0

motherboard: ASUS ROG STRIX X570-E GAMING Rev X.0x

I successfully enabled secure boot and installed Windows 11. Because of issues I decided to go back to Windows 10 and experiment on another machine. After resolving issues I want to install Windows 11 again.

A small partition existed other than the System Reserved partition without any type, name, or description, so I deleted it. My machine then would not boot. I used a tool to repair booting. It seemed after research that the partition I deleted was the EFI partition containing secure boot keys. I then followed instructions for creating the EFI partition with diskpart. I gave it 500 MB. Now it plainly says "EFI System Partition" when I view the disk with Windows Disk Management.

I went into the BIOS, deleted the secure boot keys, and created them again by clicking "create default keys". Launch CSM is enabled. Boot Device Control has "UEFI and legacy OPROM". If I set it to "UEFI only", no disks show in the list of bootable devices and it will not boot. It was set to "UEFI and legacy OPROM" when secure boot was previously working. If I insert a Windows install USB and set to "UEFI only" it will list the USB as bootable, so that confirms the disk does not have a UEFI attribute.

When I display disk information it says it's GPT, not MBR. The conversion tool does not give the convert option, so I'm sure it's GPT. I did however use the boot repair tool, but that was before I created the EFI partition and it may not have done everything needed.

The machine boots. The System Information screen says the Bios Mode is legacy.

What can I do to reenable secure boot again? I do not want to do a clean install.

1
  • 1
    The Secure Boot keys are not stored on the EFI partition. Secure Boot keys required to boot Windows are stored in the firmware. The reason the boot mode is Legacy is due to the fact you enabled CSM and are using MBR instead of GPT.
    – Ramhound
    Commented Oct 10, 2021 at 0:01

2 Answers 2

1

You seem to have created the EFI partition, but that is only the first part of the job. You have to format it (FAT) if this is not done, then recreate the Windows boot loader.

With diskpart, you type sel disk 0 to select your disk, list vol to show the volumes, then sel vol n to select the nth volume, assign letter=G: to assign a letter, and exit to exit diskpart.

cd /d G:\EFI\Microsoft\Boot\

Then bootrec /fixboot. Should do the job.

On recent versions of Windows 10, a permission denied is claimed… try with bcdboot /s G: /f UEFI

0

I found the following site with excellent step by step instructions: http://woshub.com/how-to-repair-deleted-efi-partition-in-windows-7/

I booted to a Windows 10 install USB to resolve the issue. The instructions said to completely delete the MSR and EFI partitions, recreate in the correct order which is EFI first then MSR, format properly, and create a boot record. My first attempt worked, but Windows 11 would not install saying "windows can't be installed because this pc has an unsupported disk layout for uefi firmware". Somehow the EFI partition ended up only 16k in size, not the 100 meg it should have. Windows would boot and boot in secure mode, but I needed to redo.

I tried running diskpart from a command window in the running OS, but it would not let me delete the MSR partition which was active. So I booted to a Windows 10 install USB, invoked diskpart, and deleted the two partitions made previously. Then I did the following commands found at http://woshub.com/how-to-rebuild-bcd-file-in-windows-10/:

  • bootrec /fixmbr
  • bootsect.exe /nt60 all /force

This created an MBR disk. In the BIOS I ensured the BIOS showed UEFI/legacy so it would boot with either, then attempted to boot and it booted successfully. I used an MBR to GPT conversion utility, converted to GPT, and rebooted. So, having an active OS I opened http://woshub.com/how-to-repair-deleted-efi-partition-in-windows-7/ again, copied and pasted the commands from the browser into the command window. The commands worked perfectly. I rebooted again and System Information showed Bios Mode UEFI. I set the BIOS to UEFI only and rebooted to confirm, and yes, it still booted and showed UEFI. While typing this I invoked the Windows 11 install and it passed the PC check.
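
A read-only check of the conditions this thread turns on (firmware boot mode, partition style, EFI System Partition type, size and file system, Secure Boot state), added here as an example and not part of either answer. It assumes an elevated PowerShell session on the installed Windows; the function name is hypothetical and the 100 MB threshold is the size the second answer says the partition should have.

```powershell
# Added example (not from the thread). Read-only; run in an elevated PowerShell.
$EspType    = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'  # EFI System Partition type GUID
$MinEspSize = 100MB   # assumption: size the second answer says the ESP should have

function Test-UefiBootLayout {   # hypothetical helper name
    $findings = @()

    # 1. How did the firmware start this session? (System Information: "BIOS Mode")
    $mode = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    if ("$mode" -ne 'Uefi') { $findings += "Booted in $mode mode; Secure Boot needs a UEFI boot." }

    # 2. Partition style of the disk that holds Windows.
    $disk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    if ($disk.PartitionStyle -ne 'GPT') {
        $findings += "Disk $($disk.Number) is $($disk.PartitionStyle), not GPT."
    }

    # 3. The ESP must carry the ESP type GUID, be large enough, and be FAT32.
    $esp = Get-Partition -DiskNumber $disk.Number |
        Where-Object GptType -eq $EspType | Select-Object -First 1
    if (-not $esp) {
        $findings += 'No partition with the EFI System Partition type GUID.'
    } else {
        if ($esp.Size -lt $MinEspSize) {
            $findings += "ESP is only $([math]::Round($esp.Size / 1MB, 2)) MB."
        }
        $vol = $esp | Get-Volume -ErrorAction SilentlyContinue
        if ($vol.FileSystem -ne 'FAT32') {
            $findings += "ESP file system is '$($vol.FileSystem)', expected FAT32."
        }
    }

    # 4. Secure Boot state; the cmdlet throws on legacy boot or without elevation.
    try {
        if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) {
            $findings += 'Secure Boot is supported but disabled.'
        }
    } catch {
        $findings += "Secure Boot state unavailable: $($_.Exception.Message)"
    }

    if ($findings) { $findings } else { 'UEFI boot, GPT disk, valid ESP, Secure Boot on.' }
}

Test-UefiBootLayout
```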
