Secure Boot not enabled in new MiniPC - Win 11 setup without Secure Boot

(please ignore some URL's here copied pointing to mastodon tags accidentally)

Working on the project of setting up a new minipc device.
Story, here: ajaxStardust (@ajaxStardust@vivaldi.net)

Secureboot is/was not enabled when my new miniPC powered on the first time and setup Windows11 .
That device details are shown in this Speccy report

It didn't occur to me to check it until I experienced something I'd never seen before.
See here please:
Win11 > Security > Virus & Threat > Ransomware > Allow Picard - #3 by stanley.tweedle - MusicBrainz Picard - MetaBrainz Community Discourse

I tried enabling the secure boot (referenced this guide), but I get an error about the device not matching (e.g. not unlike you've got a Linux O/S w/ secure boot disabled to boot correctly, and forget to re-enable secure boot when you switch over to Windows).

As we know, Win 11 doesn't allow itself to be installed on a system without secure boot equipped. It only has to be equipped, not enabled. #BIOS
#Ransomware #protection #Security #windowsdefender
Seems like the manufacturer would ship it in such a way as to not deal with that issue.

What to do in this situation? Seems to me it would probably be a LOT easier to just start over. I'm upset about that, but I'm pretty sure I'd rather do that-- ANYTHING that I know will correct it with 100% (okay 99.9%) confidence that it's going to be the correct option. I really can't spend more time on this. I'm not interested in learning how to "fix" it, if I can just start over.

FTR: I haven't consulted their network yet (manufactured by Trycoo), as I'll most likely get some feedback here sooner.
But that's where I'm headed now.

Take a look at this Microsoft article:


Note that this article deals with a specific issue (BlackLotus UEFI Bootkit) but what we are after is a specific portion of that article. Scoll way down near the bottom to the section called "Recovery procedure". That section discusses some of the things to try to reset the keys for Secure Boot. As an example, on the desktop that I am in front of right now, after I disable Secure Boot, before I can re-enable it again, I first have to clear the keys and reset them to defaults.

BTW, you are lucky with your Mini PC. I have roughly 7 mini PCs. They are all Intel 11th gen or newer. Of those machines, 5 of them act like they support Secure Boot but there is no way to actually enable it in the BIOS. Only 2 of those systems actually allow me to enable Secure Boot.

Or simply bypass hardware compatibility check and install Windows 11 without Secure Boot, or even without TPM 2.0 or UEFI. See the relevant threads. The easiest way to do it is to download the ISO from Microsoft or elsewhere and then use Rufus to create the USB flash drive with Windows 11 setup. Once Rufus detects the ISO is Windows 11, you will be prompted if you want to bypass compatibility checks. You can safely select all options (CPU, RAM, UEFI, TMP, Secure Boot). With that USB you can install Windows 11 on any 64-bit system. Make sure to select GPT (UEFI) if you have a modern system with UEFI firmware, or MBR (CSM) if you have an older system with a BIOS.

@spapakons There may be confusion here? The system IS installed without secure boot. I'm not pleased about that-- if it's an added layer of security that I could otherwise have enabled. The system seems to function fine, but I am encountering little things here and there which I'm of course even subliminally attributing to the secure boot being disabled.

@hsehestedt sounds like you're picking up what i'm laying down! I'll ref that article right away. As for the #miniPC I'm 99.99% sure I've been able to set the secure boot option in the #Beelink #U59 I used previously as well. don't know I've ever seen one that didn't allow that mod. (more about my experience with beelink minipc here)

Should I resolve that I basically shouldn't worry about it?
E.g. Stuff like winget

I'm afraind I'm going to keep getting unexpected errors constantly. So, seeking the resolve of resetting the system, or the "keys" as @hsehestedt advises.

THank you!

EDIT:
I said i followed this guide. I'm confused now. Because I don't think I did follow that specific guide, but something else here to check if it's enabled (without going back out into the BIOS). I'm just getting back to this after a couple of days out of town. forgive me.

Entering the command,
returns:

That's got 'er.



However, from the tutorial about updating keys here, running the following command as admin powershell:


Is this a concern?
and how to fix?

ajaxStardust said:

However, from the tutorial about updating keys here, running the following command as admin powershell:

Code:

PS C:\Users\someguy> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
False
PS C:\Users\someguy>

Click to expand...

Follow the steps in the article below to Install the updated certificate definitions to the DB. That's the first part of the mitigation.

Thank you!

Currently here getting drivers for the Trycoo n100 WI-6
:)

Be careful with Secure Boot as it could affect how Windows load and get it unable to boot. You may need to reinstall Windows 11 if you enable it.

spapakons said:

Be careful with Secure Boot as it could affect how Windows load and get it unable to boot. You may need to reinstall Windows 11 if you enable it.

Click to expand...

Or just disable Secure Boot again. Somewhat simpler.

If he wants it enabled (I see no reason for that), he might have to reinstall Windows 11 if it doesn't boot with Secure Boot enabled, or at least Repair Startup from the Troubleshooting screen.

I have enabled and disabled secure boot in UEFI bios numerous times and had no problems booting windows whether SB is enabled or disabled.

Back in the day SB meant SoundBlaster. Today means Secure Boot. Technology progressed... :)