Matrix42 Self-Service Help Center

Computer does not boot with Secure Boot enabled

ID: 1732837
Language: DE, EN
Components: EgoSecure Full Disk Encryption
Operating system: Windows

Summary

Computers encrypted with the EgoSecure FDE no longer boot with Secure Boot enabled.

Cause

When Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify that it has not been modified. Microsoft uses two certificates for signing bootloaders: one is used exclusively for signing original Microsoft bootloaders. For non-Microsoft bootloaders, for example those of other operating systems such as Linux and also that of the EgoSecure FDE, Microsoft offers a service that analyzes them and signs them with a certificate called "Microsoft 3rd Party UEFI CA".

Hardware manufacturers were previously free to decide whether their respective UEFI implementation trusted this second certificate by default. Almost every computer on the market trusted it until 2022. Then Microsoft introduced the Secured Core PC certification for computers. Manufacturers who want to use this certification must meet several requirements, one of them being that the trust chain of the above-mentioned "Microsoft 3rd Party UEFI CA" certificate must not be enabled by default (a BIOS option for enabling trust in non-Microsoft bootloaders must still be offered). As a result, other operating systems, but also the EgoSecure FDE, can no longer boot with the default Secure Boot configuration.

Solution

In the UEFI settings of most computers there is an option that allows the certificate "Microsoft 3rd Party UEFI CA" to be trusted again.

Here we list the settings known to us so far:

  • Lenovo: Security → Secure Boot → Allow Microsoft 3rd party UEFI CA
  • HP: Security → Secure Boot Key Management → Enable MS UEFI CA key
  • Dell: Boot Configuration → Enable Microsoft UEFI CA
  • Microsoft Surface / Pro: Security → Secure Boot configuration → Microsoft & 3rd party CA
  • Asus: Boot → Secure Boot → OS Type → Other OS
  • MSI: Security → Secure Boot → Image Execution Policy → Option ROM → Always Execute

More Information

In addition, there are computers where the manufacturer has not integrated the certificate "Microsoft 3rd Party UEFI CA" into its UEFI implementation at all. In this case, the certificate must be imported into the firmware afterwards. For instructions on how to accomplish this import, we must refer you to the respective manufacturer, because each manufacturer has its own procedure for installing a CA certificate. The official name of the required certificate is: Microsoft third-party Unified Extensible Firmware Interface Certificate Authority (also known as "Microsoft 3rd Party UEFI CA"). For more information, please contact the manufacturer of your PC on how to enable support for non-Microsoft bootloaders.
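Before enabling the vendor option from the Solution section, or after importing the certificate as described above, it is useful to confirm from within Windows whether the firmware's Secure Boot signature database (the UEFI `db` variable) actually contains the Microsoft 3rd Party UEFI CA. The following PowerShell script is an added example written for this article, not part of the EgoSecure product or the Matrix42 article; it assumes an elevated PowerShell session on a UEFI system where the built-in SecureBoot module (`Get-SecureBootUEFI`, `Confirm-SecureBootUEFI`) is available, and it matches the certificate by the subject names "Microsoft Corporation UEFI CA 2011" and its renewed successor "Microsoft UEFI CA 2023".

```powershell
# Added example (not from the Matrix42 article or the EgoSecure product):
# parse the UEFI 'db' Secure Boot database and report whether the
# Microsoft 3rd Party UEFI CA is trusted. Run in an elevated PowerShell.

function Get-SecureBootDbCertificates {
    # EFI_CERT_X509_GUID marks signature lists whose entries are DER X.509 certs.
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
    $bytes    = (Get-SecureBootUEFI -Name db).Bytes
    $certs    = @()
    $offset   = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType (GUID, 16 bytes), then
        # SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32, LE).
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list: stop rather than loop forever
        if ($type -eq $x509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + DER certificate.
                $der    = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos   += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

# Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as "not enabled".
try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }

$dbCerts      = Get-SecureBootDbCertificates
$thirdPartyCa = $dbCerts | Where-Object {
    $_.Subject -match 'Microsoft Corporation UEFI CA 2011|Microsoft UEFI CA 2023'
}

"Secure Boot enabled : $secureBootOn"
"Certificates in db  : " + (($dbCerts | ForEach-Object { $_.Subject }) -join '; ')
if ($secureBootOn -and -not $thirdPartyCa) {
    Write-Warning ("Microsoft 3rd Party UEFI CA is not in 'db'; the EgoSecure FDE " +
                   "bootloader will be rejected. Enable the vendor option or import the CA.")
} elseif ($thirdPartyCa) {
    "Microsoft 3rd Party UEFI CA is trusted: " + ($thirdPartyCa.Subject -join '; ')
}
```

Running this after changing the UEFI setting shows directly whether the certificate appeared in `db`, which is the condition the EgoSecure FDE bootloader needs in order to pass the firmware's signature check.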
