Caution updating Win7 if you have an ASUS motherboard and get a “Secure Boot Violation” warning

    #1942034

      woody
      Da Boss

      Poster @charlie has questions about ASUS motherboards and the August Win7 Monthly Rollup: I was all set to go ahead with the August Updates when I rea
      [See the full post at: Caution updating Win7 if you have an ASUS motherboard and get a “Secure Boot Violation” warning]

    #1942232

      Ascaris
      AskWoody_MVP

      My Acer Swift, a newer device that came with Windows 10 preinstalled (and therefore it must support secure boot, per Microsoft licensing requirements) will accept any bootloader signed by Microsoft’s trusted key, but it also has an option for the user to mark any EFI bootloader as “safe,” which allows secure boot to be enabled (and useful) even if that OS doesn’t itself support secure boot, as long as it supports UEFI booting.  I imagine that what it does is take a hash of the bootloader at the moment it is marked as safe by the user, and if it changes, it alerts the user in the same way that it would if the hash changed on a signed image (the signature becomes invalid once the hash no longer matches the hash at the time of signing).  It’s doing the same thing, essentially, through slightly different means.  Instead of the reference hash being part of the bootloader signature put there by Microsoft, it’s stored in non-volatile memory in the UEFI settings.  Otherwise, the same thing happens; at each boot, the UEFI firmware compares the bootloader to the hash, and if it is not the same, it issues the warning.

      I would imagine that this is approximately what is happening in the Asus models in question.  It looks like the update has changed the bootloader, and since it is not possible for Microsoft to certify the change as they would if the OS supported secure boot (by signing the new bootloader), it would be necessary to go into the UEFI and mark the new bootloader as safe manually.

      Normally it would be a cause for alarm to see that the bootloader had changed, and you would not want to just go in there and mark the new one as safe, since the change could be the result of malicious action.  In this case, though, we know it was a Windows update, so it would be safe to mark the new bootloader as safe and proceed.

      Edit: I just went and read the Asus directions to fix the issue.  It involves clearing the platform key state, but not switching off secure boot.  I am not completely certain on this, but I think that’s doing just what I described above… it is deleting the old hash (platform key, apparently), and the next time the system boots, I am guessing it will generate a new platform key for the new bootloader.

      It’s quite evident why the signed bootloader method employed by Microsoft starting with Windows (and also employed by major Linux distros) is preferred.  The average user could be quite alarmed by this, and they may not have the resources to find out how to fix it once it’s broken.  On the other hand, it does allow secure booting Windows 7, so there’s that…

      Group "L" (KDE Neon User Edition 5.16.5).

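The distinction the post above draws, a firmware that remembers the hash of one exact bootloader versus a firmware that trusts a signer's key and lets the vendor re-sign each new build, is played out below in a small model. This is an added example written for this page; it is not code from the thread, from ASUS or from Microsoft. Everything in it is constructed: the "boot images" are short byte strings hashed whole (real firmware hashes the PE image's Authenticode regions), a freshly generated RSA key stands in for the signer certificate a real db carries, and `MarkSafe` stands in for the "mark as safe" firmware-menu option the post describes. The model keeps the enrolled hash in db alongside the signer keys, which is where UEFI stores such entries, and checks dbx first.

```go
// Added example (not AskWoody, ASUS or Microsoft code): a model of the UEFI
// Secure Boot decision described in the post; see the lead-in for assumptions.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage is a boot image plus the vendor's signature (nil if unsigned).
type SignedImage struct {
	Image     []byte
	Signature []byte // RSA PKCS#1 v1.5 over SHA-256(Image)
}

// Firmware holds the Secure Boot variables that matter here: db carries both
// signer keys and user-enrolled image hashes, dbx carries forbidden hashes.
type Firmware struct {
	trustedKeys    []*rsa.PublicKey  // X.509 certificates in db, in reality
	enrolledHashes map[[32]byte]bool // "mark as safe" entries in db
	forbidden      map[[32]byte]bool // dbx
}

// MarkSafe is the firmware-menu action: remember the hash of the loader on disk.
func (f *Firmware) MarkSafe(img []byte) { f.enrolledHashes[sha256.Sum256(img)] = true }

// Revoke puts an image hash in dbx, which overrides every allow rule.
func (f *Firmware) Revoke(img []byte) { f.forbidden[sha256.Sum256(img)] = true }

// Verify is the check run at every boot.
func (f *Firmware) Verify(s SignedImage) error {
	h := sha256.Sum256(s.Image)
	if f.forbidden[h] {
		return errors.New("Secure Boot Violation: image hash is in dbx")
	}
	if f.enrolledHashes[h] {
		return nil // the user enrolled exactly this image
	}
	for _, k := range f.trustedKeys {
		if s.Signature != nil && rsa.VerifyPKCS1v15(k, crypto.SHA256, h[:], s.Signature) == nil {
			return nil // signed by a key the firmware trusts
		}
	}
	return errors.New("Secure Boot Violation: invalid signature detected")
}

// sign is what the OS vendor does for every build of its boot manager.
func sign(key *rsa.PrivateKey, img []byte) SignedImage {
	h := sha256.Sum256(img)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err) // only reachable with a malformed key
	}
	return SignedImage{Image: img, Signature: sig}
}

// RunScenario plays out the cases from the post on one firmware; each entry is
// one boot attempt and the value says whether the firmware allowed it.
func RunScenario() (map[string]bool, error) {
	vendorKey, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the vendor CA
	if err != nil {
		return nil, err
	}
	fw := &Firmware{
		trustedKeys:    []*rsa.PublicKey{&vendorKey.PublicKey},
		enrolledHashes: map[[32]byte]bool{},
		forbidden:      map[[32]byte]bool{},
	}
	r := map[string]bool{}

	// Hash path: a loader the firmware has no signer for (the Windows 7 case).
	v1 := SignedImage{Image: []byte("constructed unsigned loader v1")}
	v2 := SignedImage{Image: []byte("constructed unsigned loader v2, after update")}
	r["unsigned, never enrolled"] = fw.Verify(v1) == nil
	fw.MarkSafe(v1.Image)
	r["unsigned, enrolled"] = fw.Verify(v1) == nil
	r["unsigned, updated (stale hash)"] = fw.Verify(v2) == nil
	fw.MarkSafe(v2.Image)
	r["unsigned, re-enrolled"] = fw.Verify(v2) == nil

	// Signature path: the vendor re-signs every build, so the firmware needs
	// only the vendor key, not the hash of any particular build.
	s1 := sign(vendorKey, []byte("constructed signed loader v1"))
	s2 := sign(vendorKey, []byte("constructed signed loader v2, after update"))
	r["signed v1"] = fw.Verify(s1) == nil
	r["signed v2, no user action"] = fw.Verify(s2) == nil
	tampered := SignedImage{Image: append([]byte(nil), s2.Image...), Signature: s2.Signature}
	tampered.Image[0] ^= 0x01 // one byte changed after signing
	r["signed v2, tampered"] = fw.Verify(tampered) == nil
	fw.Revoke(s1.Image)
	r["signed v1, revoked in dbx"] = fw.Verify(s1) == nil
	return r, nil
}

func main() { fmt.Println(RunScenario()) }
```

The two halves of the scenario show why the updated bootloader trips the hash-enrolled firmware but not the signed path: the enrolled hash pins one exact file, so any legitimate update looks the same as tampering until the user re-enrols, whereas the signed loader is accepted because the firmware trusts the signer, not the build. The dbx entry at the end is the part a practitioner should not forget when reasoning about "just mark it safe": a revoked hash is refused regardless of enrolment or signature, which is the mechanism that makes it safe to keep Secure Boot on at all.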
    #1942288

      geekdom
      AskWoody Plus

      How to identify your motherboard:
      https://www.wikihow.com/Identify-the-Motherboard

      Group G{ot backup} TestBeta
      Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
    #1943536

      pmcjr6142
      AskWoody Lounger

      How to identify your motherboard:
      https://www.wikihow.com/Identify-the-Motherboard

      Geekdom… thank you.  I was about to post “who the heck knows what kind of motherboard they have”.  Turns out my Dell PC has a Dell motherboard, but I didn’t know if that would necessarily be the case.

    #1943672

      Alex5723
      AskWoody Plus

      What has suddenly changed in the August update for the bug to appear in Windows 7 after 10 years?

      #1943688

        Charlie
        AskWoody Plus

        We have reached the point where in order to continue to use Windows Update you need to have updates installed that support SHA-2 encryption.  Some have come in earlier months, and this month (Aug.) it is KB4474419. This shouldn’t be a problem but it seems that you need to have KB3133977 already installed for it to work. Therein lies the problem with updating this month especially for people with ASUS motherboards.

        Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Groups B & L

    #1944097

      GoneToPlaid
      AskWoody Plus

      I wonder: if, on ASUS or any other computer, one configures the BIOS not to use secure boot, would Windows boot just fine?

    #1944190

      bagman
      AskWoody Plus

      Hi there,

      I have an ASUS motherboard (Z87-Deluxe).

      Also have KB3133977 installed. I am not getting the boot message that is being referred to.

      Checked the BIOS as per Asus article and the Motherboard does have secure boot enabled.

      On the basis of “if it ain’t broke, don’t fix it”, in your learned opinion should I follow the steps in the ASUS article or wait until I get a “Secure Boot Violation” message?

      Very much appreciate your advice.

      Cheers

      bagman

      #1944743

        Paul T
        AskWoody MVP

        Backup.
        Check backup.
        Take a picture of the BIOS settings.
        Follow the steps in the ASUS article.
        Report the outcome here. 🙂

        cheers, Paul

      #1944747

        PKCano
        Da Boss

        If you already have KB3133977 installed, you should not worry and just go about August updating as usual. You’ve already passed the hurdle.

        #1946215

          GeoffB
          AskWoody Lounger

          PKCano:  I am Win 7 x64 Group A.  I have an ASUS K61IC laptop (about 2011 vintage).

          I’ve had KB 3133977 installed since 03/2017 and have successfully installed KB 4490628 (03/2019) and the updated 08/2019 version of KB 4474419. 

          If you already have KB3133977 installed, you should not worry and just go about August updating as usual. You’ve already passed the hurdle.

          Am I clear to install KB 4512506, which I have ‘hidden’ at the moment?

          Appreciate your advice.

          Geoff B


          #1946301

            PKCano
            Da Boss

            You should be able to install KB4512506 through Windows Update. Don’t panic if it takes a while to install. Let it finish.

            #1947246

              GeoffB
              AskWoody Lounger

              PKCano:  thanks for the advice.  I’ll do a fresh full backup then plunge ahead.


              GeoffB

    #1945380

      Charlie
      AskWoody Plus

      I’ve checked my ASUS BIOS and the BIOS section of the ASUS mobo instruction manual and didn’t see or find any reference to the Secure Boot as indicated in the ASUS article.  I’m thinking that I’m okay to go ahead with the S.O. updates and start with KB3133977.

      I feel like I’m doing the right thing as the next bunch of “stuff” for Sept. is coming in and I want to clear out the August stuff.  I really don’t like this feeling of being a guinea pig, but it’s par for the course.

      Any comments are very welcome, even if they’re just “good luck”.

      Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Groups B & L

    #1946983

      Susan Bradley
      AskWoody MVP

      https://support.microsoft.com/en-us/help/4474419/sha-2-code-signing-support-update

      This security update was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

      Susan Bradley Patch Lady

      #1947308

        GeoffB
        AskWoody Lounger

        Susan:  just caught your update regarding SHA-2.  So, I’ll do a full backup, then download & install KB4474419, wait and then (finally) KB 4512506.

        regards

        GeoffB
