[SOLVED] Question about secure boot and black screen - As seen on many forums

ravin_29

Mar 24, 2019
Hi,
This is a general query and is out of my curiosity. These days, after Windows 11 has been announced and has been available (Insider and now final), the internet is flooded with many users complaining that after they enable Secure Boot on their desktop PCs they get a black screen.

I have been trying to read all those posts and some even say that the situation does not change even after resetting CMOS. Some had to use another GPU to get back to BIOS.
I am wondering what's the tech explanation here.

I believe almost all desktop PC boards still come with Class 2 UEFI where CSM is still available. So Secure Boot is not a default option. So after resetting CMOS it should have reverted to Disabled. But users even had to switch GPU to get back to BIOS.

That makes me wonder what's the underlying reasoning for such behavior. Even a basic GPU like the GT710 is UEFI capable. So it or anything superior should still boot with UEFI and Secure Boot ON.
 
Oct 24, 2021
That's what I'm trying to find out the answer to as well. My Dell PC freezes at boot if I enable secure boot with an aftermarket MSI 6700XT plugged in. Dell says it is a driver signing issue. MSI don't understand the question and say it's a Dell motherboard issue. So I'm stuck. I wish Microsoft would help. Dell says it's because MSI haven't paid Microsoft for the driver certification and that's the best answer I have at the moment. It does not help that MSI support play dumb and have a translation issue with English questions.
 
I am wondering what's the tech explanation here.
What is Secure boot?

Secure boot is a security feature in the BIOS that basically tells it to refuse to boot to any device that doesn't have it signed by Microsoft.
It is, however, often disabled if you're having trouble booting to some devices or installing Linux to try to get a dual boot setup with Windows and Linux.

These days after Windows 11 has been announced and has been available (insider and now final) internet is flooded with many users complaining that after they enable secure boot on their desktop PCs they get black screen.

My hunch is that Microsoft hasn't signed Windows 11 yet with a key that will pass the Secure Boot of most motherboard BIOS in circulation right now.
Anyhow, disabling secure boot should then remedy the matter for Windows 11 in that regard.

As for what is CSM, here is a very good explanation of it
https://www.rodsbooks.com/efi-bootloaders/csm-good-bad-ugly.html

The CSM is a useful stop-gap tool, but it should not be over-used. Unfortunately, many in the Linux community have been doing just that—advice to activate the CSM as a routine part of Linux installation is common. (This advice is becoming less common as EFI support improves and as EFI knowledge spreads.) As you should understand if you've read this page, this advice leads to a lot of problems because people create mixed-mode installations that they must then repair with very little understanding of the nature of the problem.

My advice is therefore to use the CSM only when it's absolutely required or in single-boot configurations, and to avoid it in other situations. Specifically:

  • Do leave the CSM enabled if you're installing Linux to a computer that already uses the CSM to boot all its other OSes.
  • Do enable the CSM if you're installing Linux first but plan to install a BIOS-only OS such as DOS, Windows XP, OS/2, or BeOS.
  • Do enable the CSM if you need to boot a 32-bit Linux on a system with a 64-bit EFI or vice-versa; however, if you're multi-booting with an EFI-booting OS, you should reconsider. Running Linux in the EFI's native bit depth is usually preferable in such cases.
  • Do enable the CSM if you need BIOS support for a video card or some other plug-in card that does not have an EFI-mode firmware. Note that some computers will enable the CSM automatically if you install such a card.
  • Maybe enable the CSM if you plan to single-boot Linux. Native EFI-mode booting can be new and scary, which makes the CSM appealing; but sooner or later you'll need to learn about EFI.
  • Do not enable the CSM if your computer is already booting an EFI-mode OS. This includes the vast majority of computers that shipped with Windows 8 and later.
  • Do not enable the CSM if you plan to single-boot Linux in EFI mode; doing so will simply complicate the boot path and increase the odds that you'll have to fix your boot loader after installing the OS.
  • Do not enable the CSM if you're uncertain whether to do so. Try to install Linux with the CSM disabled. If you have problems, you might consider enabling the CSM then. In the meantime, it's generally less confusing to keep the system in an EFI-only boot mode.
  • Do not immediately enable the CSM at the first sign of trouble. Try using another program to create your boot medium or try disabling Secure Boot first. These actions overcome many boot-time problems.

It is basically for booting into a system with the older partition scheme, MBR.
Usually Windows 10 is installed as GPT, with UEFI boot mode enabled.

There are 2 partition schemes: MBR (Old) and GPT (New).

If you install Windows 10 with an installation media but booted it from the old legacy BIOS mode, it will install it as MBR partition scheme.
If you install Windows 10 with an installation media but booted it from UEFI, it will install it with the GPT partition scheme. There is no need to enable CSM because that will just make the boot process more complicated when CSM is activated (see Figure 2 in the link I gave).

*There are cases where you can boot Windows as MBR but still use GPT partition scheme or vice versa, but in my opinion it's clunky and can present some issues down the road. The system will still run fine though.

For modern systems, it is recommended to install the operating system as UEFI-GPT, since MBR is obsolete.
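
The MBR/GPT distinction in the answer above can be read directly from a disk's first two sectors, which is a useful check before turning the CSM off. The following is an added example, not part of the original thread; the function name, the constructed sample images and the 512-byte sector size are assumptions.

```python
import struct

SECTOR = 512  # assumed logical sector size

def partition_scheme(first_sectors: bytes, sector_size: int = SECTOR) -> str:
    """Classify a disk from LBA 0 and LBA 1: 'GPT', 'MBR', 'hybrid' or 'unknown'."""
    if len(first_sectors) < 2 * sector_size:
        raise ValueError("need at least LBA 0 and LBA 1")
    lba0 = first_sectors[:sector_size]
    lba1 = first_sectors[sector_size:2 * sector_size]
    # LBA 0 is a valid MBR only if it ends with the 0x55 0xAA boot signature.
    has_mbr = lba0[510:512] == b"\x55\xaa"
    # Four 16-byte partition entries start at offset 446; byte 4 of each is the type.
    types = [lba0[446 + 16 * i + 4] for i in range(4)] if has_mbr else []
    used = [t for t in types if t != 0x00]
    # A GPT header at LBA 1 starts with the ASCII signature "EFI PART".
    has_gpt = lba1[:8] == b"EFI PART"
    if has_gpt and used == [0xEE]:
        return "GPT"      # protective MBR only: what a UEFI-mode install creates
    if has_gpt and 0xEE in used:
        return "hybrid"   # GPT plus real MBR entries: a mixed setup
    if has_mbr and used and not has_gpt:
        return "MBR"      # legacy layout: boots through BIOS or the CSM
    return "unknown"

def _mbr(types):
    """Constructed sample: an LBA 0 carrying the given partition type bytes."""
    sec = bytearray(SECTOR)
    for i, t in enumerate(types):
        sec[446 + 16 * i + 4] = t
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def _gpt_header():
    """Constructed sample: an LBA 1 with only the GPT signature and revision 1.0."""
    return struct.pack("<8sI", b"EFI PART", 0x00010000).ljust(SECTOR, b"\x00")

# Constructed disk images (first two sectors only), not taken from real hardware.
SAMPLE_GPT = _mbr([0xEE]) + _gpt_header()
SAMPLE_MBR = _mbr([0x07]) + bytes(SECTOR)
SAMPLE_HYBRID = _mbr([0xEE, 0x07]) + _gpt_header()

if __name__ == "__main__":
    for name, img in [("gpt", SAMPLE_GPT), ("mbr", SAMPLE_MBR), ("hybrid", SAMPLE_HYBRID)]:
        print(name, "->", partition_scheme(img))
```

On a real machine the same function can be fed the first 1024 bytes of the raw disk device, read with administrator or root rights.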
 