SOLVED

b26063 - Bug Bash - Windows Security > Device Security - Cannot enable VBS anymore - FIXED

MVP

I have updated my UEFI and redeployed Secure Boot settings.

Now on all Windows versions (multiboot) I cannot enable VBS and Core Isolation anymore. I could enable it without errors, but it becomes disabled after reboot.

Potentially related error message: 
PCR7: Binding not possible

Problems:
- cannot enable security features / will be disabled after reboot or "blocked as if GPO controlled"
- cannot start Hyper-V VMs anymore due to missing VBS

Affected Builds:
Windows 11 23H2 02-2024 
Windows 11 24H2 02-2024 Dev
Windows Server 2022 02-2024
Windows Server 2025 (Azure Edition) b26063.

Could this be related to this action? Have not executed it yet.
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/...


Unlike on Windows Server, on Windows 11 all other security settings are disabled now, too (stated they are controlled by the admin).

Reinstallation of the OS didn't help. Anyone else seeing this?


2 Replies
best response confirmed by Karl-WE (MVP)
Solution

Ok fixed it. There is a new (BETA) BIOS, released some days ago, which addresses the issue. It is not mentioned in the release notes though.

I have the strong feeling it is related to the UEFI secure boot changes described in the linked article.

Believe we could need an urgent advisory. A blogpost isn't enough if this is true.
If the February changes (not yet fully proven) are able to disable security with unpatched UEFI devices, this would be something very notable.

Mind that admins / users don't regularly do BIOS / UEFI updates on Servers or Clients.

 

Solution in a summary

 

Hello Lien, how are you doing?

No, it has been solved for 22H2.

 

- update my UEFI from a 2023 to a 2024 beta version from ASRock

- redeploying Secure Boot keys and make sure it's enabled

- enabling Core Isolation on the Hyper-V Host (HVCI) which also enables VBS

- enable vTPM on the Azure Stack HCI nested virtualization VM (mslab)

Cannot reproduce this in my sphere as all managed devices around me already received UEFI updates in Feb.

For now, I can only interpret this as a local issue.
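
A read-only check for the symptom described in this thread (VBS / Core Isolation switched on, then off again after reboot), added here as an example and not part of the original posts. It assumes an elevated PowerShell session on the affected host; the helper name `Convert-ServiceList` is made up for this example.

```powershell
# Added example: read-only status report, run elevated after the reboot.
# Secure Boot state as reported by firmware (throws on non-UEFI platforms).
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = "unavailable: $($_.Exception.Message)" }

# TPM presence/readiness (relevant to the vTPM step in the solution).
try   { $tpm = Get-Tpm; $tpmState = "present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)" }
catch { $tpmState = "unavailable: $($_.Exception.Message)" }

# VBS / Device Guard state from the Win32_DeviceGuard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

$vbsText = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$svcText = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }

# Hypothetical helper: turn service ids into readable names.
function Convert-ServiceList($ids) {
    $names = @($ids) | Where-Object { $_ -ne 0 } | ForEach-Object {
        if ($svcText.ContainsKey([int]$_)) { $svcText[[int]$_] } else { "service id $_" }
    }
    if ($names) { $names -join ', ' } else { 'none' }
}

# Services that are configured but did not come up on this boot.
$notRunning = @($dg.SecurityServicesConfigured |
    Where-Object { $_ -ne 0 -and $_ -notin $dg.SecurityServicesRunning })

[pscustomobject]@{
    SecureBoot          = $secureBoot
    Tpm                 = $tpmState
    VbsStatus           = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured  = Convert-ServiceList $dg.SecurityServicesConfigured
    ServicesRunning     = Convert-ServiceList $dg.SecurityServicesRunning
    ConfiguredNotActive = Convert-ServiceList $notRunning
} | Format-List

if ($notRunning.Count -gt 0 -or $dg.VirtualizationBasedSecurityStatus -eq 1) {
    Write-Warning 'VBS or a VBS service is configured but not running on this boot.'
}
```

The "PCR7: Binding not possible" value quoted in the question is shown in System Information (`msinfo32.exe`, run elevated) under "PCR7 Configuration".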