Enable Secure Boot

[vik_joy]

Hi All,

I'm trying to prepare for Windows 11 and for that I am trying to activate Secure Boot from BIOS.

I already have TPM 2.0 activated from Bios and my BIOS is in UEFI mode

 

 

I've also checked that my GPU supports UEFI

 

 

Now from my BIOS, I've tried to activate Secure Boot

1. I turned CSM Support off

2. Then I went to 'Secure Boot' option and set up a Platform Key (default from board)

 

After doing this I was told by the system to ensure that my GPU supports UEFI and then I ENabled 'Secure Boot'.

 

After this when I saved the changes and exited, my system went in to a sort of boot loop. This X470 Ultra Gaming board has 4 diagnostic LEDs and the boot, rather POST sequence normally does this, gpu->cpu->ram->boot and complete, I see the windows logo. But after enabling secure boot, it was going like this gpu->cpu->ram->gpu->...loop and teh screen was blank.

I had to remove the battery to clear cmos and restore the system back.

 

So now I would like your help on this, like is any settings I need to configure in BIOS, before i attempt to turn on secure boot again.

 

My system summary:

Motherboard: Gigabyte x470 Ultra Gaming (rev 1), BIOS version F6

Processor: Ryzen 5 2600

RAM: 16GB Corsair (8*2) @ 3Ghz

GPU: MSI Geforce GTX 1060 6GB (OC V2)

 

Thanks,

Souvik

[LogicalDrm]

-> Moved to Windows

[m9x3mos]

7 hours ago, vik_joy said:

Hi All,

I'm trying to prepare for Windows 11 and for that I am trying to activate Secure Boot from BIOS.

I already have TPM 2.0 activated from Bios and my BIOS is in UEFI mode

 

 

I've also checked that my GPU supports UEFI

 

 

Now from my BIOS, I've tried to activate Secure Boot

1. I turned CSM Support off

2. Then I went to 'Secure Boot' option and set up a Platform Key (default from board)

 

After doing this I was told by the system to ensure that my GPU supports UEFI and then I ENabled 'Secure Boot'.

 

After this when I saved the changes and exited, my system went in to a sort of boot loop. This X470 Ultra Gaming board has 4 diagnostic LEDs and the boot, rather POST sequence normally does this, gpu->cpu->ram->boot and complete, I see the windows logo. But after enabling secure boot, it was going like this gpu->cpu->ram->gpu->...loop and teh screen was blank.

I had to remove the battery to clear cmos and restore the system back.

 

So now I would like your help on this, like is any settings I need to configure in BIOS, before i attempt to turn on secure boot again.

 

My system summary:

Motherboard: Gigabyte x470 Ultra Gaming (rev 1), BIOS version F6

Processor: Ryzen 5 2600

RAM: 16GB Corsair (8*2) @ 3Ghz

GPU: MSI Geforce GTX 1060 6GB (OC V2)

 

Thanks,

Souvik

Is your hard drive installed with mbr or gpt?

[vik_joy]

4 hours ago, m9x3mos said:

Is your hard drive installed with mbr or gpt?

My boot drive is in gpt. But I have two other storage hard drives, they are in mbr

[Folktale]

I think after enabling Secure boot, you need to install a fresh copy of Windows. That's why it is probably going to GPU in POST because it cannot find the Boot drive to boot from? Anyway, Windows 11 seems more of a hassle now. And now I am afraid of enabling secure boot on my Gigabyte board with age old F5 BIOS version.

[vik_joy]

2 hours ago, Folktale said:

I think after enabling Secure boot, you need to install a fresh copy of Windows. That's why it is probably going to GPU in POST because it cannot find the Boot drive to boot from? Anyway, Windows 11 seems more of a hassle now. And now I am afraid of enabling secure boot on my Gigabyte board with age old F5 BIOS version.

Could be...I thought it would be straight forward, just some BIOS config changes. 

But yeah, Windows 11 is becoming a hassle.

[Folktale]

5 hours ago, vik_joy said:

Could be...I thought it would be straight forward, just some BIOS config changes. 

But yeah, Windows 11 is becoming a hassle.

