Secure Boot Error

iamnixster

Okay, so my desktop had Windows 10 Pro installed from USB using Rufus sometime last year. The computer is now running the latest FCU with no problems and I am running BitLocker on all partitions. My desktop has one Samsung SSD for the OS and an HDD for storage. I downloaded the latest ISO the other day and decided to have a dual boot by installing WIN10 S (yes, the "store" restricted version, coz I like to play around). Now I installed the W10 S from USB without the help of Rufus and everything went smoothly.

I should also mention that I had disconnected the SSD before installing the OS on the HDD so that these two could run independently. After installation, I reconnected the SSD and then ran into a problem. The PC just refuses to boot into my old W10 installation. It would show an "attempting repair" message and then fail. I initially thought it was because of BitLocker and so I disabled BitLocker, but no change. I then disabled Secure Boot in BIOS and now the system works fine. I read somewhere on WC that an EFI installation done from Rufus makes it impossible for Secure Boot to work. I just want to know if there is anything I can do to re-enable Secure Boot. Or do I need to do a clean install on the SSD too?

P.S: This is my first time creating a thread on WC. So my apologies if the post is too long.
 

DOGC_Kyle

For Secure Boot you need to first enable Secure Boot in BIOS, make sure Legacy support (CSM/Compatibility Support Module) is disabled, then install Windows from a UEFI USB (such as from the Media Creation Tool).

Rufus won't make the proper EFI setup on the USB (as far as I can tell). Don't use it for Windows 10, the official Media Creation Tool is far more useful (you can include all editions, all architectures, and it formats the USB properly, all in one tool).

Also you should always have Secure Boot enabled on Windows 10, or you may run into activation and driver issues. This depends on individual systems, but it's best to just avoid any issues by keeping Secure Boot enabled at all times.
You can still multi-boot with Secure Boot (you should boot into your main OS first, then let Windows Boot Manager restart into any other OS you have).
 

iamnixster


Thanks for responding. So what you're saying is that it's better to do a clean install? Secure Boot was always on until I installed the OS on the second drive. I was hoping I could just reinstall the EFI partition alone to fix this?

To clarify,

My SSD has the W10 Pro while HDD has the W10 S. With secure boot enabled, HDD boots with no issues. It is the SSD that's not booting with secure boot enabled.

I don't mind doing a clean install. It's just that (as mentioned above) I wanted to know if there is an easier way out.

Also, I prefer to keep the two OSs separate, i.e. I can choose which OS to boot into from BIOS and not run into Windows Boot Manager.
 

DOGC_Kyle

I'm not sure if you can enable Secure Boot without a clean install. You'd at least need to reformat the drive, as Secure Boot needs GPT partitions. No way to enable that without reformatting.

If you need the OSs separate, you can't exactly use Secure Boot. Part of the process involves the BIOS handing off to the OS which means you can only have one for it to be linked to. This main OS can then restart into another OS.
You should still leave CSM/legacy disabled if you are using Windows 8/8.1/10. Modern OS's should use UEFI mode.
 

iamnixster

Well I went ahead and clean installed W10 pro. Things were looking good and I could boot into both OSs with secure boot enabled. But now I ran into a new issue and Win10 was throwing me errors showing that all apps are blocked by some drive guard and it wouldn't let me open any .exe files. Long story short, my W10 pro is now acting as a W10 S. Even clicking start button doesn't do anything. I rebooted into W10 S and went back to W10 pro and now the pro wouldn't boot.

So now I have decided to abandon the dual boot idea and will wipe everything to install just one OS. My desktop is important to me and I can't afford to do any more experiments on it. My whole intention was to have a backup OS in case of a failure on my main drive. Anyway, thanks for all the tips.
 

iamnixster

UPDATE: Well, it appears my desktop has now become useless. I can't install anything as my PC is literally a Windows 10 Pro acting like a Windows 10 S. I have no clue how to proceed next. A bit of online searching suggests disabling "device guard" but so far it has had no effect.

Anyone got any ideas, please help me out.
 

DOGC_Kyle

Device Guard should only be present on Windows 10 Enterprise.

Are you sure it's Windows 10 Pro that you installed?

Does anything that looks related show in Settings > System > About?
 

iamnixster

Yes that's what I was wondering. Mine is a home computer.

Anyway, it seems the issue has now been solved. Here's what I did.

I disconnected the HDD, deleted all partitions on the SSD and did a clean install (again). After installation completed, the error (device guard) showed up as usual. Now, outta curiosity, I disabled Secure Boot in BIOS and rebooted my PC. And voila, everything works just as it should. Before proceeding any further, I went back into BIOS and re-enabled Secure Boot. After reboot, it's still working fine as of now. I hope it stays okay. Will update if there's any change.
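
Added example, not part of the original thread: a read-only PowerShell check of the settings the posts above discuss (Secure Boot state, partition style and EFI System Partition per disk, Windows edition, and code integrity policy enforcement as reported by the Win32_DeviceGuard WMI class). It assumes an elevated PowerShell session on Windows 10; the function name Get-BootSecurityReport is hypothetical.

```powershell
# Added example: read-only report, changes nothing on the system.
# Get-BootSecurityReport is a hypothetical name; run from an elevated prompt.
function Get-BootSecurityReport {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # when Windows was booted in legacy BIOS/CSM mode or the session is not elevated.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        $secureBoot = 'Not supported (booted in legacy BIOS/CSM mode)'
    } catch {
        $secureBoot = "Unknown: $($_.Exception.Message)"
    }

    # GPT partition type GUID of an EFI System Partition (ESP).
    $espType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
    $disks = foreach ($d in Get-Disk) {
        $parts = Get-Partition -DiskNumber $d.Number -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Disk           = $d.Number
            Name           = $d.FriendlyName
            PartitionStyle = $d.PartitionStyle   # GPT, MBR or RAW
            IsBootDisk     = $d.IsBoot           # disk holding the running Windows
            HasEsp         = [bool]($parts | Where-Object GptType -eq $espType)
        }
    }

    # Code integrity policy enforcement: 0 = Off, 1 = Audit, 2 = Enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $ciMap = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $ciPolicy = if ($dg) { $ciMap[[int]$dg.CodeIntegrityPolicyEnforcementStatus] } else { 'Unavailable' }

    [pscustomobject]@{
        Edition             = (Get-CimInstance Win32_OperatingSystem).Caption
        SecureBoot          = $secureBoot
        CodeIntegrityPolicy = $ciPolicy
        Disks               = $disks
    }
}

$report = Get-BootSecurityReport
$report | Select-Object Edition, SecureBoot, CodeIntegrityPolicy | Format-List
$report.Disks | Format-Table -AutoSize
```

With two Windows installations on separate drives, as in this thread, each disk that boots on its own under UEFI should show GPT with HasEsp set to True.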
 
