Secure Boot suddenly stopped working with Windows 7

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
I'm dual booting Windows 10 on one SSD and Windows 7 on the other SSD; motherboard is the ASUS Sabertooth Z170. Secure Boot suddenly stopped working for Windows 7 but not for Windows 10.

Today, on the Windows 7 install, a few updates came through on Windows Update: KB3138901, KB3139923, KB3137061, KB3133977, none of which seem to have anything particularly to do with Secure Boot. After installing them, I rebooted, and it booted up fine.

I then updated Steelseries Engine (for my Steelseries Rival mouse) from 3.6.6 to 3.6.7, then rebooted, and the red alert window came up talking about a Secure Boot violation, unauthorized changes, etc.

Booting up in Safe Mode was not possible, and the Secure Boot setting in the BIOS was greyed out and not changeable in a straightforward manner. I eventually learned how to disable Secure Boot on current motherboards by backing up then deleting the PK Secure Boot Key.

Now that I could boot into Windows 7 again, I uninstalled Steelseries Engine 3.6.7 and installed 3.6.6, then turned Secure Boot back on by restoring the PK key that I had backed up, but Secure Boot still didn't work. I then uninstalled the four KBs and Secure Boot still doesn't work.

I guess I just won't use Secure Boot again until I'm ready to re-install Win7 on that SSD, which I won't do until after the only reason I'm using it now (to run Skyrim, because DirectX9 has a 4GB limit for VRAM usage in Windows 8 and later).

I'm baffled as to what happened to make Secure Boot go nuts, though, and what I could possibly do to find out what Secure Boot has a problem with. As I read through various Google searches, I get the impression that the question is more like "why was Secure Boot working with Windows 7 at all?"

To be clear on one point: through all this, the Windows 10 install had no issues and worked fine with Secure Boot on.
 
I'm not sure of your reasoning regarding skyrim, 32-bit DX9 apps/games are limited to 4GBs of VRAM regardless of OS afaik. Also there is a memory mod, that will allow skyrim to use more than that with a modified DX9 .dll, might want to look for that. As far as SecureBoot itself, can't offer much but I would run a malware/rootkit scan just in case. Edit: I'm also pretty sure SecureBoot is Win 8+ only, but if it does work with Win 7 somehow, maybe you just need to re-install the key because maybe one of the updates changed the boot code or whatever it checks. Should be an option like 'install default key' or something in the bios. (I'm assuming Windows loads a new key into the bios when necessary, to be honest I'm not intimately familiar with SecureBoot so this could be completely wrong.)
 
Last edited:
I'm dual booting Windows 10 on one SSD and Windows 7 on the other SSD; motherboard is the ASUS Sabertooth Z170. Secure Boot suddenly stopped working for Windows 7 but not for Windows 10.

Today, on the Windows 7 install, a few updates came through on Windows Update: KB3138901, KB3139923, KB3137061, KB3133977, none of which seem to have anything particularly to do with Secure Boot. After installing them, I rebooted, and it booted up fine.
Almost the same happened to me yesterday with Asus Z97I-PLUS. After installing those four updates, the following reboot went fine. But after turning the PC off for the night, next morning I got the red " secure boot violation - unauthorized changes " warning.

I used a Windows 7 DVD to boot and then used system restore to revert installing those KBs. I also went into Asus BIOS settings and I was able to change the Secure boot OS type from "Windows UEFI Mode" to "Other OS", effectively disabling the secure boot, I guess...
After that the system has worked normally and I have also re-installed those four KBs.

I have currently a single-boot system with Windows 7, but I have also tested Windows 8 at one point, and the PC has two HDDs with Windows boot logic on them. So something rather similar as your dual-boot system.

My guess about the culprit is KB3133977, which is about Bitlocker encryption (whole-disk secure encryption that also uses the TPM chip on the device, if present). I guess that the patch installation went somehow wrong and some signature that is checked with the Asus BIOS secure boot did not match any more. Having a multi-disk dual-boot type of thing may confuse either the KB installation, or BIOS's reaction to changing the boot files.

(The other three updates seem harmless and unrelated.)
 
