Cannot boot laptop unless Secure Boot is disabled

Karston Cagulada 0 Reputation points
2026-06-09T09:09:34.9766667+00:00

I have been trying to allow device encryption for my Lenovo device. In order to do that, I needed to have TPM and modern standby support. I have finally gotten both on my laptop, which is the Lenovo Legion S7-15ACH6 Laptop - Type 82K8. The issue is that I now cannot boot into my laptop unless SecureBoot is disabled. Before I had changed anything in the settings, SecureBoot was enabled and everything was working fine. After I reset the factory keys in my laptop, the boot select menu would show up. When I select Windows Boot Manager, the selection screen briefly disappears before reappearing, with nothing happening. The only menu I am able to go to from there is the BIOS menu. Does anyone know how to fix this issue?

Windows for home | Windows 11 | Security and privacy

2 answers

  1. DaveM121 887.2K Reputation points Independent Advisor
    2026-06-09T09:47:58.0233333+00:00

    Before making any changes in BIOS, please ensure you have a safe backup of your files, and if you log into Windows with a PIN, be sure you know your password, in case the PIN does not work after making the changes in BIOS.

    In BIOS have you already reset TPM keys and Secure Boot keys to factory and that still does not allow you to boot into Windows with Secure Boot enabled?

    If so, the best option would be to go to the support page for your device on the Lenovo website to check for any BIOS update that may be available and not yet installed.


  2. AI answer

    2026-06-09T09:09:53.3866667+00:00

    The behavior indicates that Secure Boot can no longer validate the Windows boot files after the firmware key reset. The goal is to restore valid boot files and then re‑enable Secure Boot.

    Follow these steps in order:

    1. Turn off Secure Boot so the device can start
      • Enter the UEFI/BIOS menu on the Lenovo (for example by pressing Esc, F1, F2, F10, F11, or F12 during power‑on, depending on the device).
      • Go to the Security or Boot section.
      • Set Secure Boot to Disabled.
      • Save and exit, then let the device boot into Windows.
    2. Rebuild the EFI boot files from Windows
      • Sign in to Windows.
      • Open an elevated Command Prompt (Run as administrator).
      • Run these commands one by one:
             mountvol S: /s
             del S:\*.* /f /s /q
             bcdboot %systemroot% /s S:
        
      • Confirm that BCDBoot reports: Boot files successfully created.
      • Restart the device and confirm it still boots (with Secure Boot still disabled at this point).
    3. Reset Secure Boot keys to factory defaults
      • Re‑enter the UEFI/BIOS menu.
      • Locate the Secure Boot section.
      • Use the option to reset Secure Boot keys to factory defaults (on some devices this is labeled “Reset to factory keys” or similar). If there are both “Clear” and “Reset” options, use “Reset”.
      • Save and exit.
    4. Re‑enable Secure Boot
      • Go back into the UEFI/BIOS menu.
      • In the Secure Boot section, set Secure Boot to Enabled.
      • Save changes and exit.
      • Allow the device to boot normally from “Windows Boot Manager”.

    If the device fails to boot again after enabling Secure Boot, repeat the steps to disable Secure Boot so the system is usable, then contact Lenovo support for assistance with restoring the correct factory keys for this specific Legion model.

    Note: While Secure Boot is disabled, the device is more vulnerable to boot‑level malware. Re‑enable Secure Boot as soon as the boot issue is resolved.


    AI-generated content may be incorrect. Read our transparency notes for more information.
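
A read-only check that can be run after step 2 of the answer above, as an added PowerShell example (not part of the original thread, and not Microsoft's or Lenovo's code): it reports the Secure Boot state, which CA issued the signature on the boot manager that BCDBoot wrote to the EFI System Partition, and whether that CA's name appears in the firmware's db after the key reset. The S: drive letter is reused from the answer; the default boot manager path and the name-in-db string match are assumptions.

```powershell
# Added example: read-only diagnostic. Run in an elevated PowerShell session.
# Assumptions: S: is unused (letter taken from the answer above) and the boot
# manager sits at the default path on the EFI System Partition (ESP).
$bootmgr = 'S:\EFI\Microsoft\Boot\bootmgfw.efi'

# 1. Secure Boot state reported by the firmware (throws on non-UEFI systems).
$enabled = try { Confirm-SecureBootUEFI } catch { "unknown: $($_.Exception.Message)" }

# 2. Mount the ESP and read who signed the boot manager.
mountvol S: /s
try {
    $sig    = Get-AuthenticodeSignature -FilePath $bootmgr
    $signer = $sig.SignerCertificate
    # Simple name (CN) of the CA that issued the signing certificate.
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $issuingCa = if ($signer) { $signer.GetNameInfo($nameType, $true) } else { $null }
}
finally {
    mountvol S: /d   # always release the drive letter again
}

# 3. Look for that CA name in the firmware allow list (db). A plain string match
#    over the raw variable is a heuristic, not a parse of the signature lists.
$inDb = $null
if ($issuingCa) {
    try {
        $db     = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $dbText = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $inDb   = $dbText.Contains($issuingCa)
    }
    catch {
        Write-Warning "Could not read db: $($_.Exception.Message)"
    }
}

# 4. One summary object for the support ticket or forum reply.
[pscustomobject]@{
    SecureBootEnabled = $enabled
    BootManager       = $bootmgr
    SignatureStatus   = $sig.Status
    IssuingCA         = $issuingCa
    IssuingCAInDb     = $inDb
}
```

If IssuingCAInDb is False, the reset db does not list the CA that signed the boot manager, which is useful evidence to bring to the BIOS update or Lenovo support route both answers point to. A True result does not rule out a revocation entry in dbx.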

