Secure Boot Violation booting the OS Image

Phearin

Dear team,

We tried to boot the Image OS from USB drive, then we received this message pop up. Could you please assist what would be root cause of this issue?

Note:

Due to security compliance, Secure Boot is required to enable at the beginning.



Thanks,
Phearin
 
MS released a new UEFI boot loader in July 2024 to replace the previous boot loader (which is known to be insecure against attacks by the Black Lotus rootkit).

There are now two classes of the boot loader for W10 & 11 releases:
1. Legacy UEFI versions, signed by the Microsoft Windows Production PCA 2011 secure certificate.
2. Newer UEFI versions, signed by Microsoft Windows UEFI CA 2023.

When your PC has applied none, some, or all of the Black Lotus UEFI mitigation steps, the UEFI's DB and DBX databases may not trust the ISO's boot loader, either because PCA 2011 was revoked (not trusted) or because UEFI CA 2023 wasn't added (not trusted).


If you get this BIOS error, check if the Updates toolbar setting for Update boot manager has been enabled. NTLite can allow you to choose between the two different versions, depending on whether your BIOS has been updated or not.



This PS script, when run on a live system, will report whether the boot files on a mounted USB drive match what the BIOS will allow you to boot. It compares the UEFI's DB & DBX lists against the EFI file's signing cert.
 


garlin Thank you for your information. Yet, I tried to launch the image in NTLite again and checked the Updates toolbar as you mentioned, and I got exactly the same screen as shown. But I couldn't find how NTLite allows me to choose/select.

 
The option to update boot managers is enabled only if a cumulative update is in the queue for integration.
If the image is already updated, you can add the latest update again; just make sure no components were removed. Best is to start from an original Microsoft non-edited ISO each time.
Make sure when updating the USB stick to not just copy the install.wim, but the whole content, as boot.wim and some setup/ISO files are also updated.

Btw this whole thing around Secure Boot is very complex, let me know how it goes after updating the boot managers.
Here is the official info from Microsoft, even how to remove that lock from the machine under the recover section.

In general, not specific to NTLite, some people disable Secure Boot in the BIOS, install, then re-enable it.
 
In general, not specific to NTLite, some people disable Secure Boot in the BIOS, install, then re-enable it.
Unless you work in an environment that enforces a strict policy requirement for Secure Boot at all times.

The problem is unless you know whether the Black Lotus UEFI mitigations have been applied, you're not easily going to know which boot loader to select. You have to check the target PC's current DB & DBX lists to understand which version(s) are allowed.

Each PC might have different settings. The script reads the UEFI details without requiring you to enter BIOS mode.
 
Perform the following steps:
SOURCE
  1. Activate secure boot
  2. Open PowerShell (Windows Terminal) and execute the following 2 commands, pressing Enter after each one.
    • Command 1: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40
    • Command 2: Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
  3. Restart the machine 2 times in a row, waiting 1 minute for each restart as a precaution
  4. Run the following command in PowerShell: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023' (this command should return "True").
That's it, just test it

Before following the steps, check with the Garlin script if your BIOS already has the new Microsoft certificate installed.
If you already have Secure Boot activated, it will work.
If not, you will have to follow the steps above.
And if you still don't have the new certificate after following the steps above, try updating your BIOS from the website of your motherboard manufacturer and the chipset as a precaution, and repeat the steps above.

If it still doesn't work, I can't help you anymore.

I hope I helped
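As an added example (not garlin's attached script, nor anything shipped with NTLite), the following PowerShell reads the local UEFI db and dbx the way the thread's check command does, reports which class of Microsoft boot loader the firmware will currently accept, and compares that against the signer of a boot file on a mounted USB drive. The USB drive letter is an assumed placeholder; run from an elevated prompt on a UEFI system.

```powershell
# Added example for this thread; not garlin's script. Needs an elevated prompt on a UEFI PC.
param(
    # Placeholder: adjust to the drive letter of your mounted USB install media.
    [string]$BootFile = 'E:\efi\boot\bootx64.efi'
)

$pca2011 = 'Microsoft Windows Production PCA 2011'   # legacy signing CA
$ca2023  = 'Windows UEFI CA 2023'                    # new signing CA (post-July-2024 loaders)

# Certificate subject names are stored as plain ASCII inside the DER blobs of
# the EFI_SIGNATURE_LIST entries, so a substring match is enough to detect a CA.
function Test-UefiVarContains {
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    } catch {
        Write-Warning "Could not read UEFI variable '$Name': $($_.Exception.Message)"
        return $false
    }
    return ([System.Text.Encoding]::ASCII.GetString($bytes)) -match [regex]::Escape($Pattern)
}

$secureBootOn   = try { Confirm-SecureBootUEFI } catch { $false }
$dbHas2011      = Test-UefiVarContains -Name db  -Pattern $pca2011
$dbHas2023      = Test-UefiVarContains -Name db  -Pattern $ca2023
$dbxRevokes2011 = Test-UefiVarContains -Name dbx -Pattern $pca2011   # Black Lotus mitigation step

# A loader class boots only if its CA is in db and not revoked in dbx.
# (dbx may also hold hashes of individual files; this check only covers the CA entries.)
$legacyAllowed = $dbHas2011 -and -not $dbxRevokes2011
$newAllowed    = $dbHas2023

"Secure Boot enabled       : $secureBootOn"
"Legacy loaders (PCA 2011) : " + $(if ($legacyAllowed) { 'allowed' } else { 'NOT allowed' })
"New loaders (UEFI CA 2023): " + $(if ($newAllowed)    { 'allowed' } else { 'NOT allowed' })

if (Test-Path $BootFile) {
    # The boot manager is an Authenticode-signed PE; its signer's issuer names the CA.
    $issuer = (Get-AuthenticodeSignature -FilePath $BootFile).SignerCertificate.Issuer
    "Boot file signer issuer   : $issuer"
    $fileOk = ($issuer -match [regex]::Escape($pca2011) -and $legacyAllowed) -or
              ($issuer -match [regex]::Escape($ca2023)  -and $newAllowed)
    "Boot file will be trusted : $fileOk"
} else {
    Write-Warning "Boot file not found at $BootFile; skipped the file check."
}
```

If the last line reports False, the media's boot loader class does not match what this PC's db/dbx permit, which is the situation the error in the first post describes.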
 
There's no requirement to update the UEFI right now, but MS is hinting it will begin enforcing it later this year. Organizations are supposed to start planning how they want to roll out the changes.

The first migration step is to add the new Windows UEFI CA 2023 certificate to the UEFI DB. This allows both the legacy and new boot files to be used, since each will be trusted by separate signing certs. If you follow the above steps, then it doesn't matter (for now) which version is included on your ISO.
 
What do you mean, my version?

I always use the latest version of the ISO with the most recent updates.

And as for not needing it, it is necessary, it is a security issue, it is to correct a vulnerability and my ISO only starts after I have done these procedures.
 
Many thanks for this info.

I tried all of this, for both the install.wim and boot.wim, to update the "boot manager" with the toggle mentioned above in this blog.
I made an ISO image of this whole content and made a bootable USB stick with Rufus.
I have a system (Acer TravelMate) on which the new certificate "Windows UEFI CA 2023" is already inside the UEFI firmware.
Now, if I want to reinstall this device with this freshly created USB stick, it is able to boot and copies all files for the first install step of Windows to the disk, but as soon as it restarts (tries to start from the OS on the disk to continue the install) I get a security error message saying the Secure Boot version check failed: current version 3.0, minimum allowed version 5.0.
It seems to me that the install process still installs an old or wrong certificate for the boot loader on the disk.


Are there any known issues with that, or what am I doing wrong in this matter?
 
I've never bothered with it, like many others, and I've never had any problems installing Windows.
I couldn't help.

Afterwards, Secure Boot is disabled in my Windows, from memory.
 