2

I wanted to upgrade to Windows 11 on my machine which worked perfectly up until now, so I checked the requirements and saw that I needed to enable Secure Boot in order to do so.

Since I have a Gigabyte motherboard (Z370 HD3P to be exact) I needed to first disable CSM, then restarted to apply the changes and when I tried to enable Secure Boot I got a message saying "Secure Boot can be enabled when Platform is in User Mode. Repeat operation after enrolling Platform Key (PM)."

So I went to the Key Management section, then clicked "Platform Key" and chose "update" since that was my only option. Now I was able to enable Secure Boot, however after I hit "save and restart", my PC wasn't able to boot anymore, and instead it made 5 beeping noises and stayed on, but without displaying anything, not even the Gigabyte logo, or the BIOS.

I tried to remove the motherboard battery for one hour, I tried to connect the CLR_CMOS pins together, I tried to use a VGA cable directly to the motherboard instead of my GPU (RTX 2060 SUPER) but nothing worked.

Then, when I tried to disconnect the GPU entirely, the PC did boot normally without making the beeping sounds and it did allow me to go to the BIOS and disable the Secure Boot again, so I could reconnect the GPU and still boot.

However, I did want to enable Secure Boot, so I tried to replace the Initial Display Output in the BIOS, from PCIE-SLOT1 (which is the slot my GPU use), to IGFX and it did allow me to boot even while connecting the GPU and having Secure Boot enabled and without needing to even update the Platform Key, but that's still not the solution I'm looking for.

My BIOS is updated to version 13, and my GPU driver is updated to the latest version, so I have no clue what could cause this issue.

Thanks in advanced

Improve this question
3
  • The GPU is likely a red herring and the reason you don't get a display is because your firmware expects to hand over to an OS pretty damn quick. Enabling secure boot means disabling the CSM, which in turn means that your boot disk needs to be GPT. If you installed Windows with the CSM enabled then you have an MBR partitioned disk and your firmware cannot boot it without the CSM. Likely you have a variation of this and per my comment there you will have to convert your disk to GPT and set up your system as a "true" UEFI system.
    – Mokubai
    Commented Oct 5, 2021 at 20:09
  • 1
    Does this answer your question? Secure Boot / UEIF / WIndows 11
    – Ramhound
    Commented Oct 5, 2021 at 21:59
  • I'd like to add my experience to your question, in my system there isn't any integrated graphics card so after following the steps you described, simply I'm unable to boot at all, and the only option Gigabyte left me as is to pay RMA or entirely replace the motherboard, which probably I'll do replacing it for an ASUS, MSI or any other competent brand. I own an Aorus b450 i pro wifi, updated to the last current firmware before I did the change (F63c). First time in 30 years that I see a PC completely unable to boot, not even reseting the CMOS.
    – Rubén Gómez
    Commented Aug 23, 2022 at 7:38

3 Answers 3

Reset to default
1

I noticed this problem too, on AMD platforms as well. All motherboards where it occurs are by Gigabyte (coincidence?) too. Still found no solution but to keep a Secure Boot disabled. It is unlikely there is any relation to GPT/disk, since it fails on POST somewhere prior to disk init.

Because those GPU's were pretty old, i did suspect a Secure Boot might require something they don't have... But since you experience the same problem with modern GPU, then it is unlikely the case.

It is highly likely the problem is up to IME/PSP (these "security" subsystems already brought a lot of another problems before). Maybe it is necessary to perform some manipulations with its security keys... I'll keep looking for a solution...

Improve this answer
4
  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Jan 30, 2022 at 6:13
  • Let me know if you find anything :)
    – Argaman
    Commented Jan 30, 2022 at 8:25
  • Yes, i will let you know if a solution or any related useful information is found.
    – Angie
    Commented Jan 30, 2022 at 10:06
  • This does not really answer the question. If you have a different question, you can ask it by clicking Ask Question. To get notified when this question gets new answers, you can follow this question. Once you have enough reputation, you can also add a bounty to draw more attention to this question. - From Review
    – DarkDiamond
    Commented Jan 30, 2022 at 10:55
0

Steps to fix :

  • Disconnect GPU
  • Go to Bios
  • Disable Secureboot
  • Let PC load
  • Shutdown
  • Connect GPU
  • Power On
Improve this answer
2
  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Jul 28, 2022 at 23:43
  • This "worked" in terms of getting the computer to boot properly again, but it doesn't fix the issue of getting Secure Boot to work
    – jnunn
    Commented Oct 8, 2022 at 16:31
0

The system may be in enforcing mode and no longer in "user" mode after installing a Platform Key, but you can't boot without installing a "db" key and a complete system would have a "KEK" (Key Exchange Key) also enrolled. The "db" keychain is the one with the keys used for actually verifying bootloaders.

Normally what you want is to restore the default keys for secure boot which will put the system into the situation Microsoft expects (Gigabyte's key for the PK, and Microsoft's in the KEK and db). I don't know what option does that but that's what you should look for. installing individual keys is usually for taking ownership of the system which is really only practical on customized Linux distros.

You might be able to get ahold of the certs or "auth"s for the default keys and install yourself, but that's something you should avoid if you don't know what you're doing.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .