Secure Boot not enabled in new MiniPC - Win 11 setup without Secure Boot

ajaxStardust · May 5, 2024

(please ignore some URL's here copied pointing to mastodon tags accidentally)

Working on the project of setting up a new minipc device.
Story, here: ajaxStardust (@ajaxStardust@vivaldi.net)

Secureboot is/was not enabled when my new miniPC powered on the first time and setup Windows11 .
That device details are shown in this Speccy report

It didn't occur to me to check it until I experienced something I'd never seen before.
See here please:
Win11 > Security > Virus & Threat > Ransomware > Allow Picard - #3 by stanley.tweedle - MusicBrainz Picard - MetaBrainz Community Discourse

I tried enabling the secure boot (referenced this guide), but I get an error about the device not matching (e.g. not unlike you've got a Linux O/S w/ secure boot disabled to boot correctly, and forget to re-enable secure boot when you switch over to Windows).

As we know, Win 11 doesn't allow itself to be installed on a system without secure boot equipped. It only has to be equipped, not enabled. #BIOS
#Ransomware #protection #Security #windowsdefender
Seems like the manufacturer would ship it in such a way as to not deal with that issue.

What to do in this situation? Seems to me it would probably be a LOT easier to just start over. I'm upset about that, but I'm pretty sure I'd rather do that-- ANYTHING that I know will correct it with 100% (okay 99.9%) confidence that it's going to be the correct option. I really can't spend more time on this. I'm not interested in learning how to "fix" it, if I can just start over.

FTR: I haven't consulted their network yet (manufactured by Trycoo), as I'll most likely get some feedback here sooner.
But that's where I'm headed now.

hsehestedt · May 6, 2024

Take a look at this Microsoft article:

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

Note that this article deals with a specific issue (BlackLotus UEFI Bootkit) but what we are after is a specific portion of that article. Scoll way down near the bottom to the section called "Recovery procedure". That section discusses some of the things to try to reset the keys for Secure Boot. As an example, on the desktop that I am in front of right now, after I disable Secure Boot, before I can re-enable it again, I first have to clear the keys and reset them to defaults.

BTW, you are lucky with your Mini PC. I have roughly 7 mini PCs. They are all Intel 11th gen or newer. Of those machines, 5 of them act like they support Secure Boot but there is no way to actually enable it in the BIOS. Only 2 of those systems actually allow me to enable Secure Boot.

spapakons · May 8, 2024

Or simply bypass hardware compatibility check and install Windows 11 without Secure Boot, or even without TPM 2.0 or UEFI. See the relevant threads. The easiest way to do it is to download the ISO from Microsoft or elsewhere and then use Rufus to create the USB flash drive with Windows 11 setup. Once Rufus detects the ISO is Windows 11, you will be prompted if you want to bypass compatibility checks. You can safely select all options (CPU, RAM, UEFI, TMP, Secure Boot). With that USB you can install Windows 11 on any 64-bit system. Make sure to select GPT (UEFI) if you have a modern system with UEFI firmware, or MBR (CSM) if you have an older system with a BIOS.

ajaxStardust · May 8, 2024

@spapakons There may be confusion here? The system IS installed without secure boot. I'm not pleased about that-- if it's an added layer of security that I could otherwise have enabled. The system seems to function fine, but I am encountering little things here and there which I'm of course even subliminally attributing to the secure boot being disabled.

@hsehestedt sounds like you're picking up what i'm laying down! I'll ref that article right away. As for the #miniPC I'm 99.99% sure I've been able to set the secure boot option in the #Beelink #U59 I used previously as well. don't know I've ever seen one that didn't allow that mod. (more about my experience with beelink minipc here)

Should I resolve that I basically shouldn't worry about it?
E.g. Stuff like winget

Code:

winget update
Failed when opening source(s); try the 'source reset' command if the problem persists.

I'm afraind I'm going to keep getting unexpected errors constantly. So, seeking the resolve of resetting the system, or the "keys" as @hsehestedt advises.

THank you!

EDIT:
I said i followed this guide. I'm confused now. Because I don't think I did follow that specific guide, but something else here to check if it's enabled (without going back out into the BIOS). I'm just getting back to this after a couple of days out of town. forgive me.

ajaxStardust · May 8, 2024

Entering the command,

Code:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

returns:

Code:

Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At line:1 char:42
+ ... System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) ...
+                                             ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-Secure
   BootUEFI], StatusException
    + FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand

ajaxStardust · May 8, 2024

That's got 'er.

However, from the tutorial about updating keys here, running the following command as admin powershell:

Code:

PS C:\Users\someguy> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
False
PS C:\Users\someguy>

Is this a concern?
and how to fix?

hsehestedt · May 8, 2024

ajaxStardust said:
However, from the tutorial about updating keys here, running the following command as admin powershell:

Code:

PS C:\Users\someguy> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023' False PS C:\Users\someguy>

Follow the steps in the article below to Install the updated certificate definitions to the DB. That's the first part of the mitigation.

