Dec 06 2021 08:55 AM
Hello and greetings from Portugal!
I noticed something strange when checking the requisites for the Windows 11 upgrade.
On some machines, although they have Secure Boot enabled, the registry key "HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State" has UEFISecureBootEnabled equal to 0.
Does anyone have this issue?
Does anyone know how to upg
Dec 09 2021 03:29 AM
Dec 09 2021 03:37 AM
Dec 10 2021 02:50 AM
Jul 28 2022 12:02 AM
Jul 28 2022 12:15 AM - edited Jul 28 2022 12:15 AM
Hi @carlos1015!
It will depend on the device, but here's our procedure for most Lenovo devices:
- Enter "UEFI"
- Go to "Security"
- Then select "Secure Boot"
- Select "Factory Keys"
This will restore the factory keys.
It worked for us on all devices.
Note: Be aware that if you're using BitLocker it may ask you for the recovery key.
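The following is an added example (not code from the original thread or from any of its posters) that turns the two points above into a check you can run: it compares the registry value the original poster was reading with what the firmware itself reports, flags the Setup Mode case (no Platform Key enrolled) that the "Factory Keys" procedure addresses, and runs the BitLocker pre-check the note warns about before anyone touches firmware keys. It assumes an elevated PowerShell prompt on the affected machine; the cmdlets used (Confirm-SecureBootUEFI, Get-SecureBootUEFI, Get-BitLockerVolume, Suspend-BitLocker) ship with Windows 8 and later.

```powershell
# Added example, not from the thread. Triage a Secure Boot mismatch between the
# registry and the firmware, then check BitLocker before a firmware key change.
# Requires an elevated prompt; the UEFI cmdlets throw on legacy BIOS boots.

function Get-SecureBootTriage {
    [CmdletBinding()]
    param()

    $r = [ordered]@{
        FirmwareType       = $env:firmware_type   # 'UEFI' or 'Legacy', set by Windows at boot
        RegistryValue      = $null                # UEFISecureBootEnabled from the key the OP checked
        FirmwareSecureBoot = $null                # what Confirm-SecureBootUEFI returns
        SetupMode          = $null                # 1 = no Platform Key enrolled, nothing is enforced
        Findings           = @()
    }

    # 1. The registry view (the value the OP saw as 0 on some machines).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $state = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $state) { $r.RegistryValue = [int]$state.UEFISecureBootEnabled }

    # 2. The firmware view. Both cmdlets throw on legacy BIOS or without elevation.
    try {
        $r.FirmwareSecureBoot = Confirm-SecureBootUEFI
        $setup = Get-SecureBootUEFI -Name SetupMode
        $r.SetupMode = [int]$setup.Bytes[0]
    } catch {
        $r.Findings += "Firmware query failed: $($_.Exception.Message)"
    }

    # 3. Explain the combination of the two views.
    if ($r.FirmwareType -ne 'UEFI') {
        $r.Findings += 'Windows booted in legacy BIOS/CSM mode; Secure Boot cannot be in effect until the OS boots via UEFI from a GPT disk.'
    } elseif ($r.SetupMode -eq 1) {
        $r.Findings += 'Firmware is in Setup Mode (no Platform Key enrolled); the "Secure Boot enabled" toggle enforces nothing until keys are enrolled. Restoring factory keys in firmware setup fixes this.'
    } elseif ($r.FirmwareSecureBoot -eq $true -and $r.RegistryValue -ne 1) {
        $r.Findings += 'Firmware reports Secure Boot on but the registry does not; the registry value reflects the last boot, so reboot after any firmware change and re-check.'
    } elseif ($r.FirmwareSecureBoot -eq $false) {
        $r.Findings += 'Secure Boot is switched off in firmware.'
    } elseif ($r.FirmwareSecureBoot -eq $true) {
        $r.Findings += 'Consistent: Secure Boot is enabled and enforced.'
    }
    return [pscustomobject]$r
}

# Restoring factory keys changes the Secure Boot policy the TPM measures, which
# can send a BitLocker-protected volume into recovery at the next boot. Make sure
# a recovery password is on file and, if asked to, suspend protection for exactly
# one reboot. Dry run by default; -Suspend performs the suspension.
function Test-BitLockerBeforeFirmwareChange {
    param([string]$MountPoint = 'C:', [switch]$Suspend)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if ($null -eq $vol -or $vol.ProtectionStatus -ne 'On') {
        return [pscustomobject]@{ MountPoint = $MountPoint; Protected = $false
                                  RecoveryPasswordOnFile = $null; Action = 'nothing to do' }
    }
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $action = "dry run: would run Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1"
    if ($recovery.Count -eq 0) {
        $action = 'STOP: no recovery password protector; back one up before changing firmware keys'
    } elseif ($Suspend) {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
        $action = 'protection suspended for one reboot'
    }
    return [pscustomobject]@{ MountPoint = $MountPoint; Protected = $true
                              RecoveryPasswordOnFile = ($recovery.Count -gt 0); Action = $action }
}

# Usage from an elevated prompt:
Get-SecureBootTriage | Format-List
Test-BitLockerBeforeFirmwareChange | Format-List
```

SetupMode is the one signal worth adding to the registry check: a firmware can show "Secure Boot: Enabled" in its menu while holding no Platform Key, in which case the kernel records UEFISecureBootEnabled as 0 because nothing is actually being enforced, which is exactly the symptom the original poster describes.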
Jul 28 2022 12:28 AM
Jul 28 2022 12:33 AM
Jul 28 2022 10:13 PM
@carlos1015 Basically the OP was trying to figure out how to manually configure Secure Boot from within UEFI (on most newer computers you can set the UEFI firmware to do this automatically). Typically you don't have to reset all the platform keys. It will automatically fetch them and install them, if the bootloader is signed, and it will set up the TPM for you as well. Read the entire post before trying anything, so you fully understand what you're getting into. You can also do this in a VM or with WinPE to experiment first, without touching or modifying your current setup:
If Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify that it hasn't been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
A.) The bootloader was signed using a trusted certificate. For PCs certified for Windows, the Microsoft certificate is trusted.
B.) The user has manually approved the bootloader's digital signature. This action allows the user to load non-Microsoft operating systems.
Secure Boot -> https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process#secure-boot
You can easily verify your current setup via the command prompt:
Microsoft Windows [Version 10.0.22000.832]
(c) Microsoft Corporation. All rights reserved.
C:\Users\<user_name_here>\Desktop>BCDEDIT /V
C:\Users\<user_name_here>\Desktop>BCDEDIT /ENUM ACTIVE
On hybrid UEFI / BIOS setups, with most ACER firmware on pre-built computers, it's automatic. The only issue is that you need to make sure you have a UEFI bootloader, and it has the correct signature. Most of the time, you can refresh or merge the bootloader if it is corrupt, but by default it should ALREADY be signed. If not, then you might have to verify your current setup to see what type of disk you have, and then reinstall the bootloaders yourself:
NOTE: This is just an example of what manually installing a bootloader looks like. This is not what you would do in all possible situations either. Often the bootloader has no problem. For some it doesn't work, just because a person does not even have a signed UEFI bootloader installed to begin with:
Microsoft Windows [Version 10.0.22000.832]
(c) Microsoft Corporation. All rights reserved.
C:\Users\<user_name_here>\Desktop>diskpart
Microsoft DiskPart version 10.0.22000.653
Copyright (C) Microsoft Corporation.
On computer: <user_name_here>
DISKPART> list disk
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online xxxx GB 0 B *
DISKPART> select disk 0
Disk 0 is now the selected disk.
DISKPART> list partition
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 System 260 MB 1024 KB
Partition 2 Reserved 16 MB 261 MB
Partition 3 Primary xxx GB 277 MB
DISKPART> select partition 1
Partition 1 is now the selected partition.
DISKPART> assign letter=s
DiskPart successfully assigned the drive letter or mount point.
DISKPART> list volume
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 S FAT32 Partition 260 MB Healthy System
Volume 2 C Windows NTFS Partition xxx GB Healthy Boot
DISKPART> exit
Leaving DiskPart...
C:\Users\<user_name_here>\Desktop>BCDBOOT C:\Windows /s S: /f UEFI
If you have an MBR disk with no EFI or MSR partitions, then of course you will have problems, as Secure Boot is mainly only supported with an EFI / UEFI bootloader. In most cases, it's smarter to utilize a GPT partition layout for compatibility reasons, instead of MBR, even if the drive is smaller than 2GB. Some types of BIOS / UEFI won't recognize it unless it's GPT for UEFI.
Typically the EFI partition is between 100MB and 260MB (256MB), and the MSR partition is 16MB (on Windows 7 it was 500MB for MSR). If your HDD uses Advanced Format (512e), which you will have to manually check ahead of time, then you can't use a 100MB EFI partition; it has to be 260MB (256MB in actuality; in diskpart, for a FAT32 EFI partition, which requires the use of binary prefixes, the size is listed as 260MB). If you dual or triple boot with Linux / Unix, then it requires a 260MB (256MB) EFI partition.
If an entry is corrupt, it's MUCH smarter to merge a bootloader, regardless of the situation (especially with dual or triple boot setups), than it would be to just clean off the entire EFI partition and start over. Regardless of what setup you have, you may also have to add a boot code using Bootsect for the System Drive (which often has a volume letter of C). Here are some command-line arguments / programs which help you set up a bootloader, if you are migrating a Windows image from one PC to another:
"If there is already a boot entry for this Windows partition, by default, BCDBoot erases the old boot entry and its values. Use the /m option to retain the values from an existing boot entry when you update the system files." -> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdboot-command-line-options-techref-di?view=windows-11#how-it-works
BCDEDIT /STORE /?
BCDEDIT /SET /?
BCDEDIT /? FORMATS
BCDBOOT C:\Windows /s S: /f UEFI
BCDBOOT C:\Windows /s S: /f BIOS
BCDBOOT C:\Windows /s S: /f ALL
BCDBOOT C:\Windows /m {insert_windows_boot_loader_identifier_here}
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /V
BCDEDIT /V
BCDEDIT /ENUM {current}
BCDEDIT /ENUM ACTIVE
BCDEDIT /DELETEVALUE {default} <INSERT_VALUE_HERE>
BCDEDIT /SET {bootmgr} device partition=S:
BCDEDIT /SET {default} device partition=C:
BCDEDIT /SET {default} osdevice partition=C:
BCDEDIT /SET {bootmgr} device partition=\Device\HarddiskVolume2
BCDEDIT /SET {default} device partition=\Device\HarddiskVolume1
BCDEDIT /SET {default} osdevice partition=\Device\HarddiskVolume1
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {bootmgr} device partition=S:
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {default} device partition=C:
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {default} osdevice partition=C:
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {bootmgr} device partition=\Device\HarddiskVolume2
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {default} device partition=\Device\HarddiskVolume1
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {default} osdevice partition=\Device\HarddiskVolume1
For information about additional types for particular applications,
run "bcdedit /? TYPES <apptype>", where <apptype> is one of the following:
BOOTAPP Boot applications. These types also apply to the boot manager,
memory diagnostic application, Windows OS loader, and the resume
application.
BOOTMGR Boot manager.
BOOTSECTOR Boot sector application.
CUSTOMTYPES Custom types.
DEVOBJECT Device object additional options.
FWBOOTMGR Firmware boot manager
MEMDIAG Memory diagnostic application
NTLDR OS loader that shipped with earlier Windows OS
OSLOADER Windows Vista OS loader
RESUME Resume application
"Boot Settings" -> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set#boot-settings
"BCDEdit Options Reference" -> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcd-boot-options-reference
"Boot Parameters to Configure DEP and PAE" -> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-parameters-to-configure-dep-and-pae
"Bootsect Command-Line Options" -> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bootsect-command-line-options
"BCDBoot Command-Line Options" -> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdboot-command-line-options-techref-di?view=windows-11#command-line-options
"Boot to a virtual hard disk: Add a VHDX or VHD to the boot menu" -> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/boot-to-vhd--native-boot--add-a-virtual-hard-disk-to-the-boot-menu
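The reply above says the real prerequisite is a GPT disk with a correctly signed UEFI bootloader on an EFI partition of adequate size, and shows the diskpart / BCDBOOT session for repairing it by hand. The following is an added example (not from the thread or from Microsoft's documentation) that performs that pre-flight inspection read-only before anyone runs BCDBOOT: partition style, presence and size of the EFI System Partition, the path the boot manager entry points at, and the Authenticode status of bootmgfw.efi, which is the signature the firmware checks under Secure Boot. It assumes disk 0 is the boot disk (as in the diskpart session above), that the drive letter S: is free, and an elevated prompt; it mounts the ESP with mountvol instead of a permanent diskpart "assign letter" and unmounts it again when done.

```powershell
# Added example, not from the thread. Read-only pre-flight check before BCDBOOT:
# is the disk GPT, is there an EFI System Partition of sensible size, and does
# the Windows boot manager on it carry a valid Authenticode signature?
# Run from an elevated PowerShell prompt.

$EspGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # GPT type GUID of the EFI System Partition

function Get-BootLayoutReport {
    [CmdletBinding()]
    param(
        [int]$DiskNumber = 0,       # assumption: the boot disk is disk 0, as in the diskpart session above
        [string]$TempLetter = 'S'   # temporary mount letter for the ESP; must currently be unused
    )

    $report = [ordered]@{
        DiskNumber       = $DiskNumber
        PartitionStyle   = $null
        EspPartition     = $null
        EspSizeMB        = $null
        BootMgrPath      = $null   # 'path' element of the {bootmgr} BCD entry
        BootMgrSignature = $null   # Get-AuthenticodeSignature status of bootmgfw.efi
        Findings         = @()
    }

    # 1. Partition style: Secure Boot requires a UEFI boot, which requires GPT.
    $disk = Get-Disk -Number $DiskNumber
    $report.PartitionStyle = $disk.PartitionStyle
    if ($disk.PartitionStyle -ne 'GPT') {
        $report.Findings += "Disk $DiskNumber is $($disk.PartitionStyle): Secure Boot needs a GPT disk with a UEFI bootloader."
    }

    # 2. EFI System Partition: the target of "BCDBOOT C:\Windows /s S: /f UEFI".
    $esp = Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue |
           Where-Object GptType -eq $EspGuid | Select-Object -First 1
    if ($null -eq $esp) {
        $report.Findings += 'No EFI System Partition found; there is nowhere for BCDBOOT /f UEFI to install the boot manager.'
    } else {
        $report.EspPartition = $esp.PartitionNumber
        $report.EspSizeMB    = [math]::Round($esp.Size / 1MB)
        if ($report.EspSizeMB -lt 100) {
            $report.Findings += "ESP is $($report.EspSizeMB) MB, below the 100 MB minimum."
        } elseif ($report.EspSizeMB -lt 260) {
            $report.Findings += "ESP is $($report.EspSizeMB) MB; the reply above recommends 260 MB for Advanced Format disks and multi-boot setups."
        }
    }

    # 3. What the BCD firmware entry points at (the same thing "BCDEDIT /V" shows).
    foreach ($line in (& bcdedit.exe /enum '{bootmgr}' 2>$null)) {
        if ($line -match '^\s*path\s+(\S.*)$') { $report.BootMgrPath = $Matches[1]; break }
    }
    if ($report.BootMgrPath -and $report.BootMgrPath -notmatch '\.efi$') {
        $report.Findings += "Boot manager path '$($report.BootMgrPath)' is a BIOS-style entry, not a UEFI .efi loader."
    }

    # 4. Signature of the boot manager actually stored on the ESP.
    if ($null -ne $esp) {
        $root = "${TempLetter}:\"
        if (Test-Path $root) {
            $report.Findings += "Drive letter $TempLetter is in use; signature check skipped. Pass -TempLetter with a free letter."
        } else {
            try {
                & mountvol.exe "${TempLetter}:" /S | Out-Null     # mount the ESP without diskpart
                $bootmgfw = Join-Path $root 'EFI\Microsoft\Boot\bootmgfw.efi'
                if (Test-Path $bootmgfw) {
                    $sig = Get-AuthenticodeSignature -FilePath $bootmgfw
                    $report.BootMgrSignature = $sig.Status.ToString()
                    if ($sig.Status -ne 'Valid') {
                        $report.Findings += "bootmgfw.efi signature status is $($sig.Status); the firmware will refuse it with Secure Boot on. Reinstall it with BCDBOOT C:\Windows /s ${TempLetter}: /f UEFI."
                    }
                } else {
                    $report.Findings += 'bootmgfw.efi is missing from the ESP; no signed UEFI bootloader is installed.'
                }
            } finally {
                & mountvol.exe "${TempLetter}:" /D | Out-Null     # always unmount again
            }
        }
    }
    if ($report.Findings.Count -eq 0) { $report.Findings += 'Layout and boot manager look ready for Secure Boot.' }
    return [pscustomobject]$report
}

# Usage from an elevated prompt:
Get-BootLayoutReport | Format-List
```

A "Valid" status from Get-AuthenticodeSignature means the file's signature chain verifies on this Windows installation; the firmware makes its own decision against the signer certificates in its db, so a Microsoft-signed bootmgfw.efi with a valid chain is the expected state on a PC certified for Windows, and anything else is the case the reply above says you fix with BCDBOOT rather than by wiping the EFI partition.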