fnav77

Secure Boot violation after Windows upgrades


Hi folks,

Just to share what happened to me recently...

Last week, I innocently installed the last batch of routine Windows 7 updates... Never again! On restarting the computer, I had a secure boot violation message and Windows would not start again. The message was then taking me to the BIOS/UEFI page of my ASUS motherboard.

After some research online, I found out that a boot violation is a known problem. The motherboard basically stops the OS from starting if it does not recognise all the elements on the computer.

To get rid of it, and therefore allow Windows 7 to start, you need to disable Secure Boot in your motherboard BIOS/UEFI.

First hurdle: on my ASUS motherboard, there is no way to just disable secure boot. You either have to save the secure boot keys on a USB and then delete one part of them, or just delete/clear them altogether.

Anyway, I deleted all the keys and disabled secure boot. Windows 7 came back to life straight away.

What's following is even more disturbing.... After more research on the topic, I found all sorts of stories on Windows 7 updates.... I will spare you the details! One of these updates would not uninstall and would always come back....

Anyway, I somehow cleared all the updates which I suspected caused the Secure Boot violation, then proceeded to install the boot keys again to re-enable secure boot. To no avail. After more research, I found out that these updates had probably changed something in the boot manager and the keys were not valid anymore.... Also, Windows 7 was never supposed to be secure boot enabled, but the motherboard manufacturer somehow managed to make it compatible. Go figure out, this is way beyond me...!

By now, after reading all this, you are probably realising this stuff is not for the common computer user... this is fairly advanced stuff!

Anyway, I am giving up, I will not re-enable secure boot. I don't want to end up messing my PC and be unable to use FSX.

One big lesson.... never install Windows 7 updates! As they say, if it ain't broke, don't fix it!


I see that he doesn't recommend installing updates at the moment, but I don't see a solution.


> One big lesson.... never install Windows 7 updates! As they say, if it ain't broke, don't fix it!

well... having unpatched security vulnerabilities is technically also 'broke'.

so is using UEFI secure boot with an OS like win7 that doesn't support it.

i'd keep your machine off the internet if you are genuinely concerned about security and don't want to keep it patched. although, you will probably be safe enough if you run script and adblocking and regular virus/malware scans.

cheers

-andy crosby


This is what I don't understand, secure boot enabled with Windows 7..... if Windows 7 is not compatible, how could the motherboard be set that way? This is way beyond me.

I will keep the computer patched, probably, but I will be more cautious with the updates I install as some of them seem utterly useless, if not dodgy.

I am concerned about security, of course, and try to protect my computer, but some of these updates seem to bring more problems than benefits. I don't know what to do, anymore....bit of a catch 22 situation.


> This is what I don't understand, secure boot enabled with Windows 7..... if Windows 7 is not compatible, how could the motherboard be set that way? This is way beyond me.
>
> I will keep the computer patched, probably, but I will be more cautious with the updates I install as some of them seem utterly useless, if not dodgy.
>
> I am concerned about security, of course, and try to protect my computer, but some of these updates seem to bring more problems than benefits. I don't know what to do, anymore....bit of a catch 22 situation.

well, it was probably set that way as a default.. it could be that the manufacturer assumed that nobody would be using anything older than win8 with it... in most cases it probably doesn't matter... but as you discovered, there is an exception to everything..

personally i think that type of feature (i think it is designed mainly to prevent certain types of rootkits from subverting the bootloader) is an interesting defense.. but most desktop users are much more likely to fall prey to much simpler email or browser-related attacks since that's a much softer target.. why bother trying to bypass a secure hardware defense when half the pcs out there still have unpatched flash vulnerabilities?.. that crypto-malware that hit a few hospitals in the news recently was from the old standby of somebody clicking a bogus email attachment with a macro'd office document... in the end being vigilant is still the best defense..

you are right about the catch 22 hahaha.. look at it this way though, microsoft for the most part isn't actively trying to mess up or hijack your system, as much as it might seem like it.. and yeah, i know that seems even more dubious lately with their aggressive desire to migrate everybody to win10.. in the end i would much rather have an occasional popup message about win10 than find out an undetected keylogger grabbed my paypal or bank password after sneaking in through a vulnerability that is already fixed..

cheers

-andy crosby