Before that, you can also try enabling CSM in auto mode is possible? Also kindly share the results whether what worked or not.

[vik_joy]

11 hours ago, Folktale said:

Before that, you can also try enabling CSM in auto mode is possible? Also kindly share the results whether what worked or not.

No, in my bios, I have only two options for csm support, disable or enable.

Only by disabling the csm support makes the secure boot option visible.

[GoodBytes]

13 hours ago, vik_joy said:

No, in my bios, I have only two options for csm support, disable or enable.

Only by disabling the csm support makes the secure boot option visible.

So, then what is problem?

You didn't list any legacy hardware or peripherals, why would CSM be enabled?

 

Unless you have a VERY specific need, such as using some old hardware that doesn't support UEFIs at all, CSM (Compatiability Support Module) should always be disabled

 

[vik_joy]

9 hours ago, GoodBytes said:

So, then what is problem?

You didn't list any legacy hardware or peripherals, why would CSM be enabled?

 

Unless you have a VERY specific need, such as using some old hardware that doesn't support UEFIs at all, CSM (Compatiability Support Module) should always be disabled

 

Actually I never looked in to that BIOS option before searching for secure boot option due to this Windows 11 requirements. I think by factory default it was enabled. I can definitely have it disabled and it causes no issue.

But my original problem is with when I enabled the Secure Boot (although, I did this once), my system wen in to that boot loop.

That is what I'm trying to fix or know the reason of. It seems my hardware does support secure boot, but then why it did that loop, is puzzling me.

Could it be because I already have Windows 10 installed, but I've converted the boot drive from mbr to gpt before I attempted secure boot.

Only thing I see now is, I have two more storage hard drives, and those are in mbr. Could they cause this?

[vik_joy]

After reading this article I think @Folktale you probably were correct on assuming that a new OS installation is needed after enabling secure boot and making it work.

Article Link: https://itconnect.uw.edu/wares/mws/mgmt/setup-computer/secure-boot/

 

But why would someone would go through all the trouble of setting up everything again after installing fresh OS, rather than just being able to upgrade to the newer one. Seems a bit of short sighting from Microsoft on this one.

Would like to hear your opinion guys and if anyone was able to successfully enable secure boot without installing OS again, would like hear about that as well.

 

Thanks

[Folktale]

12 hours ago, vik_joy said:

After reading this article I think @Folktale you probably were correct on assuming that a new OS installation is needed after enabling secure boot and making it work.

Article Link: https://itconnect.uw.edu/wares/mws/mgmt/setup-computer/secure-boot/

 

But why would someone would go through all the trouble of setting up everything again after installing fresh OS, rather than just being able to upgrade to the newer one. Seems a bit of short sighting from Microsoft on this one.

Would like to hear your opinion guys and if anyone was able to successfully enable secure boot without installing OS again, would like hear about that as well.

 

Thanks

From what I am seeing for the past few days, it's that people have successfully enable secure boot on other boards, or that anyone who has enabled secure boot on gigabyte board has either bricked their motherboard or gone into some other problem. If Gigabyte has poor implemented BIOS firmware, then that means that we need to wait either for microsoft to let win 11 install on with just the secure boot feature present and not just enabled (highly unlikely) or just update to the working BIOS update that doesn't brick secure boot.

 

In case, the firmware is fine on gigabyte board, then I think we are either skipping some steps or not following them properly. Also make sure the boot priority is correct. You can also try to remove the other non-GPT drive to see if they are causing the issue? Anyway, if your motherboard is in warranty, then you can simply experiment, the least it will cost you is some time and a thermal paste if you really want windows 11. If your board is out of warranty then just ignore windows11 for now. It's sad but better than bricking a motherboard.

[vik_joy]

21 hours ago, Folktale said:

From what I am seeing for the past few days, it's that people have successfully enable secure boot on other boards, or that anyone who has enabled secure boot on gigabyte board has either bricked their motherboard or gone into some other problem. If Gigabyte has poor implemented BIOS firmware, then that means that we need to wait either for microsoft to let win 11 install on with just the secure boot feature present and not just enabled (highly unlikely) or just update to the working BIOS update that doesn't brick secure boot.

