ventoy / Ventoy

A new bootable USB solution.
https://www.ventoy.net
GNU General Public License v3.0

[issue]: Ventoy refuses to boot with Secure Boot on Dell Latitude #2902

Open TechySkills opened 4 months ago

TechySkills commented 4 months ago

Official FAQ

Ventoy Version: 1.0.99

What about latest release: Yes. I have tried the latest release, but the bug still exists.

Try alternative boot mode: Yes. I have tried them, but the bug still exists.

BIOS Mode: UEFI Mode

Partition Style: MBR

Disk Capacity: 64GB

Disk Manufacturer: Kingston

Image file checksum (if applicable): Yes.

Image file download link (if applicable): https://www.microsoft.com/software-download/windows11?msockid=25005cd7c01065343308484cc1606434

What happened?

Ventoy refuses to boot with UEFI Secure Boot ON on a Dell Latitude E5540.

It gives some weird errors when I boot into the USB from the BIOS:

1st Error: Failed to open \EFI\BOOT\ - Not Found Failed to Load Image || - Not Found start_image() returned Not Found, falling back to defualt loader.

Then it boots to a blue Security Violation screen, and if only the online tutorials worked... I tried what the online tutorials said and pressed Enter, but it gave another error and straight up rebooted instead of going to MokManager...

2nd Error: Failed to load image: Security Policy Violation start_image returened Security Policy Violation

A video is attached:

https://github.com/ventoy/Ventoy/assets/82161063/f55e5748-5f5f-4529-a4f6-751b7beff7c9

ossdesign commented 4 months ago

I have the same problem with Dell laptops at work. I used to get the option to enroll the Ventoy keys at first Ventoy boot, then it reboots fine into Ventoy. I am no longer given that option, just fails as you describe.

There was another issue posted on this not too long ago; I actually came back here to find it. What does work is to change Secure Boot in the BIOS/UEFI from Deployed Mode to Audit Mode, then save and reboot. You still see those initial errors (before the blue screen), but then it boots into Ventoy.

I don't know much about the details of Secure Boot, but my basic understanding is that in Audit Mode it detects and logs the errors but does not block the boot process (in essence, you are auditing things!). Not sure what the security implications are, and likely after install you can switch back to Deployed Mode if you want, as the newly installed OS boot UEFI shim (or whatever) should have valid keys.

Why Ventoy no longer works as it used to, when you could enroll the keys, I do not know. I also do not know what issues come from enrolling the keys. On the plus side, this has got me digging into Secure Boot a little to try and better understand it!
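One way to verify which Secure Boot platform mode a machine is actually in after that BIOS change, so a box is not quietly left with signature checks unenforced. This is an added Linux example, not part of the thread or of Ventoy: it reads the four UEFI global variables (SecureBoot, SetupMode, AuditMode, DeployedMode) from efivarfs and names the mode; the sample bytes are constructed.

```python
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI spec; the four mode flags live under it.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
MODE_VARS = ("SecureBoot", "SetupMode", "AuditMode", "DeployedMode")


def parse_efivar_flag(raw: bytes) -> int:
    """Decode one efivarfs file: a 4-byte little-endian attribute word,
    then the variable data, which for these four flags is one 0/1 byte."""
    if len(raw) < 5:
        raise ValueError("efivar file too short to hold attributes + flag")
    return raw[4]


def classify(flags: dict) -> str:
    """Name the UEFI platform mode implied by the four flags."""
    if flags.get("AuditMode") == 1:
        return "Audit Mode: signature failures are logged, not enforced"
    if flags.get("DeployedMode") == 1:
        return "Deployed Mode: Secure Boot enforced and locked"
    if flags.get("SetupMode") == 1:
        return "Setup Mode: no Platform Key enrolled, Secure Boot off"
    if flags.get("SecureBoot") == 1:
        return "User Mode: Secure Boot enforced"
    return "User Mode: Secure Boot disabled by policy"


def read_platform_flags(efivars: Path = EFIVARS) -> dict:
    """Read whichever of the four flags this firmware exposes via efivarfs
    (pre-UEFI 2.5 firmware has no AuditMode/DeployedMode variables)."""
    flags = {}
    for name in MODE_VARS:
        path = efivars / f"{name}-{EFI_GLOBAL_VARIABLE}"
        if path.exists():
            flags[name] = parse_efivar_flag(path.read_bytes())
    return flags

# Constructed sample (not captured from a real machine): what efivarfs would
# hold on a box left in Audit Mode after the BIOS workaround in the thread.
SAMPLE_AUDIT = {
    "SecureBoot": parse_efivar_flag(b"\x06\x00\x00\x00\x00"),
    "SetupMode": parse_efivar_flag(b"\x06\x00\x00\x00\x01"),
    "AuditMode": parse_efivar_flag(b"\x06\x00\x00\x00\x01"),
    "DeployedMode": parse_efivar_flag(b"\x06\x00\x00\x00\x00"),
}

if __name__ == "__main__":
    live = read_platform_flags()  # empty when not on a UEFI Linux host
    print(classify(live or SAMPLE_AUDIT))
```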

7krasov commented 3 months ago

Having the same error messages as on the video. Ventoy 1.0.99, Dell, Transcend 8GB, UEFI mode, Secure Boot enabled.

ErrorCode400 commented 3 months ago

Either turn off secure boot in UEFI/BIOS or enable the secure boot support option in Ventoy

asheroto commented 3 months ago

This issue is identical to mine. Using a Dell OptiPlex 3020.

https://github.com/user-attachments/assets/843da01a-9ed4-41ee-9263-5fc597469782

> Either turn off secure boot in UEFI/BIOS or enable the secure boot support option in Ventoy

That is okay as a workaround, but it doesn't fix the issue itself. 😊 With most computers there is an option to perform MOK management.

TechySkills commented 3 months ago

Uh.. I fixed the issue without changing anything, just by downgrading one version, aka 1.0.98. Regards, TechySkills


TechySkills commented 3 months ago

This was exactly my error, but I fixed it by downgrading to 1.0.98. It is a Ventoy fault; I don't know what they changed, but it works with 1.0.98. Try with that 😉

asheroto commented 3 months ago

> This was exactly my error, but I fixed it by downgrading to 1.0.98. It is a Ventoy fault; I don't know what they changed, but it works with 1.0.98. Try with that 😉

Sounds like a workaround for now. Not sure what changed in it. Definitely some new feature it sounds like. @ventoy

TechySkills commented 3 months ago

Yup, a new feature which broke Secure Boot. Regards, TechySkills


ErrorCode400 commented 3 months ago

People report that they can’t enroll the keys on their Secured-core PCs.

https://forums.ventoy.net/showthread.php?tid=2896&highlight=enroll+key

It affects all Surface devices, Dell, and Lenovo’s Secured-core PCs. If your PC is Secured-core and you want to boot with secure boot enabled, disable the “Microsoft UEFI CA” option in the BIOS setup. I’m not sure if it’s safe to disable it.


https://forums.ventoy.net/showthread.php?tid=2896&page=2&highlight=enroll+key

If you’re not sure whether your PC is Secured-core, just Google your model or check to see if there’s the “Microsoft UEFI CA” option in the BIOS setup.

asheroto commented 3 months ago

That may be a good workaround, but I don't know if that's the "fix" for it. 😊

Especially since previous versions seem to work fine.

ErrorCode400 commented 3 months ago

> That may be a good workaround, but I don't know if that's the "fix" for it. 😊
>
> Especially since previous versions seem to work fine.

What's your model?

asheroto commented 3 months ago

The computer I experienced the issue on is a Dell OptiPlex 3020. Looks like Dell Latitude E5540 has also been mentioned here, so not just one model affected.

TechySkills commented 3 months ago

Yes, I am the guy with the E5540... and, uh, I don't think I have ever seen a UEFI CA option before on my BIOS. Regards, TechySkills


ErrorCode400 commented 3 months ago

> Yes, I am the guy with the E5540... and, uh, I don't think I have ever seen a UEFI CA option before on my BIOS.

If you don't see that option in your BIOS, that means your model is not "Secured-core". People aren't aware that they use Secured-core PCs, and previous versions won't work. They need to disable the option if they want to boot with secure boot enabled. Before doing that, I recommend they make a backup.

asheroto commented 3 months ago

Secured-core PCs are fairly new, and both of these models are not. 😊

But I will keep a lookout on newer PCs for that option you mentioned.

I think this is still a bug, especially since previous versions work fine with the same computers.

ErrorCode400 commented 3 months ago

> Secured-core PCs are fairly new, and both of these models are not. 😊
>
> But I will keep a lookout on newer PCs for that option you mentioned.
>
> I think this is still a bug, especially since previous versions work fine with the same computers.

I believe it's a bug. Hopefully, they fix it in the next version.