Secure Boot Violation

Question

It says invalid signature detected. If this error persists, seek technical assistance. It won't let me reboot anything.

Answer 1

Hi! You can try to force the device into the Windows Recovery Environment (WinRE) and run Startup Repair. Hold the power button until it shuts down; repeating this interruption 3 times should make Windows enter Automatic Repair/WinRE on the third startup. From there, go to Troubleshoot > Advanced options > Startup Repair and let Windows scan for and repair startup problems automatically. This can fix damaged startup files, corrupted boot configuration data, incompatible drivers, and similar boot issues. If BitLocker is enabled, the user may be prompted for the recovery key.

If WinRE does not appear on its own, the other path is to use a Windows installation USB or recovery drive created from another working PC, boot the affected computer from that media, and select Repair my PC to access the same recovery tools without going straight to reinstalling Windows.

https://support.microsoft.com/en-us/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d

Answer 2

It won't turn off or reboot

Answer 3

Use the firmware (BIOS/UEFI) menus to clear the error and restore a valid Secure Boot configuration.

1. Turn the PC completely off.
2. Enter the UEFI/BIOS setup:
   • Power on and immediately press the manufacturer key repeatedly (often F1, F2, F10, F12, Esc, or Del),
   • Or from Windows (if you can still reach it): hold Shift while selecting Restart, then go to Troubleshoot > Advanced options > UEFI Firmware Settings.
3. In the firmware menus, locate Secure Boot (commonly under Security, Boot, or Authentication):
   • If Secure Boot is currently On and you get “Secure Boot Violation – Invalid signature detected” on every boot, first try disabling Secure Boot, save and reboot. If Windows then starts, the issue is with a boot component signature.
   • If you want Secure Boot enabled again, go back into UEFI and:
     • Ensure the Secure Boot keys/certificates are loaded or reset to factory defaults (often an option like Reset to factory keys or Install default Secure Boot keys).
     • Then set Secure Boot to Enabled and save.
4. If the PC still will not boot with Secure Boot enabled, leave Secure Boot disabled so the system can start, then seek device‑manufacturer support. Some devices require a firmware update or a specific recovery process when signatures or keys are out of sync.

If this error appeared after applying Secure Boot–related mitigations or changes and the device no longer boots at all, use this recovery pattern:

1. Turn off Secure Boot in UEFI.
2. If available, reset Secure Boot keys to factory defaults (use Reset, not Clear, if both exist).
3. Try to boot Windows. If it boots, repair the EFI boot files from an elevated command prompt using:

      mountvol s: /s
      del s:\*.*/f /s /q
      bcdboot %systemroot% /s S:
   

   Then re‑enable Secure Boot in UEFI.
4. If Windows still cannot start, reinstall Windows from recovery media, then re‑enable Secure Boot.

On Surface devices, a red bar with an unlocked lock icon means Secure Boot is off. Use the Surface UEFI (hold Volume Up while pressing Power) to:

1. Go to Security.
2. Under Secure Boot, choose Change configuration.
3. Select a certificate keyset such as Microsoft only.
4. Exit and restart to apply.

If none of these steps allow the device to boot with Secure Boot enabled, contact the PC or motherboard manufacturer for model‑specific Secure Boot recovery or firmware updates.

---

References:

• Secure boot
• Disabling Secure Boot
• How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
• TPM lockout occurs unexpectedly in Windows 8.1 or Windows RT 8.1
• Surface turns on but shows a red bar and an unlocked lock icon
• Secure the Windows boot process
• Can't enable secure boot - Microsoft Q&A
• Secure boot state is still off tried alot of things - Microsoft Q&A