 

In case, the firmware is fine on gigabyte board, then I think we are either skipping some steps or not following them properly. Also make sure the boot priority is correct. You can also try to remove the other non-GPT drive to see if they are causing the issue? Anyway, if your motherboard is in warranty, then you can simply experiment, the least it will cost you is some time and a thermal paste if you really want windows 11. If your board is out of warranty then just ignore windows11 for now. It's sad but better than bricking a motherboard.

I got mine enabled finally

You were right on missing steps. Its all tied to sequence of turning on stuff in Gigabyte BIOS at-least. I turned on ftpm before secure boot and after watching this video I reset all those to disabled and then followed the steps depicted in the video and voila!...its all set up and I'm ready for Win 11

Video link: 

I'm accepting this as my answer. Thanks a ton guys for sharing your thoughts and feedback, its been a great help

[SLOTHINSPACE]

I also tried firstly enabling TPM for my intel system with a gigabyte board and getting the boot loop situation il try using the steps in the video and hopefully it works for me. I’m using UEFI and gmt for my ssd boot drive. Quick question was all your drives gmt or just the boot drive because I want to make sure I’m doing this right. 
And lastly is your cpu under windows 11 cpus. Because I don’t know if I should even enable it if my cpu isn’t supported yet [hopefully]

[vik_joy]

13 minutes ago, SLOTHINSPACE said:

I also tried firstly enabling TPM for my intel system with a gigabyte board and getting the boot loop situation il try using the steps in the video and hopefully it works for me. I’m using UEFI and gmt for my ssd boot drive. Quick question was all your drives gmt or just the boot drive because I want to make sure I’m doing this right. 
And lastly is your cpu under windows 11 cpus. Because I don’t know if I should even enable it if my cpu isn’t supported yet [hopefully]

I think you meant gpt.

Yes, only my boot drive is in gpt, my other two storage drives are in mbr and those don't matter. Everything is related to boot drive only.

About my cpu, i don't know if there is such restriction over cpu for windows 11. Only thing may be the cpu should support tpm and from your post I think it does, as you already have tpm enabled. But i don't think there should not any problem with cpu for win 11.

You need to ensure one thing, if you are using an external gpu, then that gpu should support uefi. See the screenshot from gpu-z from my original post and you will know what to look for.

Share your experience and good luck

[SLOTHINSPACE]

3 minutes ago, vik_joy said:

I think you meant gpt.

Yes, only my boot drive is in gpt, my other two storage drives are in mbr and those don't matter. Everything is related to boot drive only.

About my cpu, i don't know if there is such restriction over cpu for windows 11. Only thing may be the cpu should support tpm and from your post I think it does, as you already have tpm enabled. But i don't think there should not any problem with cpu for win 11.

You need to ensure one thing, if you are using an external gpu, then that gpu should support uefi. See the screenshot from gpu-z from my original post and you will know what to look for.

Share your experience and good luck

Yes my gpu does support it. What I’m saying is right now windows is only supporting 8th gen and above for cpus myself I have 7th gen they are looking into adding it maybe who knows . Il give it a try doing what you did, from what I have read I am in the same situation as you expect intel instead of amd. And currently I do not have tpm enabled when doing so it boot loops I think doing the steps from the video might fix it I’m thinking secure boot needs to enabled first for it to work ? 

[vik_joy]

48 minutes ago, SLOTHINSPACE said:

Yes my gpu does support it. What I’m saying is right now windows is only supporting 8th gen and above for cpus myself I have 7th gen they are looking into adding it maybe who knows . Il give it a try doing what you did, from what I have read I am in the same situation as you expect intel instead of amd. And currently I do not have tpm enabled when doing so it boot loops I think doing the steps from the video might fix it I’m thinking secure boot needs to enabled first for it to work ? 

Yes, its the sequence of settings matters the most I believe. Try the video. Hopefully things will work our for you.

[jez2590]

I can confirm that this works!

 

I did have to:

• Change my boot drive to gpt 
• Update my Legacy settings to UEFI - <linked removed by mod>
• Then used the instructions in the video in the chain above