Caution updating Win7 if you have an ASUS motherboard and get a “Secure Boot Violation” warning

Topic

New Reply

Poster @Charlie has questions about ASUS motherboards and the August Win7 Monthly Rollup: I was all set to go ahead with the August Updates when I rea
[See the full post at: Caution updating Win7 if you have an ASUS motherboard and get a “Secure Boot Violation” warning]

3 users thanked author for this post.

Chessie, Sinclair, geekdom

Reply | Quote

Replies

[Ascaris]

My Acer Swift, a newer device that came with Windows 10 preinstalled (and therefore it must support secure boot, per Microsoft licensing requirements) will accept any bootloader signed by Microsoft’s trusted key, but it also has an option for the user to mark any EFI bootloader as “safe,” which allows secure boot to be enabled (and useful) even if that OS doesn’t itself support secure boot, as long as it supports UEFI booting.  I imagine that what it does is takes a hash of the bootloader at the moment it is marked as safe by the user, and if it changes, it alerts the user in the same way that it would if the hash changed on a signed image (the signature becomes invalid once the hash no longer matches the hash at the time of signing).  It’s doing the same thing, essentially, through slightly different means.  Instead of the reference hash being part of the bootloader signature put there by Microsoft, it’s stored in non-volatile memory in the UEFI settings.  Otherwise, the same thing happens; at each boot, the UEFI firmware compares the bootloader to the hash, and if it is not the same, it issues the warning.

I would imagine that this is approximately what is happening in the Asus models in question.  It looks like the update has changed the bootloader, and since it is not possible for Microsoft to certify the change as they would if the OS supported secure boot (by signing the new bootloader), it would be necessary to go into the UEFI and mark the new bootloader as safe manually.

Normally it would be a cause for alarm to see that the bootloader had changed, and you would not want to just go in there and mark the new one as safe, since the change could be the result of malicious action.  In this case, though, we know it was a Windows update, so it would be safe to mark the new bootloader as safe and proceed.

Edit: I just went and read the Asus directions to fix the issue.  It involves clearing the platform key state, but not switching off secure boot.  I am not completely certain on this, but I think that’s doing just what I descrived above… it is deleting the old hash (platform key, apparently), and the next time the system boots, I am guessing it will generate a new platform key for the new bootloader.

It’s quite evident why the signed bootloader method employed by Microsoft starting with Windows (and also employed by major Linux distros) is preferred.  The average user could be quite alarmed by this, and they may not have the resources to find out how to fix it once it’s broken.  On the other hand, it does allow secure booting Windows 7, so there’s that…

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

• This reply was modified 5 years, 8 months ago by Ascaris.

Reply | Quote

How to identify your motherboard:
https://www.wikihow.com/Identify-the-Motherboard

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

3 users thanked author for this post.

Chessie, Ricard, pmcjr6142

Reply | Quote

geekdom wrote:

How to identify your motherboard:
https://www.wikihow.com/Identify-the-Motherboard

Geekdom….thank you.  I was about to post “who the heck knows what kind of mother board they have”.  Turns out my Dell PC has a Dell motherboard, but I didn’t know if that would necessarily be the case.

iPhone 13, 2019 iMac(SSD)

1 user thanked author for this post.

geekdom

Reply | Quote

What has suddenly changed in August update for the bug to appear in Windows 7 after 10 years ?

Reply | Quote

We have reached the point where in order to continue to use Windows Update you need to have updates installed that support SHA-2 encryption.  Some have come in earlier months, and this month (Aug.) it is KB4474419. This shouldn’t be a problem but it seems that you need to have KB3133977 already installed for it to work. Therein lies the problem with updating this month especially for people with ASUS motherboards.

Being 20 something in the 70's was far more fun than being 70 something in the insane 20's

Reply | Quote

I wonder. If on Asus or any other computer, if one configures the BIOS to not use secure boot, then would Windows boot just fine?

Reply | Quote

Hi there,

I have a Asus Motherboard (Z87-Deluxe).

Also have KB3133977 installed. I am not getting the boot message that is bring referred to.

Checked the BIOS as per Asus article and the Motherboard does have secure boot enabled.

On the basis of “if it ain’t broke don’t fix it” in your learned opinion should I follow the steps in the ASUS article or wait until I get a “Secure Boot Violation” message ?

Very much appreciate your advice.

Cheers

bagman

Reply | Quote

Backup.
Check backup.
Take a picture of the BIOS settings.
Follow the steps in the ASUS article.
Report the outcome here. 🙂

cheers, Paul

Reply | Quote

If you already have KB3133977 installed, you should not worry and just go about August updating as usual. You’ve already passed the hurdle.

Reply | Quote

PKCano:  I am Win 7 x64 Group A.  I have an ASUS K61IC laptop  (about 2011 vintage).

I’ve had KB 3133977 installed since 03/2017 and have successfully installed KB 4490628 (03/2019) and the updated 08/2019 version of KB 4474419. 

PKCano wrote:

If you already have KB3133977 installed, you should not worry and just go about August updating as usual. You’ve already passed the hurdle.

Am I clear to install KB 4512506, which I have ‘hidden’ at the moment?

Appreciate your advice.

Geoff B

 

Reply | Quote

You should be able to install KB4512506 through Windows Update. Don’t panic if it takes a while to install. Let it finish.

Reply | Quote

PKCano:  thanks for the advice.  i’ll do a fresh full backup then plunge ahead.

 

GeoffB

Reply | Quote

I’ve checked my ASUS BIOS and the BIOS section of the ASUS mobo instruction manual and didn’t see or find any reference to the Secure Boot as indicated in the ASUS article.  I’m thinking that I’m okay to go ahead with the S.O. updates and start with KB3133977.

I feel like I’m doing the right thing as the next bunch of “stuff” for Sept. is coming in and I want to clear out the August stuff.  I really don’t like this feeling of being a guinea pig, but it’s par for the course.

Any comments are very welcome, even if they’re just “good luck”.

Being 20 something in the 70's was far more fun than being 70 something in the insane 20's

Reply | Quote

https://support.microsoft.com/en-us/help/4474419/sha-2-code-signing-support-update

This security update was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

Susan Bradley Patch Lady/Prudent patcher

3 users thanked author for this post.

Sinclair, GeoffB, samak

Reply | Quote

Susan:  just caught your update regarding SHA-2.  So, I’ll do a full backup, then download & install KB4474419, wait and then (finally) KB 4512506.

regards

GeoffB

Reply | Quote