Question: Is 'Secure Boot' Enabled or Disabled by Default?

May 1, 2023
I have an Asus B550-F motherboard, and after uninstalling Ryzen Master with RevoUninstaller, I noticed that PowerShell logs in Event Viewer stopped recording "Confirm-SecureBootUEFI" events (among others)

This got me concerned about whether or not Secure Boot was even enabled, so I checked System Information and saw the Secure Boot State was set to 'Off'. now I feel like I'm tripping over whether or not it has always said 'Off' or if it previously said 'On'


I went into Bios and switched the Secure Boot OS Type from 'Other OS' to 'Windows UEFI Mode', and now it says 'On' in System Information. however, I now have no way of knowing what it was set to before and it's driving me insane


I reset the Bios to see what the default setting is, and it seems that the default for Secure Boot on my Asus board is 'Other OS', which is the equivalent to Disabled. I've never touched the Secure Boot settings in my life until today so unless applications or the Bios can change it itself, it should've been set to this default setting for the duration of my PC's life. which means the Secure Boot State in System Info might've always been 'Off'


regardless, both of my friends have MSI motherboards and Secure Boot State is 'Off' for them. is Secure Boot just Disabled by default? can anyone else confirm this?

I disabled Secure Boot again to check if this brings up the "Your PC does not meet the requirements for Windows 11" message in Update Settings, but it does not. having Secure Boot disabled does not seem to make you ineligible, or at least it doesn't change the message


I have seen the green tick and the "Your PC can run Windows 11" message for the entire time I've had the computer
 
BIOS version for your motherboard at this moment of time? By default Secure Boot is disabled. You need to enable it after you install your OS, which is also the same for Fast boot, it's disabled by default.
forgot to add that; my Bios version is 2806


I just did a System Restore back to before I uninstalled Ryzen Master. I know restore points have no bearing on Bios settings but I figured I could test if uninstalling RM did actually alter the Secure Boot setting somehow


I made sure Secure Boot was enabled, did the System Restore, used RevoUninstaller to uninstall Ryzen Master again with an Advanced scan of the Registry and folders, then checked msinfo32 again


Secure Boot was still set to 'On'. so I might just be freaking myself out
 
additional note; I already had Fast Boot enabled, in fact when I reset my Bios, it remained active and enabled, so I guess Fast Boot is automatic on Asus boards


would it be best to keep Secure Boot enabled? when I reset my Bios, I clicked an option that said "Install the default Secure Boot keys". I've since disabled and reenabled Secure Boot a few more times and it's currently enabled


should I leave it that way?
 
it depends on BIOS version for the most part. For a long time it wasn't on by default.

Bios version 2407 says it added support for win 11. In a lot of cases that means it's enabled Secure Boot by default, as well as adding ftpm support. So since you're on 2806, it's probably on in your bios.

It's off on my PC, even though I am on 11 and it's meant to want it. Win 11 doesn't care if it's on or not, just that the PC can turn it on. I never enabled it.
 
weirdly it is not on by default in my Bios. it's currently enabled on Windows UEFI Mode because I manually set it that way, but when I checked earlier, and when I reset the Bios, Secure Boot was disabled


as mentioned, my friends also don't have it enabled by default in their Bios. but my Windows 11 MSI laptop DOES have it enabled; although it seems to have literally everything enabled...it's got Virtualization, Kernel DMA Protection, Hypervisor, etc. all set to 'On'
 
guess 2407 may have just added ftpm support that is not used in win 10.

Is it on now?

it might depend on age of the build and what is installed. My PC was win 10 and I upgraded to win 11, never actually clean installed win 11 yet as I haven't needed to. It might expect it on at that stage.

Win 11 laptops sold with win 11 on them probably have it on by default as it's better to be on than off.
 
Secure Boot is enabled to 'Windows UEFI Mode' and fTPM is enabled as well, yeah. my PC came with the TPM/fTPM settings enabled

my PC was made this year in February; the laptop is an upgrade from Windows 10 to 11, it wasn't a fresh Win11 device. but it still might've come with everything enabled for convenience, hard to say now since I got it back in 2020



I'm just frustrated I never had a screenshot of my System Summary before today to verify my Secure Boot State with 100% certainty

on the other hand, doing that System Restore and uninstalling Ryzen Master again didn't have any effect on the Secure Boot so I was probably tripping.

but the System Restore also triggered those PS Event Viewer logs again and uninstalling Ryzen Master didn't stop them like last time so that was sort of a mistake
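
An added example, not part of the original thread: one way to keep a dated record of the Secure Boot state instead of relying on a screenshot of System Information. It uses the Confirm-SecureBootUEFI cmdlet mentioned in the first post; the log path `C:\SecureBootBaseline` is a hypothetical location, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: append the current Secure Boot state to a CSV and warn if it
# differs from the previous record. Run from an elevated PowerShell prompt.
$logDir  = 'C:\SecureBootBaseline'          # hypothetical path, change as needed
$logFile = Join-Path $logDir 'secureboot-state.csv'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Confirm-SecureBootUEFI returns $true/$false on a UEFI boot. It throws on a
# legacy BIOS/CSM boot or without elevation, so record the error text instead.
try {
    $state = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
} catch {
    $state = "Error: $($_.Exception.Message)"
}

# SetupMode = 1 means no Platform Key is enrolled (keys cleared or never installed).
try {
    $setupMode = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0]
} catch {
    $setupMode = 'Unknown'
}

# Read the most recent record before appending the new one.
$previous = if (Test-Path $logFile) { Import-Csv $logFile | Select-Object -Last 1 }

$record = [pscustomobject]@{
    Timestamp   = (Get-Date).ToString('s')
    SecureBoot  = $state
    SetupMode   = "$setupMode"
    BiosVersion = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion
}
$record | Export-Csv -Path $logFile -Append -NoTypeInformation

# Flag any difference from the last recorded state, including a BIOS update,
# since a firmware update or a load of defaults can reset the setting.
if ($previous) {
    foreach ($field in 'SecureBoot', 'SetupMode', 'BiosVersion') {
        if ($previous.$field -ne $record.$field) {
            Write-Warning "$field changed: '$($previous.$field)' -> '$($record.$field)' (last record $($previous.Timestamp))"
        }
    }
}
$record
```

Running it from a scheduled task at logon builds a history, so a change after a CMOS reset or a load of optimized defaults shows up with a date next to it.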
 
Windows can't change bios settings. It can alter them while it's running but it can't change them in bios settings (Programs like armoury crate can change settings while they are running but the settings reset to what they are in bios when windows isn't running). So if you hadn't reset the BIOS at some stage, it would still be how it was.


OEM PC/laptops may have it enabled by maker, but most PCs with win 10 on them that are not OEM made, probably have it off. New Win 11 installs probably have it on. I think it is required on a clean install.
 
well my worst case scenario brain got worried that a rootkit had changed the Secure Boot settings, that's why I was so worried in the first place, even after doing several MalwareBytes Rootkit scans


I didn't perform the System Restore to try and roll back the Bios changes (if there were any), I might've made it sound like I did. I enabled Secure Boot manually, then did the System Restore to test if uninstalling Ryzen Master with RevoUninstaller actually did change the SecureBoot setting


After uninstalling RM for the second time, and rebooting the PC as well, Secure Boot State was still 'On' so I guess it probably didn't do anything the first time


I received my PC in February, installed Ryzen Master in late Feb, did a CMOS reset in May, and just recently Loaded Optimized Defaults today. that's sort of the timeline of my computer/Bios
 
while it's possible viruses can get into bios settings, it's not common. I haven't seen it happen yet (but that may not mean a lot) and I think it's unlikely to randomly happen.

it's possible to change the boot loader without entering bios, but I am not sure about how you would alter much more in there besides flashing an infected BIOS onto PC.
 
boot loader? underneath the Secure Boot and CSM options in the Boot tab, there is the option for a Boot Device. there's only 1 option though, which is my SSD


is that what you mean by boot loader? not sure what else that refers to, given I've usually only used Bios for fan curves and XMP so I'm pretty stupid in regards to anything else
 
it's software used to boot the PC.

GRUB is the boot loader used to load linux for instance
Windows Boot Manager is the windows one - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-options-in-windows

some UEFI systems will have a choice in the boot tab called Windows Boot Manager. It contains a list of the drives in PC that have windows on them. So in those PCs you don't choose the ssd as boot device.

Don't worry about it, I am probably giving too much info. If yours works now, it's not a problem.
 
understandable, if you say so; I only really know the aforementioned area in the Bios that says "Boot Device #1: Windows Boot Manager [my SSD] name" or something of the sort. and in System Configuration that shows "Windows 10: Default OS" under the Boot tab


thanks for the help
 
that is the boot loader for windows.
yeah that's what I thought; it's the only one I can select, which is how it should be. thanks again


editing the reply here; is it wise to keep Secure Boot on after pressing "Install the default Secure Boot keys"? when I reset the Bios settings, this was added in the Secure Boot Key section so I pressed it. seemed to 'load' for a second but it didn't appear to do much; when I restarted and went back into the Bios, the option was gone
 
in regards to your point about Version 2407 for my board's Bios supporting Windows 11 by default, you are correct


I asked the Windows 11 reddit out of curiosity and you don't need Secure Boot enabled, your board just needs to support the option.

so that's probably why it's still disabled by default even on Version 2806, while fTPM and TPM are automatically enabled


the Secure Boot FAQ on Asus' website also explicitly says the default is "Other OS" and that Other OS = Disabled. so that clears up that minor confusion, several days later
 