Fixing Boot Error Loop Caused by Enabling Secure Boot

Question

I have enabled secure boot on my Legion Lenovo laptop running Windows 11 which leads to a boot error loop where the error message starts with "default boot device not found..." Clicking 'next' and selecting Windows Boot Manager as boot device leads me back to the error message.

Opening BIOS and disabling secure boot lets the laptop boot normally, but I want to enable secure boot.

I have also restored factory keys but this did not solve my issue.

For reference,

• BIOS is in UEFI

Secure Boot Mode is set to standard

Partition disks are in GPT

I have no other boot managers installed (only Windows Boot Manager)

Assistance would be greatly appreciated thanks!

Answer 1

Boot your system into BIOS, check to ensure Boot Mode is set to UEFI, not UEFI/Legacy and that CSM is disabled.

You indicate you have reset the keys in BOIS, did you reset the Secure Boot and TPM keys?

If you have performed all those steps, go to the support page for your system on the Lenovo website to check if there is any BIOS update available that may need to be installed.

It would be best to backup your files before making those changes.

Answer 2

The boot loop indicates Secure Boot is blocking the current Windows boot files or keys. Use the following sequence to repair the EFI boot files and then re‑enable Secure Boot.

1. Boot with Secure Boot disabled
   1. In BIOS, keep:
      • Boot mode: UEFI
      • Secure Boot: Disabled
   2. Save and exit, let Windows 11 boot normally.
2. Rebuild EFI boot files (from Windows)
   1. Sign in to Windows.
   2. Open an elevated Command Prompt (Run as administrator).
   3. Run these commands one by one:

            mountvol S: /S
            del S:\*.* /F /S /Q
            bcdboot %systemroot% /s S:
      

   4. Confirm that bcdboot reports Boot files successfully created.
   5. Restart Windows once more (still with Secure Boot disabled) to confirm it boots correctly from the rebuilt EFI files.
   These steps recreate the Windows Boot Manager and related EFI files in the system partition, which helps resolve issues where Secure Boot rejects existing boot files.
3. Ensure Secure Boot keys are at factory defaults
   1. Reboot and enter BIOS/UEFI setup.
   2. Locate Secure Boot settings.
   3. Use the option to Reset Secure Boot keys to factory defaults (or similar wording). If both Clear and Reset exist, use Reset (not Clear).
   4. Confirm and save.
4. Re‑enable Secure Boot
   1. Still in BIOS/UEFI, set:
      • Secure Boot: Enabled (or Standard mode)
   2. Save changes and exit.
   3. Let the system boot. With fresh EFI boot files and factory Secure Boot keys, Windows Boot Manager should now be accepted and the “default boot device not found” loop should be resolved.
5. If the system still fails to boot with Secure Boot enabled
   • Re‑enter BIOS and disable Secure Boot again so Windows can start.
   • At that point, either:
     • Repeat the EFI rebuild to ensure no errors occurred, or
     • As a last resort, perform a clean reinstall of Windows 11 in pure UEFI/GPT mode, then enable Secure Boot again after installation.
   • If problems persist even after reinstall, contact Lenovo support, as there may be a firmware‑specific Secure Boot issue on the Legion Slim 7.

Caution: Deleting files from the EFI system partition is safe when immediately followed by bcdboot as shown, but avoid modifying other partitions or files.

---

References:

• How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
• Disabling Secure Boot
• Windows devices for home users, businesses, and schools with Microsoft-managed updates
• Windows 11 and Secure Boot
• Can't enable secure boot - Microsoft Q&A
• Secure boot state is still off tried alot of things - Microsoft Q&A
• why don't i have the 2023 secure boot keys - Microsoft Q&A