Bad shim signature on startup

Sriram Surya 20 Reputation points
2026-03-04T11:23:06.18+00:00

I used to have a Linux/Windows dual-boot setup, and it used to work perfectly fine. But yesterday, after a BIOS update, I cannot boot into Windows unless I have Secure Boot off. Every time after selecting Windows Boot Manager on the GNU GRUB screen, it just shows "bad shim signature". I have tried updating shim on Linux, removing Linux from my PC and switching to a single-boot setup, and reinstalling Windows. I need Secure Boot to work so that I can play some games that need it. I would appreciate any help on this.

Windows for home | Windows 11 | Performance and system failures

Answer accepted by question author
  1. Q&A Assist
    2026-03-04T11:23:25.28+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The issue is caused by Secure Boot rejecting the current bootloader/shim after recent changes (BIOS update, previous dual‑boot). There are two relevant, proven fixes in similar scenarios:

    1. Run Microsoft Secure Boot Recovery
      1. In Windows, go to C:\Windows\Boot\EFI and locate SecureBootRecovery.efi.
      2. Prepare a USB stick and format it as FAT32.
      3. On the USB stick, create the folder structure:
        • EFI
        • inside it, BOOT
        • both folder names must be UPPERCASE.
      4. Copy SecureBootRecovery.efi into EFI\BOOT on the USB.
      5. Rename SecureBootRecovery.efi on the USB to bootx64.efi.
      6. Boot the PC from this USB device.
      7. Wait for the message similar to: Microsoft Secure Boot Recovery Version 1.0 ... System will reboot in 10 seconds.
      8. Let the system reboot automatically and boot back into Windows.
      9. Restart again, enter BIOS/UEFI setup, and enable Secure Boot.
      After this recovery process, Secure Boot should accept the Windows bootloader again and the “bad shim signature” error should no longer appear.
    2. Ensure Secure Boot keys are installed in firmware
      A BIOS/UEFI update can clear or change Secure Boot keys. On many boards there is an option such as “Install default Secure Boot keys”, “Restore factory keys”, or similar. In BIOS/UEFI setup:
      1. Go to the Secure Boot section.
      2. Look for an option to install or restore factory/default Secure Boot keys (often under “Key Management” or similar) and apply it.
      3. Ensure Secure Boot mode is set to the Windows/UEFI mode recommended by the motherboard vendor.
      4. Save changes and reboot.

    If the problem started specifically after installing an August 2024 Windows security update and the system still has a Linux boot configuration, also ensure that the system is updated to the September 2024 (or later) cumulative update for the installed Windows version, because those updates remove SBAT settings that could block some Linux boot managers and interfere with dual‑boot scenarios.

    If Secure Boot errors persist after running Secure Boot Recovery and restoring keys, contact the motherboard or PC manufacturer, as the BIOS update might have introduced a firmware‑level Secure Boot issue.


0 additional answers
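
Steps 1 to 5 of the Secure Boot Recovery procedure in the accepted answer, written as a PowerShell script. This is an added example, not part of the original answer and not Microsoft's own tooling. It assumes the USB stick is already formatted as FAT32 and takes its drive letter as a parameter (the parameter name `UsbDriveLetter` is this example's own); the signature, filesystem, folder-case and hash checks go beyond what the answer lists.

```powershell
# Added example (not from the original answer): stage SecureBootRecovery.efi on a USB stick.
# Assumption: the stick is already formatted FAT32 and mounted; pass its drive letter.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$UsbDriveLetter
)
$ErrorActionPreference = 'Stop'

# Step 1: locate the recovery application in the Windows boot folder.
$source = Join-Path $env:SystemRoot 'Boot\EFI\SecureBootRecovery.efi'
if (-not (Test-Path -LiteralPath $source)) { throw "Not found: $source" }

# Check the Authenticode signature before making the file bootable.
$sig = Get-AuthenticodeSignature -LiteralPath $source
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status) for $source" }
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Step 2: the target volume must be FAT32.
$vol = Get-Volume -DriveLetter $UsbDriveLetter
if ($vol.FileSystem -ne 'FAT32') { throw "Volume is $($vol.FileSystem), expected FAT32" }
if ($vol.DriveType -ne 'Removable') { Write-Warning "Drive type is $($vol.DriveType), not Removable" }

# Step 3: create EFI\BOOT and confirm the on-disk names are uppercase.
$root = "${UsbDriveLetter}:\"
$bootDir = Join-Path $root 'EFI\BOOT'
New-Item -ItemType Directory -Path $bootDir -Force | Out-Null
$efi = Get-ChildItem -LiteralPath $root -Directory | Where-Object { $_.Name -ceq 'EFI' }
if (-not $efi) { throw "Folder on USB is not named exactly 'EFI' (uppercase)" }
$boot = Get-ChildItem -LiteralPath $efi.FullName -Directory | Where-Object { $_.Name -ceq 'BOOT' }
if (-not $boot) { throw "Folder on USB is not named exactly 'BOOT' (uppercase)" }

# Steps 4-5: copy the file under the name given in step 5.
$target = Join-Path $bootDir 'bootx64.efi'
Copy-Item -LiteralPath $source -Destination $target -Force

# Confirm the copy is byte-identical to the source.
$srcHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw "Hash mismatch after copy" }
Write-Host "Ready: $target (SHA256 $dstHash)"
```

After step 9, `Confirm-SecureBootUEFI` run from an elevated PowerShell prompt returns `True` when Secure Boot is enabled.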