
SecureBoot Enabled but UEFISecureBootEnabled equals 0


Hello and greetings from Portugal!


I've noticed something strange when checking the prerequisites for the Windows 11 upgrade.

On some machines, although they have Secure Boot enabled, the registry key "HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State" has UEFISecureBootEnabled equal to 0.


Does anyone have this issue?
Does anyone know how to upg

8 Replies
AFAIK, UEFISecureBootEnabled at Value 0 should correspond to secure boot OFF.

I don't know if it's a known bug, but you can always report it to Feedback Hub.


It's solved! :)

In my case, although Secure Boot was enabled, the issue was that the "Platform Mode" option was set to "Setup Mode". For the registry key to update correctly, the option needs to be "User Mode".

To change to "User Mode" I needed to restore factory keys.

After that, everything worked fine and the registry key was correctly changed to 1.
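The reply above describes the cause: the firmware toggle says Secure Boot is on, but the platform is still in Setup Mode (no Platform Key enrolled), so Windows reports UEFISecureBootEnabled = 0. The following PowerShell check is an added example, not code from the thread; it reads the registry flag alongside the firmware's own SetupMode, SecureBoot and PK variables so the two can be compared on a suspect machine. It assumes an elevated prompt on a UEFI-booted Windows 10/11 system; the cmdlets throw on legacy BIOS boot, which the script reports rather than hides.

```powershell
# Added example (not from the thread): correlate the UEFISecureBootEnabled registry
# value with the firmware's actual Secure Boot state. Run from an elevated prompt.
# Per the UEFI spec the platform only enforces Secure Boot when SetupMode == 0 and
# SecureBoot == 1, which is why a menu toggle alone is not enough.

function Get-SecureBootStatus {
    $result = [ordered]@{
        FirmwareType                  = $env:firmware_type   # 'UEFI' or 'Legacy'
        RegistryUEFISecureBootEnabled = $null                # 1 = Windows sees Secure Boot on
        ConfirmSecureBootUEFI         = $null                # cmdlet view of the same fact
        SetupMode                     = $null                # 1 = Setup Mode, 0 = User Mode
        FirmwareSecureBoot            = $null                # UEFI 'SecureBoot' variable
        PlatformKeyPresent            = $null                # PK enrolled == User Mode
        Verdict                       = $null
    }

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $result.RegistryUEFISecureBootEnabled =
        (Get-ItemProperty -Path $regPath -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue).UEFISecureBootEnabled

    try {
        $result.ConfirmSecureBootUEFI = Confirm-SecureBootUEFI
    } catch {
        # Thrown on legacy BIOS boot or when the firmware does not expose the variables.
        $result.ConfirmSecureBootUEFI = "n/a ($($_.Exception.Message))"
    }

    # SetupMode and SecureBoot are single-byte UEFI variables.
    try { $result.SetupMode          = (Get-SecureBootUEFI -Name SetupMode).Bytes[0] } catch {}
    try { $result.FirmwareSecureBoot = (Get-SecureBootUEFI -Name SecureBoot).Bytes[0] } catch {}

    # In Setup Mode no Platform Key is enrolled, so reading PK fails.
    try {
        $null = Get-SecureBootUEFI -Name PK
        $result.PlatformKeyPresent = $true
    } catch {
        $result.PlatformKeyPresent = $false
    }

    $result.Verdict = if ($result.RegistryUEFISecureBootEnabled -eq 1) {
        'OK: Secure Boot enforced and the registry agrees'
    } elseif ($result.SetupMode -eq 1) {
        'Firmware is in Setup Mode (no PK): switch to User Mode / restore factory keys, then re-check'
    } elseif ($result.FirmwareType -ne 'UEFI') {
        'Legacy BIOS boot: Secure Boot cannot be enforced until Windows boots via UEFI from a GPT disk'
    } else {
        'Secure Boot not enforced: check the firmware settings'
    }

    [pscustomobject]$result
}

Get-SecureBootStatus | Format-List
```

A machine in the state the thread describes shows SetupMode = 1, PlatformKeyPresent = False and FirmwareSecureBoot = 0 even though the firmware menu says Secure Boot is enabled; after restoring factory keys all three flip and the registry value becomes 1.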
Thanks for sharing the update, glad it is resolved!

Hello, I have the same problem. Would you be so kind as to tell me what the procedure is to restore the factory keys?

Hi @carlos1015!
It will depend on the device, but here's our procedure for most Lenovo devices:
- Enter "UEFI"
- Go to "Security"
- Then select "Secure Boot"
- Select "Factory Keys"

This will restore the factory keys.
It worked for us on all devices. 


Note: Be aware that if you're using BitLocker it may ask you the recovery key.


My computer is an Acer Nitro 5 and I only get the option to turn Secure Boot on or off.

What could I do in this case since I don't get the option for factory keys?

@carlos1015 Basically the OP was trying to figure out how to manually configure Secure Boot from within UEFI (on most newer computers you can set the UEFI firmware to do this automatically). Typically you don't have to reset all the platform keys. It will automatically fetch them and install them, if the bootloader is signed, and it will set up the TPM for you as well. Read the entire post before trying anything, so you fully understand what you're getting into. You can also do this in a VM or with WinPE to experiment first, without touching or modifying your current setup:

If Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify that it hasn't been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:

A.) The bootloader was signed using a trusted certificate. For PCs certified for Windows, the Microsoft certificate is trusted.
B.) The user has manually approved the bootloader's digital signature. This action allows the user to load non-Microsoft operating systems.

Secure Boot -> https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process#secure-boot

You can easily verify your current setup via the command prompt:

Microsoft Windows [Version 10.0.22000.832]
(c) Microsoft Corporation. All rights reserved.

C:\Users\<user_name_here>\Desktop>BCDEDIT /V
C:\Users\<user_name_here>\Desktop>BCDEDIT /ENUM ACTIVE

On hybrid UEFI / BIOS setups, with most ACER firmware on pre-built computers, it's automatic. The only issue is that you need to make sure you have a UEFI bootloader, and it has the correct signature. Most of the time, you can refresh or merge the bootloader if it is corrupt, but by default it should ALREADY be signed. If not, then you might have to verify your current setup to see what type of disk you have, and then reinstall the bootloaders yourself:

NOTE: This is just an example of what manually installing a bootloader looks like. This is not what you would do in all possible situations either. Often the bootloader has no problem. For some it doesn't work, just because a person does not even have a signed UEFI bootloader installed to begin with:

Microsoft Windows [Version 10.0.22000.832]
(c) Microsoft Corporation. All rights reserved.

C:\Users\<user_name_here>\Desktop>diskpart

Microsoft DiskPart version 10.0.22000.653

Copyright (C) Microsoft Corporation.
On computer: <user_name_here>

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online         xxxx GB      0 B        *

DISKPART> select disk 0

Disk 0 is now the selected disk.

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System             260 MB  1024 KB
  Partition 2    Reserved            16 MB   261 MB
  Partition 3    Primary            xxx GB   277 MB

DISKPART> select partition 1

Partition 1 is now the selected partition.

DISKPART> assign letter=s

DiskPart successfully assigned the drive letter or mount point.

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     S                FAT32  Partition    260 MB  Healthy    System
  Volume 2     C   Windows      NTFS   Partition    xxx GB  Healthy    Boot

DISKPART> exit

Leaving DiskPart...

C:\Users\<user_name_here>\Desktop>BCDBOOT C:\Windows /s S: /f UEFI

If you have an MBR disk with no EFI or MSR partitions, then of course you will have problems, as Secure Boot is mainly only supported with an EFI / UEFI bootloader. In most cases, it's smarter to utilize a GPT partition layout for compatibility reasons, instead of MBR, even if the drive is smaller than 2GB. Some types of BIOS / UEFI won't recognize it unless it's GPT for UEFI.

Typically the EFI partition is between 100MB and 260MB (256MB), and the MSR partition is 16MB (on Windows 7 it was 500MB for MSR). If your HDD uses Advanced Format (512e), which you will have to manually check ahead of time, then you can't use a 100MB EFI partition; it has to be 260MB (256MB in actuality. In diskpart for a FAT32 EFI partition, which requires use of binary prefixes, the size is listed as 260MB). If you dual or triple boot with Linux / Unix, then it requires a 260MB (256MB) EFI partition.

If an entry is corrupt, it's MUCH smarter to merge a bootloader, regardless of the situation (especially with dual or triple boot setups), than it would be to just clean off the entire EFI partition and start over.

Regardless of what setup you have, you may have to also add a boot code using Bootsect for the System Drive (which often has a volume letter of C). Here are some command line arguments / programs, which help you set up a bootloader, if you are migrating a Windows Image from one PC to another:

"If there is already a boot entry for this Windows partition, by default, BCDBoot erases the old boot entry and its values. Use the /m option to retain the values from an existing boot entry when you update the system files." -> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdboot-command-line-options-techref-di?view=windows-11#how-it-works

BCDEDIT /STORE /?
BCDEDIT /SET /?
BCDEDIT /? FORMATS

BCDBOOT C:\Windows /s S: /f UEFI
BCDBOOT C:\Windows /s S: /f BIOS
BCDBOOT C:\Windows /s S: /f ALL
BCDBOOT C:\Windows /m {insert_windows_boot_loader_identifier_here}

BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /V

BCDEDIT /V

BCDEDIT /ENUM {current}
BCDEDIT /ENUM ACTIVE

BCDEDIT /DELETEVALUE {default} <INSERT_VALUE_HERE>

BCDEDIT /SET {bootmgr} device partition=S:
BCDEDIT /SET {default} device partition=C:
BCDEDIT /SET {default} osdevice partition=C:

BCDEDIT /SET {bootmgr} device partition=\Device\HarddiskVolume2
BCDEDIT /SET {default} device partition=\Device\HarddiskVolume1
BCDEDIT /SET {default} osdevice partition=\Device\HarddiskVolume1

BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {bootmgr} device partition=S:
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {default} device partition=C:
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {default} osdevice partition=C:

BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {bootmgr} device partition=\Device\HarddiskVolume2
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {default} device partition=\Device\HarddiskVolume1
BCDEDIT /STORE S:\EFI\Microsoft\Boot\BCD /SET {default} osdevice partition=\Device\HarddiskVolume1

For information about additional types for particular applications,
run "bcdedit /? TYPES <apptype>", where <apptype> is one of the following:

BOOTAPP     Boot applications. These types also apply to the boot manager,
            memory diagnostic application, Windows OS loader, and the resume
            application.
BOOTMGR     Boot manager.
BOOTSECTOR  Boot sector application.
CUSTOMTYPES Custom types.
DEVOBJECT   Device object additional options.
FWBOOTMGR   Firmware boot manager
MEMDIAG     Memory diagnostic application
NTLDR       OS loader that shipped with earlier Windows OS
OSLOADER    Windows Vista OS loader
RESUME      Resume application

"Boot Settings" -> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set#boot-settings

"BCDEdit Options Reference" -> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcd-boot-options-reference
"Boot Parameters to Configure DEP and PAE" -> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-parameters-to-configure-dep-and-pae
"Bootsect Command-Line Options" -> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bootsect-command-line-options
"BCDBoot Command-Line Options" -> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdboot-command-line-options-techref-di?view=windows-11#command-line-options
"Boot to a virtual hard disk: Add a VHDX or VHD to the boot menu" -> https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/boot-to-vhd--native-boot--add-a-virtual-hard-disk-to-the-boot-menu
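The long reply above boils down to three preconditions before Secure Boot can do anything: UEFI firmware, a GPT system disk with a FAT32 EFI System Partition, and a bootmgfw.efi on that partition carrying a valid Microsoft signature. The script below is an added example, not code posted in the thread; it checks those three things from an elevated PowerShell prompt instead of walking through diskpart by hand. It assumes drive letter T: is free (mountvol /S is used to mount the ESP temporarily) and that the Windows system drive is the one to inspect.

```powershell
# Added example (not from the thread): verify the boot chain that Secure Boot depends on.
# Elevated PowerShell required. T: is assumed to be an unused drive letter.

$EspGptType  = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # EFI System Partition type GUID
$MountLetter = 'T'

function Test-BootChain {
    $report = [ordered]@{}
    $report.FirmwareType = $env:firmware_type            # 'UEFI' or 'Legacy'

    # Locate the disk that holds the Windows system drive and report its partition style.
    $sysPart = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':')
    $sysDisk = Get-Disk -Number $sysPart.DiskNumber
    $report.SystemDisk     = $sysDisk.Number
    $report.PartitionStyle = $sysDisk.PartitionStyle      # 'GPT' expected for UEFI boot

    # An ESP is identified by its GPT type GUID, not by its label or size.
    $esp = Get-Partition -DiskNumber $sysDisk.Number | Where-Object { $_.GptType -eq $EspGptType }
    if (-not $esp) {
        $report.Esp = 'none on the system disk (MBR layout or missing ESP; bcdboot /f UEFI needs a FAT32 ESP)'
        return [pscustomobject]$report
    }
    $report.EspSizeMB = [math]::Round($esp.Size / 1MB)

    # mountvol <letter>: /S mounts the EFI System Partition; /D dismounts it again.
    mountvol "${MountLetter}:" /S | Out-Null
    try {
        $loader = "${MountLetter}:\EFI\Microsoft\Boot\bootmgfw.efi"
        if (-not (Test-Path $loader)) {
            $report.Loader = "missing: $loader (rebuild with: bcdboot C:\Windows /s ${MountLetter}: /f UEFI)"
        } else {
            # Authenticode check from the OS's point of view. The firmware trusts whatever
            # certificates sit in its db, so 'Valid' here is necessary but does not by itself
            # prove the firmware's db contains the matching Microsoft CA.
            $sig = Get-AuthenticodeSignature -FilePath $loader
            $report.Loader           = $loader
            $report.SignatureStatus  = $sig.Status        # 'Valid' expected
            $report.Signer           = $sig.SignerCertificate.Subject
            $report.SignerThumbprint = $sig.SignerCertificate.Thumbprint
        }
    } finally {
        mountvol "${MountLetter}:" /D | Out-Null
    }
    [pscustomobject]$report
}

Test-BootChain | Format-List
```

If PartitionStyle comes back as MBR or no ESP is found, the bcdboot commands listed in the post cannot produce a Secure Boot capable layout on their own; the disk has to be converted to GPT (or reinstalled) first. If the loader is present but SignatureStatus is anything other than Valid, rebuilding it with bcdboot from a known-good Windows installation is the fix the post recommends.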