Can't enable secure boot

Question

Can't enable secure boot. It gives me an error "secure boot violation invalid signature detected". With secure boot disabled windows starts without any problems but when i'm trying to enable secure boot it gives me an error. is there any way to fix it or secure boot is dead for good?

Answer 1

Here is how i fixed it.

1. Go to C:\Windows\Boot\EFI and find the file named SecureBootRecovery.efi
2. Get a USB stick and format it to FAT32
3. on USB stick create folder EFI inside of EFI create folder BOOT folders must be in upper case!
4. put SecureBootRecovery.efi inside BOOT folder and rename it to bootx64.efi
5. Boot the computer from usb stick and wait. you will see message something like "Microsoft Secure Boot Recovery Version 1.0 ... System will reboot in 10 seconds"
6. after computer will restart automatically, let it boot in to windows
7. restart computer, go to bios and enable secure boot

And that fixed my problem. Secure boot is working and error is gone.

Answer 2

Hi Vladimir Uvarov,

Welcome to the Microsoft Q&A forum. Thank you for sharing the details.

The error message you're seeing usually means your system is working as designed, but Secure Boot cannot verify the current boot signature. This typically happens when the firmware (UEFI) does not have the correct Secure Boot keys or when the boot configuration does not fully match Secure Boot requirements.

Here are some possible checking steps that you can follow to reinstall the default Secure Boot keys:

1, Restart the device and enter BIOS / UEFI setup (press a key like F1, F2, F12, or Esc during boot)

2, Confirm:

• Boot Mode = UEFI
• CSM / Legacy Mode = Disabled

3, Go to Secure Boot settings

• Set Secure Boot Mode = Standard (not Custom)
• Select Install Default Secure Boot Keys / Load Factory Keys

4, Save changes and restart

If the issue persists, please verify that Windows is installed in UEFI mode

• Press Win + R, type msinfo32 then press Enter
• Check BIOS Mode > must show UEFI

If it shows Legacy, Secure Boot cannot be enabled without converting or reinstalling Windows.

Let me know if you need further assistance, feel free to ask me by clicking "Add Comment" or "Add Answer" if you cannot add comment so your response will be visible. Thanks for your effort.

---

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

The error "secure boot violation invalid signature detected" typically indicates that there are incompatible drivers or hardware that are preventing Secure Boot from being enabled. Here are some steps you can take to potentially resolve this issue:

1. Uninstall Incompatible Hardware: Remove any graphics cards or hardware that are not compatible with Secure Boot.
2. Check BIOS Settings: Access your PC's BIOS menu (usually by pressing a key like F1, F2, F12, or Esc during boot) and ensure that Secure Boot is set to Enabled. If there is an option for Custom, you may need to load the Secure Boot keys that are built into the PC.
3. Reset BIOS to Factory Settings: If you cannot enable Secure Boot, consider resetting the BIOS to its factory settings, which may help clear any conflicting settings.
4. Update Firmware: Ensure that your system firmware (BIOS) is up to date, as updates can resolve compatibility issues.
5. Contact Manufacturer Support: If the above steps do not work, it may be beneficial to contact your PC manufacturer for assistance, as they may have specific solutions for your hardware.

If you continue to experience issues, it may be necessary to keep Secure Boot disabled until a solution is found, as some systems may have inherent compatibility problems.

---

References:

• Disabling Secure Boot
• Secure Boot Security Feature Bypass Vulnerability - CVE-2016-3287
• Microsoft Security Bulletin MS16-100 - Important
• Microsoft Security Bulletin MS15-111 - Important
• How to test preproduction drivers with Secure Boot enabled