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

ajaxStardust · May 8, 2024

Thank you!

Currently here getting drivers for the Trycoo n100 WI-6
:)

spapakons · May 8, 2024

Be careful with Secure Boot as it could affect how Windows load and get it unable to boot. You may need to reinstall Windows 11 if you enable it.

Anibor_11 · May 8, 2024

spapakons said:
Be careful with Secure Boot as it could affect how Windows load and get it unable to boot. You may need to reinstall Windows 11 if you enable it.

Or just disable Secure Boot again. Somewhat simpler.

spapakons · May 9, 2024

If he wants it enabled (I see no reason for that), he might have to reinstall Windows 11 if it doesn't boot with Secure Boot enabled, or at least Repair Startup from the Troubleshooting screen.

glasskuter · May 9, 2024

I have enabled and disabled secure boot in UEFI bios numerous times and had no problems booting windows whether SB is enabled or disabled.

spapakons · May 9, 2024

Back in the day SB meant SoundBlaster. Today means Secure Boot. Technology progressed... :)

Nathanelp · Aug 14, 2024

When you encounter issues with Secure Boot on a new MiniPC, especially in the context of setting up Windows 11. Since you're considering starting over, here are your options for a clean install that can ensure everything is properly set up.

If you have any important files on the MiniPC, back them up to an external drive or cloud storage. A clean install will erase all data on the drive.
Restart your MiniPC and enter the BIOS/UEFI settings. This is usually done by pressing a key like F2, Delete, or Esc immediately after powering on. Looking for the Boot Options or Security section in the BIOS menu.

jimbo45 · Aug 14, 2024

Nathanelp said:
When you encounter issues with Secure Boot on a new MiniPC, especially in the context of setting up Windows 11. Since you're considering starting over, here are your options for a clean install that can ensure everything is properly set up.

If you have any important files on the MiniPC, back them up to an external drive or cloud storage. A clean install will erase all data on the drive.
Restart your MiniPC and enter the BIOS/UEFI settings. This is usually done by pressing a key like F2, Delete, or Esc immediately after powering on. Looking for the Boot Options or Security section in the BIOS menu.

I disabled secure boot on an NIPOGI Mini PC -- zero problem installing W11.

Secure boot is a dog if you want to boot other OS'es such as Linux etc -- in any case since most of the current set of mini pc's originate from China I'm sure they've hobbled their versions of W11 that these things come pre-installed in -- I wiped and installed my own copy of W11.

Laptops etc with keys enabled --you will need to go into the computers firmware BIOS to clear those and maybe also clear the TPM - but installing and booting Windows 11 without secure boot doesn't currently seem to be a problem.

Cheers
jimbo

spapakons · Aug 14, 2024

My 3rd Generation Intel i7 (see 2nd system specs) supports UEFI mode and Secure Boot, but since the CPU is unsupported anyway, I did a Legacy BIOS (MBR) installation, without TPM, without UEFI, without Secure Boot. Zero issues so far.

hsehestedt · Aug 14, 2024

A lot of mini PCs are now shipping with no ability to turn on secure boot in the BIOS. They report to Windows as being capable of secure boot, but you cannot turn it on. Since Windows 11 only cares that the machine is capable of secure boot but it does not need to be turned on, Windows will install just fine.

Only reason that I can think of for this behavior is that secure boot requires a certificate and maybe they just don't want to pay for the cert.

spapakons · Aug 14, 2024

Probably so. I also have read posts that had issues dual booting with Linux if Secure Boot is enabled. On the other hand, if you want to dual boot with Mac OS (Hackintosh), most guides say to disable Legacy boot (CSM), set UEFI only boot and enable Secure Boot before you begin installation of Mac OS.

PS: For those systems that support Secure Boot but cannot be enabled in BIOS, isn't there any way to enable it from Windows? It should be, otherwise it doesn't make sense.

hsehestedt · Aug 14, 2024

spapakons said:
For those systems that support Secure Boot but cannot be enabled in BIOS, isn't there any way to enable it from Windows?

Nope. Cannot be enabled from Windows.

ajaxStardust · Aug 18, 2024

jimbo45 said:
they've hobbled their versions of W11 that these things come pre-installed in

that's a variable i hadn't considered in my processes.

i prob used an iso to USB flash drive from the horse's mouth (Microsoft)

memories: gone, into the ether.

Secure Boot not enabled in new MiniPC - Win 11 setup without Secure Boot

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

aka Mama Glass

My Computers

Well-known member

My Computers

New member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Similar threads