Secure Boot suddenly stopped working with Windows 7

Discussion in 'Operating Systems' started by evilsofa, Mar 21, 2016.

  1. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    I'm dual booting Windows 10 on one SSD and Windows 7 on the other SSD; motherboard is the ASUS Sabertooth Z170. Secure Boot suddenly stopped working for Windows 7 but not for Windows 10.

    Today, on the Windows 7 install, a few updates came through on Windows Update: KB3138901, KB3139923, KB3137061, KB3133977, none of which seem to have anything particularly to do with Secure Boot. After installing them, I rebooted, and it booted up fine.

    I then updated Steelseries Engine (for my Steelseries Rival mouse) from 3.6.6 to 3.6.7, then rebooted, and the red alert window came up talking about a Secure Boot violation, unauthorized changes, etc.

    Booting up in Safe Mode was not possible, and the Secure Boot setting in the BIOS was greyed out and not changeable in a straightforward manner. I eventually learned how to disable Secure Boot on current motherboards by backing up then deleting the PK Secure Boot Key.

    Now that I could boot into Windows 7 again, I uninstalled Steelseries Engine 3.6.7 and installed 3.6.6, then turned Secure Boot back on by restoring the PK key that I had backed up, but Secure Boot still didn't work. I then uninstalled the four KBs and Secure Boot still doesn't work.

    I guess I just won't use Secure Boot again until I'm ready to re-install Win7 on that SSD, which I won't do until after the only reason I'm using it now (to run Skyrim, because DirectX9 has a 4GB limit for VRAM usage in Windows 8 and later).

    I'm baffled as to what happened to make Secure Boot go nuts, though, and what I could possibly do to find out what Secure Boot has a problem with. As I read through various Google searches, I get the impression that the question is more like "why was Secure Boot working with Windows 7 at all?"

    To be clear on one point: through all this, the Windows 10 install had no issues and worked fine with Secure Boot on.
     
    HN_FIN likes this.
  2. devil22

    devil22 2[H]4U

    Messages:
    3,834
    Joined:
    Jan 1, 2003
    I'm not sure of your reasoning regarding skyrim, 32-bit DX9 apps/games are limited to 4GBs of VRAM regardless of OS afaik. Also there is a memory mod, that will allow skyrim to use more than that with a modified DX9 .dll, might want to look for that. As far as SecureBoot itself, can't offer much but I would run a malware/rootkit scan just in case. Edit: I'm also pretty sure SecureBoot is Win 8+ only, but if it does work with Win 7 somehow, maybe you just need to re-install the key because maybe one of the updates changed the boot code or whatever it checks. Should be an option like 'install default key' or something in the bios. (I'm assuming Windows loads a new key into the bios when necessary, to be honest I'm not intimately familiar with SecureBoot so this could be completely wrong.)
     
    Last edited: Mar 21, 2016
  3. HN_FIN

    HN_FIN n00b

    Messages:
    1
    Joined:
    Mar 21, 2016
    Almost the same happened to me yesterday with Asus Z97I-PLUS. After installing those four updates, the following reboot went fine. But after turning the PC off for the night, next morning I got the red " secure boot violation - unauthorized changes " warning.

    I used a Windows 7 DVD to boot and then used system restore to revert installing those KBs. I also went into Asus BIOS settings and I was able to change the Secure boot OS type from "Windows UEFI Mode" to "Other OS", effectively disabling the secure boot, I guess...
    After that the system has worked normally and I have also re-installed those four KBs.

    I have currently a single-boot system with Windows 7, but I have also tested Windows 8 at one point, and the PC has two HDDs with Windows boot logic on them. So something rather similar as your dual-boot system.

    My guess about the culprit is KB3133977, which is about Bitlocker encryption (whole-disk secure encryption that also uses the TPM chip on the device, if present). I guess that the patch installation went somehow wrong and some signature that is checked with the Asus BIOS secure boot did not match any more. Having a multi-disk dual-boot type of thing may confuse either the KB installation, or BIOS's reaction to changing the boot files.

    (The other three updates seem harmless and unrelated.)
     