Same issue here on Asus Rampage V Extreme motherboard. Installed the 4 optional fixes yesterday and rebooted with no problem. On subsequent boot the "Secure Boot Violation" red box error appeared. Only way to get beyond it was to clear Secure Boot settings and disable capability. Successfully System Restored to pre-fix environment but still can't enable Secure Boot feature without error. Same issue happened on another one of my PCs a couple of years ago which took Microsoft weeks to diagnose and fix with a subsequent fix.
 
I guess you're stuffed if you have one of the latest boxed Dell and the like systems that provide no capability to disable secure boot then - Further securing the fate of the PC platform...

It's becoming easier to install alternate operating systems and the like on a Mac of all things.
 
Thanks guys, sounds like one of the four KBs is the culprit after all then, and whatever happens until the next reboot (like my updating Steelseries Engine) is just a red herring. Three people in this thread having the same exact behavior makes it sound like we'll be seeing this in the news sooner or later. A lot of people are not going to be able to figure out how to disable Secure Boot.

devil22 said:
I'm not sure of your reasoning regarding skyrim, 32-bit DX9 apps/games are limited to 4GBs of VRAM regardless of OS afaik.

Skyrim does have that limitation in Windows 8.x and 10 when using ENBoost, but in Windows 7 it does not. It is a DX9 bug which Microsoft is aware of and has posted about but there's no way they're going to patch DX9 now. I'd rather not get into it in this thread, which discusses a bug that Microsoft hopefully will fix.
 
Relevant thread on Microsoft Technet. Exact same symptoms, blamed on KB3133977 Bitlocker patch. An interesting comment was "How do you manage to get this error? Windows 7 does not work with Secure Boot. Never has as far as I know." which reflects my confusion when I was trying to research this issue. I keep finding comments to the effect that "Windows 7 doesn't support Secure Boot".
 
Hm, I just noticed that the three cases here and the one in the Technet thread all have ASUS motherboards - two Z97, one X99 and one Z170. Perhaps it's an ASUS BIOS bug triggered by one of the Windows updates, or maybe it's just a symptom of ASUS being really popular.
 
Thanks guys, sounds like one of the four KBs is the culprit after all then, and whatever happens until the next reboot (like my updating Steelseries Engine) is just a red herring. Three people in this thread having the same exact behavior makes it sound like we'll be seeing this in the news sooner or later. A lot of people are not going to be able to figure out how to disable Secure Boot.



Skyrim does have that limitation in Windows 8.x and 10 when using ENBoost, but in Windows 7 it does not. It is a DX9 bug which Microsoft is aware of and has posted about but there's no way they're going to patch DX9 now. I'd rather not get into it in this thread, which discusses a bug that Microsoft hopefully will fix.

That bug report is concerning an issue with x64 apps. Skyrim is 32-bit. I've looked into this before and like I said a 32-bit game using DX9 can't use more than 4GBs, and that 4GBs has to include both VRAM + Regular RAM usage, and Win 7 vs. Win 8 has nothing to do with it.
Are there *Video* memory limitations for 32-bit processes? - Ars Technica OpenForum
 
Just a wild ass guess here, but Bitlocker has to be loaded before the OS in order to decrypt the drive for the bootloader. If Asus' SecureBoot implementation is working for Windows 7, then it could be hashing the bootcode to make sure it doesn't change. Updating Bitlocker might be changing something in the bootcode, which would change the hash that Asus' SecureBoot might be computing.
 
Is it the windows 10 boot loader(bootmgr) complaining about unable to launch windows7? Would it be possible for you to post the screen image where you are seeing this violation?
 
Is it the windows 10 boot loader(bootmgr) complaining about unable to launch windows7? Would it be possible for you to post the screen image where you are seeing this violation?

I'm not using the Win10 boot loader at all. I use the BIOS to choose which SSD is the boot drive. For now, since I'm on a stint of playing Skyrim, I have it set to boot up the Win7 SSD by default, and if I need to run Win10 I'll F8 during bootup and choose the Win10 SSD using the BIOS boot menu. I tried using the Win10 bootloader, but with that I have to make a choice every time I boot up and that's an unnecessary delay when I'm mostly using one or the other, so I turned off the bootloader.
 
