Update:
I'm leaving the original post in case there are some insights.
I had previously read that Windows 11 only requires Secure Boot-capable, but based on my experience, I was thinking there might be a setting that made Secure Boot required.
Some responses on another post made me consider that perhaps something OEM-related was causing the behavior I've experienced, where this laptop previously would only boot if Secure Boot was enabled.
So I guess the question is, is anyone aware of a setting that makes Secure Boot required?
Original:
I have an installation of Windows 11 24H2 that does not care whether Secure Boot is enabled or disabled.
My preference is for Windows 11 24H2 to only boot if Secure Boot is enabled.
This system was previously configured as an OEM install and originally required Secure Boot be enabled in order to successfully boot.
The original NVMe failed in April 2025.
I did a clean install of Windows 11 24H2, but noticed afterward that the system was booting with Secure Boot disabled.
I tried a few steps including Factory Resetting the keys in UEFI/BIOS. That allowed it to go back into User Mode so I can now Enable Secure Boot, but Windows 11 24H2 will still boot if Secure Boot is disabled.
As some background:
I occasionally disable Secure Boot to boot to a Kali Linux Live USB. Before the OEM NVMe died, Windows 11 would not boot if I forgot to set Secure Boot back to enabled.
Also, I had previously completed the steps for KB50225885 / CVE-2023-24932 as detailed here: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
These steps added the “Windows UEFI CA 2023” certificate to the UEFI “Secure Boot Signature Database” and revoked the “Windows Production CA 2011” certificate, causing all boot managers signed by this certificate to no longer be trusted.
I completed these steps in Sept. 2024, and the system worked for 7 months without issue.
I completed all steps from KB50225885 again recently after I did the reinstall and noticed Secure Boot was not being enforced.
I do not think these steps impacted the situation other than seeing that Windows Production CA 2011 was back from revocation after doing the reinstall.
Any suggestions or references for enforcing secure boot are appreciated.
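
The state described in the post (Secure Boot on or off, User Mode versus Setup Mode, and whether the 2023 CA is trusted and the 2011 CA revoked) can be read back from the firmware variables. This is an added example, not part of the original post: the function names are hypothetical, the cmdlets are the ones in the Windows SecureBoot module, and it assumes an elevated PowerShell session on a UEFI system.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): report the Secure Boot state
# the post describes. Read-only; it changes no firmware variable.

function Test-UefiVarContains {
    # Hypothetical helper: is $Text present in the raw bytes of a UEFI variable?
    param([string]$Name, [string]$Text)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null   # variable missing, not readable, or not a UEFI system
    }
    if (-not $bytes) { return $false }
    # Certificate subject names are stored as plain text inside the DER blob.
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Text)
}

function Get-SecureBootReport {
    # $true / $false on UEFI systems; the cmdlet throws on legacy BIOS.
    try { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $enabled = $null }

    # SetupMode = 1 means no Platform Key is enrolled (keys cleared);
    # 0 is the User Mode the post mentions after the factory key reset.
    $setupMode = $null
    try {
        $setupMode = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0] -eq 1
    } catch { }

    # The post's "Windows Production CA 2011" carries the subject name
    # "Microsoft Windows Production PCA 2011" in the certificate itself.
    $pca2011 = 'Microsoft Windows Production PCA 2011'

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        SetupMode         = $setupMode
        Ca2023InDb        = Test-UefiVarContains -Name db  -Text 'Windows UEFI CA 2023'
        Pca2011InDb       = Test-UefiVarContains -Name db  -Text $pca2011
        Pca2011InDbx      = Test-UefiVarContains -Name dbx -Text $pca2011
    }
}

Get-SecureBootReport | Format-List
```

`Pca2011InDbx` reading `False` after a key reset matches the observation above that the 2011 certificate was "back from revocation"; a `$null` field means the variable could not be read.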