PDA

View Full Version : Windows 10 Refuses to boot while enabling Secure Boot*



httuner
09-10-2016, 08:47 PM
My laptop worked fine last night, booted up no troubles.

This morning I go turn it on and all I see is the Asus Logo upon bootup. I waited and windows never booted up. Turned laptop off again and rebooted still the same problem.

I booted up again pressing F2 and got into BIOS, I looked around loaded default settings and rebooted; same problem.

Booted back into BIOS and I disable Secure Boot; and what do you know? It booted up just fine into Windows;

So my question is why did this happen all a sudden? It worked fine before with no hiccups now enabling secure boot does not boot to windows; only disabling it will boot.

Any ideas?

JustinThyme
09-10-2016, 11:38 PM
Ive not seen it just crap out by itself. Two things Ive know to cause this and it was just out of nowhere. Drivers updates to SSDs, windows updates, or corrupted/deleted UEFI partition.

httuner
09-11-2016, 12:07 AM
I can't seem to fix it, I tried to go back and maybe use a windows 10 installation USB stick to try to repair the bootup but now laptop won't even detect my USB drive which Windows 10 OS on it.

Only if I disable secure boot and disabling fast boot will it detect the USB stick. hmm its completely odd that this happened.

Clintlgm
09-13-2016, 03:54 AM
Secure boot requires 64 bit installation and UEFI installation. Sounds like some how your windows install got converted to MBR?

Gps3dx
09-13-2016, 01:08 PM
Secure boot requires 64 bit installation and UEFI installation. Sounds like some how your windows install got converted to MBR?
you're correct for the general case.
But for @httuner case... secure boot isn't required to boot windows 8/10 or prior, even if win was installed using UEFI method/boot or even if he managed to boot windows with secure boot few weeks ago.


I can't seem to fix it, I tried to go back and maybe use a windows 10 installation USB stick to try to repair the bootup but now laptop won't even detect my USB drive which Windows 10 OS on it.

Only if I disable secure boot and disabling fast boot will it detect the USB stick. hmm its completely odd that this happened.
That's the normal way ROG laptop's "BIOS" works ( in reality it's UEFI that contains the ability to "mimic LEGACY BIOS". ).
( what is your model ?)

My suggestion is whatever boot method you choose disable "secure boot".
( I suggest UEFI( i.e CSM OFF+GPT formatted drive and NOT Legacy BIOS ( CSM enabled+MBR formatted drive )
"secure boot" does offers few security enhancement.... but in real world... if you got a good A/V ( I suggest the free Comodo FOR A REASON (http://www.matousec.com/projects/proactive-security-challenge-64/results.php)) there isn't any need for using "secure boot"... I mean... who and what virus will hack&hijack your bootloader or inject a malicious code directly to your CPU prior to any OS boot ? what are the chances ? IMHO - ZERO.... you're not some 007 high-ranking officer with state secrets or CEO of coca-cola that got the recipe on his drivers ( and it's actually in a highly secured vault underground, written on paper ).
I never encountered any issue with working with disabled "secure boot", ever since my retired G55VW 5 years ago.

so... my suggests in short:

disable secure boot
toggle CSM option in BIOS according to your HDD/SSD state it's on: MBR = CSM enabled, GPT = CSM disabled.
* you can check the state of the HDD ( i.e how it was formatted ) by booting windows installation disk/usb, -> going into "repair this computer" -> opening CMD -> write "diskpart" then press enter-key-> wait for it to load, then write "list disk" -> see if your HDD/SSD got a "*" under the GPT column... if it exist your HDD/SSD is using the GPT layout.
boot windows installation disk as you should.
if you're on GPT, press ESC during POST ( i.e just after powering on the computer ), load the "boot selection screen" and choose "UEFI: xxxxxxx" where x is the name of the windows installation disk )
if you're on MBR, then boot it WITHOUT the "uefi:" prefix -> try to fix your bootloader ( i.e boot issues )
check my sticky thread about windows installation for guide how to fix your bootloader ( it's in the part where I guide how to copy/transfer windows from one HDD to another )
please report back your finding.

httuner
09-15-2016, 05:23 PM
Here's the strange part;

So I ended up doing a fresh windows 10 install with Secure boot off_ because I thought after I finish the install I could just re-enable secure boot and cross my fingers! Turns out I still couldn't boot with secure boot enabled.