Probably that explains the issue. If Windows 10 bootloader is used, you may not see the issue since bootloader of Windows 10 is trusted by BIOS's Secureboot. Since Windows 7 does not support Secureboot, I am not sure ASUS BIOS is doing the right thing by blocking this bootmgr. Is it possible to validate what happens if you use windows 10 bootloader?
 
I re-installed windows 7 on my computer yesterday and i got the exakt same problem as you guys after installing all the windows updates, and after i reboot the computer i get a red sign up were it stand that boot secure violation. I got a ASUS Z97-A motherboard.
 
Secure Boot didnt "suddenly" stop working in obsolete Windows 7. Obsolete Windows 7 has never supported Secure Boot.

ASUS must have screwed something if Secure Boot became enabled. Turn it off in UEFI if you insist on running an outdated OS.
 
Never had problem with this before. First time ive ever had this problem. And it came after the four windows updates.
 
I suffered the same fate in exactly the same way as many of you good people. I run Windows 7 on a Gryphon Z87 which has been performing admirably for years until "Update for Windows 7 for x64-based Systems (KB3133977)" was installed and then ASUS Secure Boot refused to allow the OS to load. I strongly suspect this is another ploy by Microsoft to scaremonger users into upgrading to Windows 10 because it smells of a rat. Either that or the techie responsible for releasing these optional updates needs firing!

Thank you all for your help and advice on this issue. I joined this forum just to say thanks. <3
 
I suffered the same fate in exactly the same way as many of you good people. I run Windows 7 on a Gryphon Z87 which has been performing admirably for years until "Update for Windows 7 for x64-based Systems (KB3133977)" was installed and then ASUS Secure Boot refused to allow the OS to load. I strongly suspect this is another ploy by Microsoft to scaremonger users into upgrading to Windows 10 because it smells of a rat. Either that or the techie responsible for releasing these optional updates needs firing!

Thank you all for your help and advice on this issue. I joined this forum just to say thanks. <3

Windows 7 does not support Secureboot. ASUS BIOS seems to be blocking the windows 7 here as this update carries win7 bootmgr. I would advice to turn off Secureboot to bring your system to working state again as Windows 7 does not support with Secureboot.
 
Last edited:
I suffered the same fate in exactly the same way as many of you good people. I run Windows 7 on a Gryphon Z87 which has been performing admirably for years until "Update for Windows 7 for x64-based Systems (KB3133977)" was installed and then ASUS Secure Boot refused to allow the OS to load. I strongly suspect this is another ploy by Microsoft to scaremonger users into upgrading to Windows 10 because it smells of a rat. Either that or the techie responsible for releasing these optional updates needs firing!

Thank you all for your help and advice on this issue. I joined this forum just to say thanks. <3

This has nothing to do with MS trying to push W10 on everyone. It has to do with ASUS pushing a non-standard secure boot implementation.

The update you mention is a fix for a bitlocker bug. It modifies the following files (among others):
Bootmgfw.efi
Bootmgr.efi

Those two files contain the UEFI boot loader for Windows. Them being changed is what's tripping up ASUS' non-standard secure-boot implementation. If ASUS had followed the Secure Boot standard, you wouldn't have ever been able to boot Windows 7 with it enabled.
 
If ASUS had followed the Secure Boot standard, you wouldn't have ever been able to boot Windows 7 with it enabled.

Yeah but the default reaction is to "strongly suspect" Microsoft of some shady underhanded trick to "scare" people into installing Windows 10 rather than to actually learn how your PC and Operating System function.
 
Microsoft just switched KB3133977 from "Optional" to "Recommended", so there's going to be a lot more people experiencing this issue. ASUS has issued a FAQ with a solution that is simpler than the one I was using. And I got a mention in an InfoWorld article.

I guess I better post about this in the Motherboards forum. Edit: and sure enough, already there was someone in the Intel Mobos forum who had run into this problem.
 
Last edited:
Back
Top