I restored the default settings to Secure Boot. Big mistake



I tried to get the latest Secure Boot certificate for my old Dell 7010 Optiplex machine.  
I restored the default settings to Secure Boot. Big mistake.
Now when Secure Boot is on, the machine doesn't boot and complains about no booting devices.

The computer's Secure Boot can't find where to boot and the information apparently has to be entered manually.
Secure Boot's settings are now years old and it can't find a new configuration.
What could be done here?
There are plenty of files to choose from in the secureboot menu, but I don't know what to put there for each of the four

Windows 11 upgraded from 10..... originally who knows what (used machine)

Without Secure Boot it boots normally.

 


Appreciating this guide is for HP Laptops but here's how to update the UEFI certificate database manually whether the OEM supports it or not:

https://h30434.www3.hp.com/t5/Business-Notebooks/Enabling-new-UEFI-2023-CA-certificates-in-pre-2018-HP/td-p/9628370

On 21/06/2026 at 15:49, Warwagon said:

See if this article I wrote the other day works for you.

This might work, but the boot menu F12 only shows hdd and dvd+/- and Niks

In the BIOS all USB are enabled.

The USB stick is in place and in the boot menu it does not show up in the BIOS boot order.

On 22/06/2026 at 14:25, dorf said:

This might work, but the boot menu F12 only shows hdd and dvd+/- and Niks

In the BIOS all USB are enabled.

The USB stick is in place and in the boot menu it does not show up in the BIOS boot order.

Is the boot option in the UEFI set to Legacy or CSM? It needs to be set to UEFI if it's not already.

The laptop in the bedroom is an Acer with i7-10510U CPU. Acer's website states they will not be upgrading it so I had little choice other than disable secure boot.

I know next to nothing on these matters so hopefully it will be fine.

There is a long thread (128pgs and counting) that I've been following over at ElevenForums that has a method for updating Secure Boot even if there is no BIOS upgrade.

I've used this method and had zero issues.

NOTE:  I do not take any responsibility if this or any other Secure Boot method bricks your system -- YMMV!  Read carefully before using!

I just dealt with a similar problem on my Dell T5810.  I learned when you reset your Secure Boot settings, it resets the 4 TPM encryption keys, which in turn causes Secure Boot to fail.

When TPM (is not cleared by a user in bios) and secure boot keys (are not reset by user) then the system uses the TPM encryption keys to create a digital signature for your boot hard drive.

Once created, this is what allows you to boot up in secure boot mode.  So now, your only recourse is to boot up with secure boot off, and backup your existing data.

Following that, you must reload Windows to recreate a new Secure Boot key signature.

 

My Error Message - Operating System Loader Signature not found in secure boot database ('db')

Reason - This message happens when you alter your motherboard's Secure Boot keys or clear out your TPM firmware in BIOS.

Solution - When you alter the Secure Boot keys or update your TPM firmware, you must re-install the Windows operating system in order to get Secure Boot and TPM working again.

Note1: You can turn off secure boot mode, and boot into your system in order to backup your data.

Note2: Before clearing out TPM keys, backup your BitLocker recovery keys. Because clearing out the TPM may lock you out of BitLocker-encrypted drives. 
If you don't know your BitLocker recovery keys, you can also access them by signing into your Microsoft account to get them.

Explanation

Secure Boot and a Trusted Platform Module (TPM) work together to create an impenetrable hardware-based security chain. 
While Secure Boot acts as the gatekeeper by verifying code signatures, the TPM acts as a tamper-resistant vault that records and seals your system's boot state.

How They Work Together
1. The Verification Process (Secure Boot): When you turn on your computer, the UEFI firmware checks the digital signature of every piece of software in the boot chain (bootloader, kernel, and core drivers) against a stored database of trusted keys. If software is unsigned or tampered with, Secure Boot blocks it.

2. The Measurement Process (TPM): Alongside this, the system performs "Measured Boot". As each stage of the boot process executes, it generates a unique cryptographic hash. These hashes are sent to the TPM, which stores them securely in internal registers.

3. Sealing Data: The TPM uses these "measurements" to lock/unlock encryption keys (like those used for BitLocker). If someone alters your system files or bypasses Secure Boot, the hash measurements change, and the TPM will refuse to release the decryption keys.

4. The Role of UEFI
To use these features together, your motherboard's BIOS must be operating in UEFI mode rather than Legacy/CSM. UEFI provides the environment where Secure Boot keys are validated and the measurements are first logged.
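
The measure-and-seal behaviour described in the explanation above, as an added example that is not part of the original post: a simplified software model of a PCR extend and of a secret bound to a PCR value. It assumes Secure Boot state is measured into a single PCR (PCR 7 on real systems); the class and function names and the variable contents are constructed for illustration, and no real TPM is involved.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA256(old PCR || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def replay(events) -> bytes:
    """Replay measured events, in order, into a PCR that starts at all zeros."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = extend(pcr, event)
    return pcr

class SealedBlob:
    """Toy stand-in for a TPM-sealed secret bound to one PCR value (hypothetical)."""
    def __init__(self, secret: bytes, pcr_at_seal: bytes):
        self._secret = secret
        self._policy = hashlib.sha256(pcr_at_seal).digest()

    def unseal(self, current_pcr: bytes):
        # The secret is released only if the current measurement matches the policy.
        if hashlib.sha256(current_pcr).digest() != self._policy:
            return None
        return self._secret

def secure_boot_events(pk: bytes, kek: bytes, db: bytes, dbx: bytes):
    """Constructed event list: one measurement per Secure Boot variable."""
    return [b"SecureBoot=1", b"PK:" + pk, b"KEK:" + kek, b"db:" + db, b"dbx:" + dbx]

# Constructed sample contents, not real certificate data.
BEFORE = secure_boot_events(b"oem-pk", b"kek-a", b"db-updated", b"dbx-current")
AFTER_RESET = secure_boot_events(b"oem-pk", b"kek-a", b"db-factory", b"dbx-factory")

def demo():
    pcr_before = replay(BEFORE)
    blob = SealedBlob(b"volume-key", pcr_before)
    return {
        "pcr_changed": pcr_before != replay(AFTER_RESET),
        "same_state": blob.unseal(replay(BEFORE)),
        "after_reset": blob.unseal(replay(AFTER_RESET)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this model the sealed secret is withheld once the measured Secure Boot variables differ from those present at sealing time, which is the situation where a BitLocker recovery key is needed.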

 

On 21/06/2026 at 03:23, binaryzero said:

Leave Secure Boot off, the Optiplex 7010 isn't getting a firmware update to support the changes...

yes AND no

the "original" or plain/normal Optiplex 7010 won't be getting any more new firmware updates BUT the Optiplex SFF/SFF Plus {small form factor}, Micro/Micro Plus & Tower/Tower Plus 7010 editions DO get new updates such as this new one

On 22/06/2026 at 03:15, Ixion said:

Appreciating this guide is for HP Laptops but here's how to update the UEFI certificate database manually whether the OEM supports it or not:

https://h30434.www3.hp.com/t5/Business-Notebooks/Enabling-new-UEFI-2023-CA-certificates-in-pre-2018-HP/td-p/9628370

 

and here are similar guides from the Dell web site for Dell systems:

https://www.dell.com/support/kbdoc/en-us/000390990/secure-boot-transition-faq

https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration
