Secure boot Software Reset

Hi All
Is it possible in any way to allow a system reset when booted in secure boot mode?
Our setup on Zynq 7020
1) eFuse AES key set
2) eFuse AES only set
3) encrypted FSBL in QSPI flash
4) Fully encrypted boot.bin including linux ramdisk loaded
We need a method to reboot the system from Linux once running; any attempt made results in a secure lockdown.
What I would like to happen is basically a software-triggered Power On Reset.
Is this possible from within the Zynq?
I haven't managed to find anything in the Technical Reference Manual
Regards
Alex
 

I want to re-trigger the FSBL on a Zynq7020 after booting into a secure image using only software. Writing a 1 to register (PSS_RST_CTRL) results in a secure lockdown.
My FSBL is:
the_ROM_image:
{
  [aeskeyfile] aes.nky
  [encryption=aes, bootloader]FSBL.elf
}
using the efuse AES key
After booting the FSBL shows this:
"User not allowed to do any system resets"
This is from Xilinx's default FSBL
Now once I have fully booted into Linux, I want to reboot the device; all the testing I have done results in secure lockdown. Now this may be the intended operation for a secure boot and it is impossible to do what I want without externally triggering a Power On Reset.
If anyone knows if this is possible please let me know.

Similar Messages

  • Windows 8 Installation Disc Won't Load UEFI-only (T420s). Also does T420S support Secure Boot?

    Question 1:
    I am unable to load the Windows 8 Installation DVD in UEFI (only) mode on my T420s. As a result, I can only run the installer in Legacy mode (or both UEFI/Legacy which effectively means the same thing). This in turn means Windows 8 is installed in Legacy BIOS mode.  Any idea how to install it in UEFI mode?
    I am using a DVD burned using the Windows utility from the Windows 8 64-bit ISO and have followed the instructions in HT073269, however I am unable to get to step 1 of the Windows 8 install after updating the BIOS, resetting to defaults, and switching to UEFI-only. On boot, after switching to UEFI-only, I am presented with a bootloader and prompted to select which drive to boot (DVDRAM or SSD). Selecting either makes the screen go blank for a moment and then returns back to the same screen with no result.
    Since then I have searched these forums extensively and Googled Technet, Notebook Review, and other sites to no avail. I've tried several ideas, including using diskpart > clean to get the SSD in raw status (per HT051844). That did not make a difference. I also tried converting a Legacy-BIOS install of Windows 8 to UEFI using CharlyAR's instructions on TechNet (linked from another thread here). That seemed to get me to a Windows Boot Loader but still errored out and Windows Repair was unable to fix it.
    Any suggestions?
    Also, question 2:  Does anyone know if the T420S supports secure boot? If not, any idea if it's slated for a future firmware update?

    nuncio wrote:
    pleon wrote:
    I use Win8 on my T420s in UEFI mode. [...] I do not understand, what do you mean that secure boot does not work? In BIOS there is no special switch for that, but "UEFI only" works without any problems.
    Secure Boot is a certificate-based approach to preventing rootkits, not the same thing as UEFI. Although Secure Boot requires UEFI, having UEFI does not mean having the additional Secure Boot feature. If Secure Boot is available, typically there will be an option to enable it in the firmware configuration. Since the latest firmware for the T420S (ver. 1.35) does not have such an option, I suspect ThorsHammer is correct that Secure Boot is not (yet) supported on the T420S. I'm keeping my fingers crossed that Lenovo will tell us that a firmware update is on its way though.
    My understanding is that it will never support secure boot.  The secure boot support starts at Ivy Bridge and the T430s.

  • Upgrading Windows 7 (Legacy BIOS/MBR Disk) to Windows 8 (UEFI/GPT/Secure Boot)

    Hi there,
    I've recently purchased a W530 with Windows 7 pre-installed.  Ultimately, I'd like to replace this with Windows 8 + Secure Boot.  I believe I can get Windows 8 via the Microsoft Upgrade offer for a reasonable price, since this was a recent purchase.
    What's the best way to reach my goal?
    The Windows 7 install uses Legacy BIOS to boot with an MBR disk.
    I had a quick look at Acronis, and I can see that it's possible that the "OS will be automatically converted to support UEFI booting" (http://www.acronis.com/support/documentation/ABR11/index.html#14021.html) when using its tool.
    If I don't use this approach, what can I do?  Can I:
    1. Use Rescue and Recovery in Windows 7 (Legacy BIOS/MBR disk)
    2. Wipe the drive and reformat it with GPT?
    3. Install Windows 7 with UEFI enabled using the Rescue and Recovery made in step 1?
    4. At this point, I would now have UEFI and GPT.
    5. Perform an Upgrade from Windows 7 to Windows 8 and enable Secure Boot?
    Any thoughts as to whether this would work?
    Richard.

    Hi richii,
    The Acronis approach ends up in failure. Didn't give it a second look at the reason, since the tool is not necessary. I also tried several other "automatic" tools without success.
    The recovery approach will fail because it's tied up to BIOS boot.
    But I've performed the conversion from BIOS to UEFI two times successfully. After some digging, it's not SO hard. It's just... "undocumented". Very, very undocumented, hehe. I made a step-by-step guide: http://social.technet.microsoft.com/wiki/contents/articles/14286.converting-windows-bios-installatio...
    Let me know if it helps you...
    Anyway, if you don't have data/software, I would go for the clean install approach.
    Cheers.
    If I helped you, please give me some kudos! ^^

  • X220 BIOS/Firmware - does it support "Secure Boot" under Windows 8?

    I am getting ready to install W8x64 Pro.  I have a X220 with the latest BIOS (1.36 if I recall correctly) using Windows 7x64 currently.  I have run the Upgrade Assistant and it says: "Secure Boot isn't compatible with your PC."  "Your firmware doesn't support Secure Boot so you won't be able to use it in Windows 8."
    Assuming when I install W8x64 bit I have "Boot to UEFI First" and "UEFI BIOS Only" set in the BIOS - and the SSD formatted as a GPT SSD - should Secure Boot work?
    The 1.36 BIOS is not listed as Windows 8 compatible.  I see there is a BIOS for the X230 that is W8 compatible but I am not going to install it.
    At any rate - for any of you X220 users - you can click on "System Information" in W8 or type in "msinfo32" in the run script and it will say whether "Secure Boot" is Unsupported or On.
    Here is a Lenovo link for installing W7 using UEFI but it does not mention whether you would be able to be in "Secure Mode" at the end. 
    http://support.lenovo.com/en_US/downloads/detail.page?DocID=HT051844
    Kent

    Latest firmware is supposed to support Windows 8. But I don't know what support is supposed to mean... I'd say that if you've installed under UEFI and it still doesn't enable, it doesn't.
    Though now that I think of it... After I installed using UEFI, I had to go back to the BIOS and change some setting. Reset-some-key or something. I can't restart the computer now but whenever I restart it I'll let you know which setting it was. (It can be several days.)
    Good luck.
    If I helped you, please give me some kudos! ^^

  • Secure Boot State On in Error?

    I am running Windows Server 2012 R2 Essentials as a VM on Hyper-V Server 2012 R2 (server core).  In checking MSINFO32 I see "Secure Boot State" is "On" for Essentials, but given my current configuration I believe this should be "Off?"
    I setup a new Hyper-V Server 2012 R2 (server core) using an Areca ARC-1224-8i RAID controller.  It was unclear to me whether or not the Areca RAID controller would support UEFI or not, but since Secure Boot was desirable I decided to try a UEFI installation.
     I created two volumes on the RAID controller.  C drive of 80 Gb and D drive of the remainder (about 9 Tb).  I checked the file C:\Windows\Panther\setupact.log and saw the message which told me this was an EFI installation/boot.
    After Hyper-V was installed I then setup Essentials as a VM on the D drive.
    When I ran MSINFO32 in both Hyper-V and Essentials I saw the Secure Boot State was On, which was expected (and desired) for both OS levels.
    Several days later I started having problems.  The system seemed to have crashed and during multiple attempts to reboot the Hyper-V server couldn't seem to detect the RAID controller.  If I tried a new Hyper-V installation and loaded the RAID driver the RAID controller was seen, but when Hyper-V itself tried to boot it seemed as though the RAID driver was not being loaded and thus the RAID controller could not be found (and along with it my C boot drive was missing)?
    Since I had some suspicion that the RAID controller might not support UEFI I decided to re-install Hyper-V, but this time using the Legacy BIOS.  After the installation was completed I again verified the setupact.log and saw BIOS rather than EFI (as expected).
    I then re-attached my Essentials VM (which was left untouched on the D drive) and got everything running again.
    But now when I check MSINFO32 within Hyper-V it showed Secure Boot State Off (expected given that UEFI was not used).  But when checking MSINFO32 within Essentials it showed Secure Boot State On.
    I thought one purpose of Secure Boot was to create a chain of trust.  Given that Hyper-V can no longer verify this chain (since UEFI is not used) I would have expected any VM running above Hyper-V to be in the same state, i.e., Secure Boot State Off?
    When the underlying Hyper-V layer changed I would have expected that to change Essentials' view of the world?  So it looks to me as though this is not being handled correctly?
    Thanks for any assistance you can provide.
    P.S.  In case this makes any difference I am using a motherboard with a TPM and both the C and D drives were encrypted with BitLocker.  The C drive used a TPM key and the D drive had a password and was setup to autounlock.
    After I re-installed Hyper-V on the C drive I then manually entered the BitLocker password in order to access the Essentials VM on the D drive.
    Theokrat

    Sophia,
    Sorry for the delay.  Since I'm working other problems with this server it took a while before I could double check the configuration.
    In case it matters on this server I'm using an Asus Z87-WS motherboard.
    I'm setup for BIOS rather than UEFI boot.  There is a "Secure Boot" menu.
    Secure Boot State - Disabled
    Platform Key (PK) state - Unloaded
    OS Type - Windows UEFI Mode
    Then on the "Advanced Trusted Computing" menu I have -
    Security Device Support - Enabled
    TPM State - Enabled
    Pending Operation - None
    Current Status Information - Enabled
    TPM Enabled Status - Activated
    TPM Owner Status - Unowned
    When I initially installed the software (on my new RAID6 controller) I was in the process of enabling BitLocker when I ran into problems with the RAID6 controller.  I don't believe the state of the TPM should have any influence on the Secure Boot state anomaly I'm asking about?
    When I checked C:\Windows\Panther\Setupact.log there is a line in that file that confirms a BIOS boot.  When I logged onto Hyper-V Server 2012 R2 and ran MSINFO32 (as noted above) there is a line that also shows BIOS and Secure Boot state as Off (which is expected).  But within the VM running Essentials 2012 R2 when I run MSINFO32 I see a Secure Boot state of On (which is unexpected).  I don't recall off hand if MSINFO32 within Essentials showed BIOS or UEFI for the boot?  I think it was BIOS, but would have to double check.  (I won't be able to do that until I get issues with my RAID controller fixed.  Or until I give up and try some other method to setup the hard drives and re-install Essentials.)
    Thanks for your help.
    Theokrat

  • Secure boot?

    Hello,
    I have a question regarding the secure boot option in the BIOS.  I have a Satellite C855D with Windows 8.1.  I was trying to boot to a USB thumb drive that has a bootable Ultimate Boot CD on it.  I changed the boot mode from UEFI to CSM but cannot find where to disable "secure boot."  I have done it before but it's like it isn't there now. 
    I reformatted my drive about two months ago and it may be a coincidence but I don't think I've seen the option since then.

    "Secure Boot" isn't needed to install Windows 8.
    "Secure Boot" is merely a feature of newer UEFI BIOSes that allows the system to maintain control of the installation of certain rogue software. It locks down the system and only hands over execution to "white listed" programs and operating systems.
    Please send KUDOs
    Frank
    This is a user supported forum. I am a volunteer and I don't work for HP.

  • Secure Boot Status: DISABLED. Cannot enable Secure Boot via BIOS.

    BIOS Security Page displays:
    Secure Boot ENABLED
    Secure Boot Status DISABLED
    I have attempted to ENABLE Secure Boot multiple times but Secure Boot Status remains DISABLED
    This problem occurred after BIOS Upgrade to v3.07
    I have Lenovo G510 Laptop
    Windows 8.1
    BIOS Version 79CN48WW (v3.07)
    I have tried the recommended solution of "Reset to Setup Mode" and "Restore Factory Keys".
    This did not solve the problem, Secure Boot Status still indicates DISABLED.
    Please suggest an alternative solution to this problem.

    I was scared to attempt the recommended solution of "Reset to Setup Mode" and "Restore Factory Keys", but it actually worked for me!
    U430p

  • What do I do if I see "Secure Boot isn't configured correctly" on my Desktop?

    Question: What do I do if I see "Secure Boot isn't configured correctly" on my Desktop?
    Answer: Secure Boot is an option, introduced to most consumers in Windows 8, in the UEFI settings, which some people might call the BIOS. When enabled, your computer will only load drivers or operating system loads that have an acceptable digital signature. This means that Secure Boot ensures harmful software doesn't attempt to load during the boot process.
    This may become disabled for a variety of reasons. The most likely is that it was disabled to allow the computer to boot from an external device or to boot a previous version of Windows. In the original version of Windows 8, Windows gave no indication that Secure Boot was disabled. Windows 8.1 changed this by displaying a watermark on the desktop.
    If you intended Secure Boot to be disabled, there is no problem. The watermark can be safely ignored, but there is no setting to remove it.
    If you did not intend Secure Boot to be disabled, you can enable it. Open the Charms by swiping in from the right, moving the mouse cursor to top-right or bottom-right corner, or pressing Windows+C, then select the following:
    Settings > Power > Shift + Restart > Troubleshoot > UEFI Firmware Settings
    In the UEFI Firmware Settings, navigate to the Security tab and set Secure Boot to Enabled.
    For more information on the watermark, please see this article by Microsoft.
    "Secure Boot isn't configured correctly" watermark on the desktop

    It is a very small battery inside which keeps settings, your clock, etc. going. They usually last 3 - 5 years and I don't believe they are user replaceable. I would make an appointment at your nearest Genius Bar and have them do it.

  • MJG's signed Shim for UEFI Secure Boot now available

    There have been a number of posts about EFI and Secure Boot recently, so I thought some people might be interested in this:
    http://mjg59.dreamwidth.org/20303.html
    That's Matthew Garrett's announcement of a signed binary version of his Shim boot loader. Basically, this program will boot on a computer with Secure Boot active in its default mode (with Microsoft's keys in the firmware) and then launch another boot loader (called grubx64.efi, although it could be something other than GRUB in that filename) that you sign with your keys. The end result is something that's more secure than disabling Secure Boot entirely and easier than installing your own Secure Boot keys. I haven't yet tried this version of the binary, so I can't provide help beyond pointing you to MJG's own blog, but I thought some people might want to know about it.
    FWIW, although you could sign and launch my rEFInd boot manager with this version of Shim, the current version (0.4.7) won't be very useful when signed in this way, since it doesn't yet "talk" to Shim. I'm working on changing that, so that rEFInd will launch binaries signed in a way that Shim supports.

    kristof wrote: A signed bootloader is nice, but unless the Arch developers start distributing a version of the kernel that's also signed with a MOK, secure boot isn't being fully utilized.
    Largely true, but:
    Secure Boot is here, and seems likely to stay. Given this fact, all Linux distributions (including Arch) need a way to cope with it. There are basically two choices: Provide instructions on how to deal with it (difficult because of system-to-system differences) or provide signed binaries (a boot loader at a minimum, or preferably a boot loader and kernel).
    It's possible to "provide" a signed binary by generating the key locally and signing it locally. This could be done by scripts in the installation process, for example. Of course, that still leaves a need to get the installer booted on a Secure Boot system, but that could be handled with the Linux Foundation's pre-bootloader.
    To be truly effective, Secure Boot really requires support all the way up the software chain. Signing a kernel does no good if the kernel can load unsigned modules, for instance. Fedora's taking steps to provide such security, but Ubuntu seems to be going with a more relaxed approach. In truth, Linux isn't as bothered by malware as is Linux, so it's unclear that going with a Fedora-esque approach is really helpful; but OTOH, it's conceivable that malware authors will start using Linux as a vector to install boot-time malware if Windows becomes sufficiently locked down, so maybe some paranoia is in order.
    At the moment and as a practical matter, technical Linux users (including most Arch users) will find it quicker and easier to disable Secure Boot than to use shim. As shim and various support tools (signing utilities, boot managers, etc.) mature, though, this may not be the case. It may also be desirable or even necessary to leave Secure Boot enabled, in which case adopting shim now may make sense. Likewise if you want to learn about it now so that you can use it in the future.

  • G500 Secure Boot Status Disabled can't change

    Hi everybody
    I have a Lenovo G500 with Windows 8.1 Professional.
    I use UEFI boot mode, but there is a problem with secure boot.
    In BIOS Page Security I have
      SECURE BOOT                   ENABLED       
      SECURE BOOT STATUS    DISABLED    I cannot change it although I try everything
    Windows 8.1 tells me in System Information (msinfo32) I have secure boot off.
    I don't have any watermark on my Desktop.
    I only want to use SECURE BOOT.
    I tried everything, but nothing helped me.

    Open the BIOS menu. If your secure boot is enabled, then in the security tab you will get two more options to "Reset to setup mode" and "Restore Factory Keys". Just hit enter on those two options.
    Then exit saving changes and enjoy.

  • MSI Z87 G45 + MSI R9 280X + Windows 8.1 secure boot difficulties

    After updating to Windows 8.1 Pro I had the "Secure Boot isn't configured properly" watermark as many others. I determined my disk is GPT partitioned, I enabled UEFI on the GPU by moving the physical switch from the 2 position to the 1 position, and enabled Windows 8 Feature + Secure Boot with standard settings in the G45 bios (ver 1.5). After doing save and reboot I'm presented with a blank screen with my monitor showing a "DVI no input" message. I reset the CMOS to allow me to boot again, but after a couple more tries with the secure boot settings such as enabling/disabling Fast Boot I have not been able to get it to work.
    System:
    MSI Z87 G45
    8GB DDR3 1600mhz Crucial ram
    I5-4670k
    MSI R9 280X
    Samsung 840 SSD 250gb
    Asus cd/dvd drive

    I want to know the same thing. I bought a MSI Z87-G45 Gaming motherboard this month and I can't activate Secure Boot on it because it's still in Setup Mode. I have no idea how to put the motherboard into User Mode and Google doesn't help me much further either. How to activate a key? I have a I5-5670K and GTX 770 by the way.
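The G500/G510 and MSI Z87-G45 threads above turn on the gap between the Secure Boot setting and its actual status, and on Setup Mode versus User Mode. As an added example (not code from any post), this Python sketch decodes the UEFI `SecureBoot` and `SetupMode` variables in the layout Linux efivarfs exposes; the state labels and the sample byte strings are constructed for illustration.

```python
import struct
from pathlib import Path

# GUID of the UEFI global variable namespace (fixed by the UEFI specification).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b2c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data).

    efivarfs prefixes every variable with a 4-byte little-endian attribute mask.
    """
    if len(raw) < 4:
        raise ValueError("efivarfs entry is shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def read_flag(raw):
    """Return 0 or 1 for a one-byte boolean variable, or None if it is absent."""
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError("expected a single byte of 0 or 1, got %r" % (data,))
    return data[0]


def classify(secure_boot_raw, setup_mode_raw):
    """Map the two variables to one of the (constructed) state labels below."""
    secure_boot = read_flag(secure_boot_raw)
    setup_mode = read_flag(setup_mode_raw)
    if secure_boot is None:
        # Legacy BIOS/CSM boot, or firmware without Secure Boot at all.
        return "unsupported"
    if setup_mode == 1:
        # No Platform Key enrolled: the firmware cannot enforce signatures,
        # whatever the "Secure Boot: Enabled" menu item says.
        return "inconsistent" if secure_boot == 1 else "setup-mode"
    return "enforcing" if secure_boot == 1 else "disabled"


def read_live(name):
    """Read a global UEFI variable from this machine, or None if unavailable."""
    path = EFIVARS_DIR / ("%s-%s" % (name, EFI_GLOBAL_GUID))
    try:
        return path.read_bytes()
    except OSError:
        return None


# Constructed samples: attribute mask 0x06 followed by the one-byte value.
ATTRS = struct.pack("<I", 0x06)
SAMPLES = {
    "keys enrolled, enforcement on": (ATTRS + b"\x01", ATTRS + b"\x00"),
    "keys enrolled, enforcement off": (ATTRS + b"\x00", ATTRS + b"\x00"),
    "setting enabled, no Platform Key": (ATTRS + b"\x00", ATTRS + b"\x01"),
    "legacy BIOS boot": (None, None),
}


def classify_samples():
    """Classify every constructed sample; returns {label: state}."""
    return {label: classify(sb, sm) for label, (sb, sm) in SAMPLES.items()}


if __name__ == "__main__":
    for label, state in classify_samples().items():
        print("%-34s -> %s" % (label, state))
    print("this machine -> %s"
          % classify(read_live("SecureBoot"), read_live("SetupMode")))
```
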

  • Windows 8.1 - Secure boot isn't properly configured

    Hello...
    I have bought a new laptop... When I install 8.1
    it shows that Secure Boot is not correctly configured....
    Please give me a solution.
    How to enable Secure Boot in BIOS?

    Dear Hiteshpadhara
    Welcome to the Lenovo community
    Have you tried to reset the BIOS using the F9 and F10 to save and exit ?
    Let us know
    Thanks 
    Alaa

  • Satellite C50 - Secure Boot not configured correctly Build 9600

    Hi,
    Recently purchased a refurbished Toshiba Satellite C50 running windows 8.1 operating system. Was very pleased with it but found the message 'SecureBoot not configured correctly Build 9600' in a watermark in the bottom right corner of my desktop.
    Decided to search the internet for a resolution and after going on 3 troubleshooting sites, found out about the BIOS Setup required, however it warned that this was for advanced users who know their stuff about the technicalities of computers. Whilst I am computer literate, I'm not someone who likes to mess with the advanced options. Then, I stumbled across a reliable computer blog which had a detailed post on SecureBoot.
    ( Link to blog and specific post:
    www.techrepublic.com/blog/windows-and-office/deal-with-the-secureboot-isnt-configured-correctly-watermark-in-windows-81/ )
    I thought this would resolve my issue, and I will admit it did help, telling me to use windows powershell as a precaution before using the BIOS setup. I was glad I did as it came back telling me that I have a non-production SecureBoot policy present on my laptop in which case I would have to ask for technical support for a system specific solution which would typically be a firmware update.
    I did try to phone, but the line was very busy and felt it might be easier to post this issue on a forum.
    If anyone has an answer please help as I really would like to enable SecureBoot if possible, as I believe computers should be set up with the best security options possible and it makes me feel comfortable knowing that it is set up securely.

    Someone commented on the blog and posted this solution:
    The registry fix to remove the watermark is as follows.
    1. Start the Registry Editor with Admin rights (C:\Windows\regedit)
    2. Navigate to the following path
    -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
    3. There, set the two values "ConsentPromptBehaviorAdmin" and "EnableLUA" to "0".
    You can also try to enable the secure boot option in BIOS (in case it's not already enabled)
    To get into the BIOS, press F2 while powering ON the unit.
    Additionally recommend checking this Microsoft page:
    http://windows.microsoft.com/en-us/windows-8/secure-boot-watermark

  • T450s downgrade Win 8.1 Pro to Win 7 Pro Secure Boot Process?

    Hi all, New owner of a T450S with 8.1 Pro. I have a Windows 7 Pro OEM disc (no serial number) that I can put on a USB thumb drive. Prior to owning a secure boot machine I would just format the hard and install Win 7. With secure boot and the downgrade I'm not sure how this works. 1. Is the serial number that I have backwards compatible? Can I just format, install and use the 8.1 Pro serial number on my Lenovo? 2. I believe I will have to disable secure boot but I'm not sure. Any help or link to a tutorial would be appreciated. Thanks, Chrissy

    @ the OP,
    The article ColonelOneill linked says "You’ll need to activate by phone. Call up the phone number displayed in the activation window and explain that you’re exercising your Windows 8 Pro downgrade rights. Have your Windows 8 Pro key ready; you’ll need it to prove your PC has downgrade rights."
    Here's a link to Microsoft's description of how to activate a downgrade:  Understanding downgrade rights
    Z.

  • Need security management software for OS 8.6 through 9.2

    Are there any security management softwares available these days for OS 8.6 through OS 9.2? Something which lets the computer owner turn off firewire and USB is what I'm looking for. It would be nice to be able to allow only some selected USB devices, like a keyboard and a printer or scanner, and still disallow external drives or thumb flash drives, but turning off all USB would be useful on machines which don't need USB keyboards, like beige or B&W PMG3 computers or G3 iBooks.

