumes you have followed all the backing up hints you need to and are either starting over or are installing on a clean drive.

Section 3.8,

Fast boot. Switch it off until you have the software set up, then turn it on.

CSM Set to disabled strictly, though leaving it as auto gives some flexibility – the boot menu will display the boot mode for each device also if you’re lucky.

Boot devices control. Need to set this to UEFI only.

Boot from Network. Set to Ignore. Just in case.

Boot from storage Devices. Set to UEFI driver first

Boot from PCI .. Set to UEFI driver first. Just in case. I am assuming your controller is part of the motherboard.

Secure boot. Enable.

Exit via save changes and reset.

The only thing which isn’t completely clear is if the above will enable UEFI mode of itself. There were instances where you had to enter RAID mode for this (that is to say, follow section 4.1.2 of the manual) and you could create a single volume with the controller in RAID mode on one drive. For that I am afraid some experimentation will be required.

Alternatively can you still contact the people who built it? They might have built some in UEFI mode even if yours isn’t and might be able to clarify further to save you the time.

Final note:

Nobody has mentioned how to tell if the original installation is installed with the GPT layout needed for UEFI mode. To do this you can

Elevate a CMD prompt.

type the last four lines below,  one line at a time. If list part returns a partition as “reserved” that is the  the MSR partition, and the machine is partitioned in GPT already assuming it boots is likely in UEFI mode. (see snip attached – it’s marked). If however the reserved partition is absent you have a standard MBR (Windows 7) layout – any recovery partition likely being created when you did the on line “get Windows 10” upgrade when Windows 10 was new..

diskpart

select disk 0

list part

exit

Reply | Quote

oldguy wrote:

I guess the first thing is I assume you have a single drive and you are set to ACHI rather than a RAID configuration with Intel RST

I have 2 hard drive disks, both are ACHI and GPT partioned.

oldguy wrote:

This assumes you have followed all the backing up hints you need to and are either starting over or are installing on a clean drive.

I have backups (Macrium) of my hard drives. No known way to make a backup of my UEFI bios settings.  And I do not intend to start over or install on a clean drive.

All I want to do (hopefully) is to go into the existing UEFI and make a few setting adjustments and be done.  Not looking to reinstall Windows or start over.

oldguy wrote:

CSM Set to disabled strictly, though leaving it as auto gives some flexibility – the boot menu will display the boot mode for each device also if you’re lucky.

Tex265 wrote:

The board has a CSM (Compatibility Support Module) which came “Enabled” which then enables sub-menus. The Boot Devices Control sub-menu was set at “UEFI only” from Maingear, but this would not allow me to see/select my usb devices to boot from so we changed the selection to: “UEFI and Legacy OPROM”).

So are you saying to completely disable the CSM Setting as I think if I do that none of the other CSM options you list below will be available to select. Manual has notation “The following items appear only when you set the Launch CSM to Enabled”.

oldguy wrote:

Boot devices control. Need to set this to UEFI only.

Boot from Network. Set to Ignore. Just in case.

Boot from storage Devices. Set to UEFI driver first.

Boot from PCI .. Set to UEFI driver first.

Just in case. I am assuming your controller is part of the motherboard.

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Sounds to me like the CSM set to enabled has arrived of itself – The only thing I can think of is at some point you used the boot menu to boot something that needed CSM and it stayed enabled.

From what you’ve said, I’m with Alex5723 – as per the Microsoft article, turn CSM off, ie disabled. If it doesn’t boot there would have to be something pretty odd going on

You have the secure boot by virtue of not selecting an insecure boot, and supporting UEFI file system so it should all be fine. The thing you might notice is it gets very hard to access the boot or BIOS menus – you’ll need to use the Windows recovery options to access the BIOS settings to enable fast boot at which point you shouldn’t see a “seam” between the POST logo and Windows starting..

all the best..

 

 

Reply | Quote