  4. jonescrusher

    jonescrusher n00b

    Messages:
    6
    Joined:
    Nov 9, 2011
    Same issue here on Asus Rampage V Extreme motherboard. Installed the 4 optional fixes yesterday and rebooted with no problem. On subsequent boot the "Secure Boot Violation" red box error appeared. Only way to get beyond it was to clear Secure Boot settings and disable capability. Successfully System Restored to pre-fix environment but still can't enable Secure Boot feature without error. Same issue happened on another one of my PCs a couple of years ago which took Microsoft weeks to diagnose and fix with a subsequent fix.
     
  5. BulletDust

    BulletDust [H]ardness Supreme

    Messages:
    6,057
    Joined:
    Feb 17, 2016
    I guess you're stuffed if you have one of the latest boxed Dell and the like systems that provide no capability to disable secure boot then - Further securing the fate of the PC platform...

    It's becoming easier to install alternate operating systems and the like on a Mac of all things.
     
  6. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    Thanks guys, sounds like one of the four KBs is the culprit after all then, and whatever happens until the next reboot (like my updating Steelseries Engine) is just a red herring. Three people in this thread having the same exact behavior makes it sound like we'll be seeing this in the news sooner or later. A lot of people are not going to be able to figure out how to disable Secure Boot.

    Skyrim does have that limitation in Windows 8.x and 10 when using ENBoost, but in Windows 7 it does not. It is a DX9 bug which Microsoft is aware of and has posted about but there's no way they're going to patch DX9 now. I'd rather not get into it in this thread, which discusses a bug that Microsoft hopefully will fix.
     
  7. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    Relevant thread on Microsoft Technet. Exact same symptoms, blamed on KB3133977 Bitlocker patch. An interesting comment was "How do you manage to get this error? Windows 7 does not work with Secure Boot. Never has as far as I know." which reflects my confusion when I was trying to research this issue. I keep finding comments to the effect that "Windows 7 doesn't support Secure Boot".
     
  8. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    Hm, I just noticed that the three cases here and the one in the Technet thread all have ASUS motherboards - two Z97, one X99 and one Z170. Perhaps it's an ASUS BIOS bug triggered by one of the Windows updates, or maybe it's just a symptom of ASUS being really popular.
     
  9. devil22

    devil22 2[H]4U

    Messages:
    3,834
    Joined:
    Jan 1, 2003
    That bug report is concerning an issue with x64 apps. Skyrim is 32-bit. I've looked into this before and like I said a 32-bit game using DX9 can't use more than 4GBs, and that 4GBs has to include both VRAM + Regular RAM usage, and Win 7 vs. Win 8 has nothing to do with it.
    Are there *Video* memory limitations for 32-bit processes? - Ars Technica OpenForum
     
  10. ryan_975

    ryan_975 [H]ardForum Junkie

    Messages:
    14,073
    Joined:
    Feb 6, 2006
    Just a wild ass guess here, but Bitlocker has to be loaded before the OS in order to decrypt the drive for the bootloader. If Asus' SecureBoot implementation is working for Windows 7, then it could be hashing the bootcode to make sure it doesn't change. Updating Bitlocker might be changing something in the bootcode, which would change the hash that Asus' SecureBoot might be computing.
     
  11. Prabhakara HV

    Prabhakara HV n00b

    Messages:
    3
    Joined:
    Mar 22, 2016
    Is it the windows 10 boot loader(bootmgr) complaining about unable to launch windows7? Would it be possible for you to post the screen image where you are seeing this violation?
     
  12. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    I'm not using the Win10 boot loader at all. I use the BIOS to choose which SSD is the boot drive. For now, since I'm on a stint of playing Skyrim, I have it set to boot up the Win7 SSD by default, and if I need to run Win10 I'll F8 during bootup and choose the Win10 SSD using the BIOS boot menu. I tried using the Win10 bootloader, but with that I have to make a choice every time I boot up and that's an unnecessary delay when I'm mostly using one or the other, so I turned off the bootloader.
     
  13. Prabhakara HV

    Prabhakara HV n00b

    Messages:
    3
    Joined:
    Mar 22, 2016
    Probably that explains the issue. If Windows 10 bootloader is used, you may not see the issue since bootloader of Windows 10 is trusted by BIOS's Secureboot. Since Windows 7 does not support Secureboot, I am not sure ASUS BIOS is doing the right thing by blocking this bootmgr. Is it possible to validate what happens if you use windows 10 bootloader?
     
