[SOLVED] Noob needs ELI5 on why secure boot says I'm no longer allowed to boot?

Mar 30, 2023
Context: I have two Samsung NVMe drives, one is a 980 Pro, and the other is a 970 Evo Plus. I've been using the 970EP for about a year as my main drive, but my board supports PCIe gen 4 (B550-F Gaming Wifi) and I wanted a bigger drive anyway, so I sprung for the fancy 980 Pro with a heatsink. I've installed it in the proper m.2 slot, and spent all day working to install all my various drivers as I'd opted to forgo my previous drive, and all of its contents (more on that in a moment). So, drivers, drivers, and more drivers were the theme of my day today. Everything went perfectly smoothly. It was a freshly installed Win11, and I got everything squared away. Zero issues.

Now, we come to the last thing I decided to do today. Wipe my previous drive using Samsung Magician software by creating a bootable USB via Secure Erase. In order to use this tool, I had to enable CSM in order to boot from the USB tool, select the drive (I'm certain I only selected the 970EV), and it only took about 40 seconds for the process to finish. I was like, "Wow! That was painless!" I'd thought that thought too soon, however. When I went back into BIOS, and disabled CSM I got a message about Secure Boot. Now, I have no idea what Secure Boot is, but I do understand Win11 seems to have brought on this regulation that drives be compliant to such a standard, whatever that standard is.

I ignored the message. I just went about my business. I didn't have any reason to believe my brand new, fresh Win11 install wasn't going to work perfectly that has been working fine all day. But lo and behold, no matter what I did it refused to allow me to boot from a PCIe slot card, and after reading the comment about Secure Boot I am to understand that for some reason my SSD didn't meet some such requirement to be considered a valid boot drive.

What I'd like to understand is WHY it wasn't considered a valid boot drive. It 100% guaranteed was using GPT and not MBR. I keep seeing that the drive most likely needed to be converted... Did enabling CSM magically convert my fresh Win11 install from GPT to MBR? The message suggests that I didn't have the secure keys(?) so I'm wondering how I can ensure my NVMe always has these keys available? I figured anything that the drive -needed- to boot it would already have, as I'd been using the drive since 8 am today.

I'm now somewhat jarred that I could spend almost 12 hours of installation hours, and 20Gb+ of steam/preferred program installs to randomly be told I'm no longer allowed to boot with my drive.... I know this fear is largely unfounded as I haven't had anything close to such an issue using the 970EV, and I'm certain I've caused this mix up somehow, but I'm struggling to understand how I caused this.

Thank you to anyone who read through all of this, and can provide insight into my noobish fiddling with technologies I clearly don't understand lol.


Edit: I reinstalled Win11 already, and am going about my routine driver installations. I'm going to pretend it didn't happen and trudge through. This post is more about WHY it happened in the first place, and how I can navigate Secure Boot requirements for the future.
 
Mar 30, 2023
you just had to go to bios security settings and reset/enroll platform keys there


I'm lost already... Thanks for your reply! I'm looking up how to do it so I don't step on my toes again in the future.

Edit: I see the error in my ways, but in the process I was having to google on my phone, making this more difficult. I didn't really know how to word my question, and the only answers I could find were about conversion from MBR to GPT. It was quite the frustrating task when I wasn't aware of the steps that I was missing in the first place. Amazing how one term (Platform Keys) being googled served me a demonstration of my exact situation in about 5 seconds.

Boy am I sad now.
 

DaleH

Mar 24, 2023
Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).
DaleH
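
The thread turns on three things: whether the boot disk is GPT, whether Windows was started through UEFI, and whether platform keys are enrolled. The check below reads all three from an elevated PowerShell session on a booted Windows install. It is an added example, not part of any post in this thread; `Get-SecureBootSummary` is a hypothetical helper name, while the cmdlets it calls are the built-in ones.

```powershell
# Added example: run in an elevated PowerShell session on Windows.
# Get-SecureBootSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-SecureBootSummary {
    $r = [ordered]@{
        BootDiskStyle = $null   # GPT or MBR, a property of the disk itself
        FirmwareMode  = $null
        SecureBoot    = $null
        SetupMode     = $null
        PlatformKey   = $null
        Note          = $null
    }

    # Partition style of the disk Windows booted from.
    $r.BootDiskStyle = (Get-Disk | Where-Object IsBoot | Select-Object -First 1).PartitionStyle

    try {
        # Returns $true or $false when Windows was started through UEFI.
        $r.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        # Thrown on a legacy BIOS/CSM boot or in a non-elevated session;
        # the message says which.
        $r.FirmwareMode = 'unknown'
        $r.Note = "Secure Boot state not readable: $($_.Exception.Message)"
        return [pscustomobject]$r
    }
    $r.FirmwareMode = 'UEFI'

    # SetupMode is a one-byte UEFI variable: 1 means no Platform Key is enrolled.
    $r.SetupMode = [bool](Get-SecureBootUEFI -Name SetupMode).Bytes[0]

    try {
        $null = Get-SecureBootUEFI -Name PK -ErrorAction Stop
        $r.PlatformKey = 'enrolled'
    } catch {
        $r.PlatformKey = 'missing'   # reading PK fails when the variable is not set
    }

    $r.Note = if ($r.SetupMode -or $r.PlatformKey -eq 'missing') {
        'No Platform Key: firmware is in Setup Mode and cannot enforce Secure Boot until keys are enrolled.'
    } elseif (-not $r.SecureBoot) {
        'Keys are enrolled but Secure Boot is switched off in firmware setup.'
    } else {
        'Secure Boot is active with a Platform Key enrolled.'
    }
    [pscustomobject]$r
}

Get-SecureBootSummary | Format-List
```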