I could not for the life of me boot anything UEFI- not even the UEFI bootable USB stick made with RUFUS and windows 10 iso on it; nor the windows 10 usb stick made with the windows 10 usb software.

I had to disable secure boot to boot anything; Funny thing is; I didn't have to enable CSM; Enabling and disabling it made no difference for me. Secure boot just wasn't able to boot nothing; I figure it had to do something with my Secure boot keys but I didn't want to mess with that because my BIOS wouldn't allow me to save the keys because I thought about deleting them to test something out.

I thought my BIOS was corrupted? lol so I reflashed a clean BIOS image; turns out that wasn't my problem either. Anyhow I went ahead and did a clean install of windows 10 with secure boot off;

I gave up on the situation and left it alone for a day or 2; On Tuesday the 13th I ended up getting the HIGH CPU usage due to ACPI.sys drivers; I tried my usual fixes, re-install ATK packaging, disabling drivers here and there and everything I could find on google; nothing worked for me; I got pissed off, I could deal with not being able to use secure boot but I couldn't deal with the high CPU usage while the laptop idle; I decided to go into BIOS and turn on Secure Boot one final time; Laptop refused to boot; Went back into BIOS and turned Secure boot back OFF; I started to mess with boot options; I went to Add new boot options and just played around; I found a directory that lead me to a file called BOOT64.efi_ I decided to add that as a boot option.

Pressed F10 and saved; Turned off laptop; turned back on with ESC pressed; Scrolled to my new Boot option and it booted into Windows 10; HIGH CPU Usage due to ACPI.sys is GONE! Woot! I was shocked that booting with Boot64.efi fixed my ACPI high cpu usage issue, anyways I was happy.

I decided to go into BIOS and enable Secure BOOT and tried to Boot with my new Boot option; BAM! What do you know!!! IT BOOTS! Woot Woot!

Anyways my first Boot option is Master Boot Record / Second Boot Option is the boot64.EFI setup that I setup messing around with add a boot option. Now it boots using the first option with Secure boot enabled, troubled free. It was just so strange.

Yes all my drives are formatted GPT.

Now my laptop boots fine with the MBR and Secure boot enabled. All my problems are fixed.

I don't know what to tell you guys; it was a strange bug that somehow corrected itself when I added the new Boot option? I may never know

Gps3dx
09-15-2016, 07:13 PM
Now my laptop boots fine with the MBR and Secure boot enabled. All my problems are fixed.

I don't know what to tell you guys; it was a strange bug that somehow corrected itself when I added the new Boot option? I may never know

latest ROG laptops comes with UEFI as the primary and only "basic out/input system"...
LEGACY BIOS, is only an EMULATION of the "old BIOS", i.e it's a sub-system/feature of the existed UEFI firmware in ROG laptops.
Although you're using CSM option in its enabled state ( i.e legacy bios emulation enabled ) you can still boot UEFI:xxxxxxx drives( it's actually the bootloader on these drivers ) which formated with the GPT layout.
that is why you can boot your "UEFI booted" windows.

now... the topic of "secure-boot" is really peculiar and my hope for the rest of us to understand it better from official Asus rep...
@cl-albert or any other official rep of Asus - can you please tell us consumers, for which features/activities does "Secure boot" ( in enabled state ) is required ?
is it just for "security" against malicious code inject to the CPU during post(or any other malicious job), and for Thunderbolt ( secure communication etc.. ?) ?
it is obvious that windows, even win10, can boot without it..... and I know also htat when enabled, it limits the use of 3rd party bootloaders like grub/burg/chameleon etc...

cl-Albert
09-16-2016, 10:50 PM
@Gps3dx, unfortunately, haven't delved more into the workings of secure boot and can't tell you much more about it, but heard it is just to 'protect' your boot-up into Windows as you kind of mentioned.

We may need to do more research or talk to more people to really try to understand it. Thanks.