  14. DANNEEE

    DANNEEE Guest

    Messages:
    3
    Joined:
    Mar 24, 2016
    I re-installed windows 7 on my computer yesterday and i got the exakt same problem as you guys after installing all the windows updates, and after i reboot the computer i get a red sign up were it stand that boot secure violation. I got a ASUS Z97-A motherboard.
     
  15. Osirus

    Osirus Limp Gawd

    Messages:
    220
    Joined:
    Sep 4, 2015
    Secure Boot didnt "suddenly" stop working in obsolete Windows 7. Obsolete Windows 7 has never supported Secure Boot.

    ASUS must have screwed something if Secure Boot became enabled. Turn it off in UEFI if you insist on running an outdated OS.
     
  16. DANNEEE

    DANNEEE Guest

    Messages:
    3
    Joined:
    Mar 24, 2016
    Never had problem with this before. First time ive ever had this problem. And it came after the four windows updates.
     
  17. Praqoon

    Praqoon n00b

    Messages:
    1
    Joined:
    Mar 24, 2016
    I suffered the same fate in exactly the same way as many of you good people. I run Windows 7 on a Gryphon Z87 which has been performing admirably for years until "Update for Windows 7 for x64-based Systems (KB3133977)" was installed and then ASUS Secure Boot refused to allow the OS to load. I strongly suspect this is another ploy by Microsoft to scaremonger users into upgrading to Windows 10 because it smells of a rat. Either that or the techie responsible for releasing these optional updates needs firing!

    Thank you all for your help and advice on this issue. I joined this forum just to say thanks. <3
     
    B00nie likes this.
  18. DANNEEE

    DANNEEE Guest

    Messages:
    3
    Joined:
    Mar 24, 2016
    I really hope they fix this issue!
     
  19. Prabhakara HV

    Prabhakara HV n00b

    Messages:
    3
    Joined:
    Mar 22, 2016
    Windows 7 does not support Secureboot. ASUS BIOS seems to be blocking the windows 7 here as this update carries win7 bootmgr. I would advice to turn off Secureboot to bring your system to working state again as Windows 7 does not support with Secureboot.
     
    Last edited: Mar 24, 2016
    Armenius likes this.
  20. ryan_975

    ryan_975 [H]ardForum Junkie

    Messages:
    14,073
    Joined:
    Feb 6, 2006
    This has nothing to do with MS trying to push W10 on everyone. It has to do with ASUS pushing a non-standard secure boot implementation.

    The update you mention is a fix for a bitlocker bug. It modifies the following files (among others):
    Bootmgfw.efi
    Bootmgr.efi

    Those two files contain the UEFI boot loader for Windows. Them being changed is what's tripping up ASUS' non-standard secure-boot implementation. If ASUS had followed the Secure Boot standard, you wouldn't have ever been able to boot Windows 7 with it enabled.
     
    pxc and Armenius like this.
  21. Osirus

    Osirus Limp Gawd

    Messages:
    220
    Joined:
    Sep 4, 2015
    Yeah but the default reaction is to "strongly suspect" Microsoft of some shady underhanded trick to "scare" people into installing Windows 10 rather than to actually learn how your PC and Operating System function.
     
  22. agg83

    agg83 n00b

    Messages:
    1
    Joined:
    Mar 25, 2016
    Hey.
    I solved a problem as follows:
    updated BIOS
    I turned off Secure Boot
     
  23. evilsofa

    evilsofa [H]ardForum Junkie

    Messages:
    10,078
    Joined:
    Jan 1, 2007
    Microsoft just switched KB3133977 from "Optional" to "Recommended", so there's going to be a lot more people experiencing this issue. ASUS has issued a FAQ with a solution that is simpler than the one I was using. And I got a mention in an InfoWorld article.

    I guess I better post about this in the Motherboards forum. Edit: and sure enough, already there was someone in the Intel Mobos forum who had run into this problem.
     
    Last edited: May 7, 2016