Re-enable Secure Boot after secure boot violation

Frednav77

Apr 14, 2016
Hello,
After a Windows 7 update, I had a secure boot violation error message. After some quick research, I found out you have to disable secure boot in the motherboard BIOS.
On the Asus Z97, the "secure boot state" option was greyed out and showing only enabled. To disable it, I figured out I could go to "key management" and "clear secure boot keys". The secure state boot is now disabled and the computer starts normally.
I believe I have removed the update that is causing the violation, so I want to re-enable secure boot. I don't want to keep secure boot disabled.
How do I do it? Do I just "install default secure boot keys"? Will it work and keep my computer the way it was before, with all the programs, documents, etc.? I am concerned I might make things worse and lose everything.
I never saved/backed up the previous keys (was not aware of it) as is suggested in some guides, so maybe I have messed it up.

Thanks for your help.
 
1| You should always have your critical files/data on a secondary HDD or drive for scenarios like the one you've explained. You should assign your default profile folder on a drive outside of C: / Follow this guide on doing so.
2| You didn't mention your full system's specs apart from your OS.
3| I'd suggest that you back up all your data now, and then reinstall Windows 7 but doing so with AHCI enabled and if the update does come up with the secure boot option enabled but greyed out, I'd ask you to reinstall your OS.

You may benefit from further reading.
 
Secure boot has nothing to do with your personal files and does not affect them in any way.

All secure boot does is require that your bootloader be signed by Microsoft. You do NOT need secure boot and it doesn't actually make your computer more secure. It was pretty much designed as one of the ways to stop people pirating Windows. The excuse was malware overwriting your bootloader, which would require extremely targeted and very uncommon malware to actually achieve.

People might argue against this but seriously, has there ever even been one widespread bootloader-based malware infection in the past 15 years? It's well known that Windows 7 was cracked using a bootloader which modified memory contents before calling the real Windows boot loader, tricking Windows into thinking it was installed on an OEM-licensed motherboard. Then secure boot appears...

tl;dr: leave it disabled, it's stupid
 
I'm sorry Lutfij, but I have to tear this reply to shreds. With all due respect, you don't appear to know what you're talking about, and your advice should not be followed at all by the original poster.




A secondary HDD is a drive. Most people do not have a second HDD. Backups are good, but for this user's particular case, going through the trouble of backing everything up is wasted time and not at all required. This isn't to say he should never back his data up, but this is not a reason to do so.



This is not something that a normal user should ever do and will cause many problems, and doesn't actually solve anything.

For example: A normal user will find his files have vanished after doing something like upgrading from Windows 7 to Windows 10 despite the upgrade wizard assuring him of his files being kept intact, without knowing that the upgrade process ignores the modifications made from the guide you linked. Microsoft also does not recommend you modify the registry in such a way due to exactly the example situation I gave.



He has a UEFI-based motherboard with secure boot. He asked if the "install default secure boot keys" option will restore the keys he removed. Nothing about his OS or his system specs matters. The only thing spec-wise that would matter is if he installed in Legacy BIOS mode or UEFI mode, and judging by his question, he wouldn't know which, and the effort required to find that out isn't needed anyway. His computer works without secure boot, and if it doesn't boot with secure boot, he can turn it back off and follow the philosophy of: Don't fix something that ain't broke.

@OP By the way, yes that option will restore the keys. They are included in the BIOS and cannot be deleted unless you modify your BIOS manually. So you'll always be able to remove/restore them whenever you want.



Are you serious? AHCI mode has NOTHING to do with secure boot.

Every single time you suggest that a user reinstall their OS, you're advising them to potentially lose all of their data. Even when you tell them to back it up first. I've been in the field for years, and many times I've had users back up their data, go to reinstall Windows, have something they can't handle go wrong, and end up losing everything.

Maybe you meant UEFI mode, which if secure boot was not working before, strongly suggests that this OS is installed in Legacy mode. To go from Legacy to UEFI mode requires the partition table of the hard drive to be changed completely. Unless you know very precisely what that means and what you're doing, you will have to fully format the hard drive to change that. Which means losing everything on it to most users.



This is probably the only thing you said that I can agree with,