Disabling Secure Boot


Before performing a boot drive transform, make sure Secure Boot is disabled (this is only required in UEFI boot mode).  You can check the current setting in Windows by opening the System Information tool and looking for "Secure Boot State" in the System Summary.  If this entry doesn't exist, then your system is not Secure Boot capable and you can ignore the rest of this KB article.  Once the transform is complete, you may be able to turn Secure Boot back on again (see below), though some motherboard firmware implementations may not support this method, or might have complications as described below.
  1. Restart your computer.
  2. Hit the specific key for your motherboard to enter the BIOS settings menu (typically F2 or Delete, sometimes F1, F10, or Esc).
  3. Find the Secure Boot setting.  Unfortunately, the location of the setting varies between different BIOSes, and it is sometimes not a simple toggle, so you may need to consult your motherboard manual.  There are some examples at the bottom of this article.  It is typically under a section entitled Boot, but it could be in an Advanced menu under Windows Configuration.  On some motherboards, there is a readout that specifies the current Secure Boot state with no obvious way to change it.  The easiest method in such a case is usually to set OS Mode to "Other OS" (rather than "Windows UEFI" or similar), or set Windows 10 WHQL Support to "Disabled."  Alternatively, some motherboards require you to go to Platform Key (PK) Management and "Clear Secure Boot Keys."  Some require you to set a Supervisor password to enter the BIOS first before they allow you to change the setting.

Alternatives to disabling Secure Boot
  • A few motherboards allow you to trust a third party boot loader and leave Secure Boot on.  You may do so by setting the packaged shell as trusted (typically found in FS0:\EFI\Boot\bootx64.efi).
  • You could also add the Enmotus signed platform key to your system.  Contact Enmotus to acquire the most recent key if this is necessary for your environment.

Re-enabling Secure Boot (optional)
  1. Hit Escape when you see the UEFI Shell message (there is only a 1 second pause, so you may miss it, and have to reboot and try again).
  2. Type AddDriver at the "Shell>" prompt.
  3. Hit any key to reboot.
  4. Hit the specific key for your motherboard to enter the BIOS settings menu (typically F2 or Delete, sometimes F1, F10, or Esc).
  5. Set Secure Boot to "Enabled," OS Mode to "Windows UEFI," and/or go to Platform Key (PK) Management and choose "Install Default Secure Boot Keys" and "Restore DB Defaults."
  6. Set "Windows Boot Manager" as the first boot option.
See this KB article: Secure Boot with FuzeDrive
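
The Secure Boot state check described at the top of this article, and the confirmation that Secure Boot is back on after re-enabling it, can also be done from an elevated PowerShell prompt with the built-in Confirm-SecureBootUEFI cmdlet. This is an added example, not Enmotus code; the function name Get-SecureBootState and the wording of the notes are hypothetical.

```powershell
# Added example (not Enmotus code). Get-SecureBootState is a hypothetical helper name.
# Run from an elevated prompt: Confirm-SecureBootUEFI requires administrator rights.
function Get-SecureBootState {
    [CmdletBinding()]
    param()

    try {
        # $true  = Secure Boot is enabled
        # $false = firmware supports Secure Boot but it is currently disabled
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        if ($enabled) {
            $state = 'On'
            $note  = 'Disable before a boot drive transform; this is the expected state after re-enabling.'
        } else {
            $state = 'Off'
            $note  = 'Ready for a boot drive transform; re-enable afterwards if the firmware supports it.'
        }
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS boot mode, or firmware without Secure Boot support.
        $state = 'Unsupported'
        $note  = 'Not UEFI or not Secure Boot capable; this article does not apply.'
    }
    catch [System.UnauthorizedAccessException] {
        $state = 'Unknown'
        $note  = 'Access denied; rerun from an elevated (Administrator) prompt.'
    }
    catch {
        # Anything else: report the error text rather than guessing a state.
        $state = 'Unknown'
        $note  = $_.Exception.Message
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SecureBootState = $state
        Note            = $note
    }
}

Get-SecureBootState | Format-List
```

Run it once before the transform and again after the final reboot, so that a system left with Secure Boot off is noticed rather than assumed to be protected.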

Known BIOS Issues

ASUS ROG Crosshair VII Hero:
  • If you get the FuzeDrive logo but Windows won't boot, disable the ASUS Full screen logo (Go to Advanced (F7) > Boot > Boot Logo Display and set to "Disabled").
All MSI boards with Click BIOS 5:
  • If you've added the driver to the boot configuration as described in "Re-enabling Secure Boot" above, and you can't enter the BIOS, you will need to run RemoveDriver to enter the boot configuration.  A BIOS upgrade might fix this issue.  Even if you can enter the BIOS, on these boards, the "BBS Priorities" that are normally at the bottom of the Settings > Boot screen (under "Fixed Boot Order Priorities") are hidden when a driver has been added to the boot configuration, so you cannot move "Windows Boot Loader" to the top.  Additionally, when Secure Boot is on, and the boot process tries to load the Enmotus EFI shell, it will freeze rather than showing the Secure Boot violation screen as it does when you use boot override to manually boot to the shell.
  • If the boot process freezes after Secure Boot is enabled (unless you manually use F11 or the override boot menu in the BIOS to load Windows Boot Loader), then you will need to rename the shell \EFI\Boot\bootx64.efi files in one or both of the EnTier EFI System Partitions (usually FS0: and FS1:).  If one of the drives is NVMe (enter "map" at the shell prompt to list the device mappings), start with that one.  You can rename both if you've re-enabled Secure Boot as described above, but make sure you first create an EnTier UEFI rescue USB by formatting a USB drive as FAT or FAT32 and copying the contents of C:\Program Files\Enmotus\ECmd\UEFI to it, in case you need to change your hardware configuration.

Secure Boot BIOS Settings Examples
ASUS UEFI BIOS Utility:
  • Either go to Advanced (F7) > Boot > Secure Boot and set OS Type to "Other OS," or
  • Go to Key Management and "Clear Secure Boot Keys"

MSI Click BIOS 5:
Go to Advanced (F7) > Settings > Advanced > Windows OS Configuration and set Windows 10 WHQL Support to Disabled.


