Secure Boot on or off?

tweaked9107 · 27 Apr 2025 at 16:28

A bit random but what's the general consensus on secure boot? On or off in BIOS?

andshrew · 27 Apr 2025 at 19:30

If you're using Windows then I don't think there is any reason to turn it off. The firmware in your motherboard is validating that the software that is being booted by the system (ie. your OS and bootloader) have been signed by a trusted signature and not tampered with.

If you're also using other OS's like Linux then you may need to turn it off as not all distributions have access to signing keys.

tweaked9107 · 27 Apr 2025 at 19:55

Appreciate the response. I thought it was off in my BIOS because in system info it says secure boot state "off". Checked BIOS and it's set to enabled.
I've been getting errors in event viewer for "The secure boot update failed" so thought it was off. Will have to do a bit more searching on the issue.

andshrew · 28 Apr 2025 at 11:30

tweaked9107 said:
Appreciate the response. I thought it was off in my BIOS because in system info it says secure boot state "off". Checked BIOS and it's set to enabled.
I've been getting errors in event viewer for "The secure boot update failed" so thought it was off. Will have to do a bit more searching on the issue.

Is this an older system?

I know there were some Secure Boot vulnerabilities a couple of years ago that Microsoft were having some issues pushing out updates for, but I don't know if that would cause it so show as it being disabled within Windows.

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

Murphy · 28 Apr 2025 at 12:22

andshrew said:
If you're using Windows then I don't think there is any reason to turn it off.

I can think of one. It makes recovering data from the drive, if for example the machine becomes unbootable, a lot harder.

Personally I'd only enable secure boot on something like a laptop where it's not possible to secure physical access to the machine.

andshrew · 28 Apr 2025 at 13:03

Murphy said:
I can think of one. It makes recovering data from the drive, if for example the machine becomes unbootable, a lot harder.

Personally I'd only enable secure boot on something like a laptop where it's not possible to secure physical access to the machine.

How does Secure Boot make it harder to recover data from the drive?

tweaked9107 · 28 Apr 2025 at 13:04

andshrew said:
Is this an older system?

I know there were some Secure Boot vulnerabilities a couple of years ago that Microsoft were having some issues pushing out updates for, but I don't know if that would cause it so show as it being disabled within Windows.

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

No it was a brand new custom build I did about a month ago.

I found a youtube video that fixed the issue.
I had to go into the BIOS and change the secure boot mode from standard to custom, and then back to standard. For whatever reason this then changed the status of secure boot so it now shows as active. All very weird but based on the video's 1.4million views and 21,000 likes, I'd guess I'm not the only one who had this issue.