So I got my new replacement mainboard installed. And Windows installed just fine, even if your not it should not, as I didn’t check that option in Rufus to bypass Secure Boot.
But it looks like “Secure Boot” is disabled, as Windows Security, HWiNFO & the BIOS in the start tab of Secure Boot are confirming. Now this BIOS skin is a bit confusing, as the only options in that tab are to reset Secure Boot to factory default or delete Secure Boot files. I don’t see an enable Secure Boot. Maybe someone can point out where I need to look or what to do?
PS: Someone from Framework, please make a guide for this BIOS/skin with some basic info, please.
However, I just want to know how to enable “Secure Boot”, as it is disabled by default (yes, I get why that is the default, with the Linux community here).
But there are zero guides about this for the fw desktop, even though it seems like basic information.
Enforce Secure Boot is grayed out. Do I first have to enroll PK, KEK, db and so on? I don’t know. It’s been more than 10 years since I put a system together.
Anyway, I’ll wait to see if this community can give me an answer. Or it will be contacting support again.
It looks like they are using the correct menu; Enforce Secure Boot is only present in the “Administer Secure Boot” section.
@Maddious You’re doing everything correctly. If you cannot toggle “Enforce secure boot”, and you have already tried erasing all secure boot settings and restoring to factory settings, that is not expected. There have been some bugs pertaining to this on other firmware versions.
Your best bet will be to contact support.
The default configuration for a Framework device is to have secure boot turned ON with the Framework PK and KEK, as well as the two or three official Microsoft KEKs, enrolled.
You do not need to enroll your own keys to enable secure boot.
If you have a device where you cannot enforce secure boot without enrolling your own keys, that is not intended and you should contact support.
I have not tried “erasing all secure boot settings and restoring to factory settings”, but even without trying, there are NO PK, KEK files and so on listed in those submenus.
It’s been a long day for me, so I will not be working on this today.
But should I try tomorrow to do “restoring to factory settings” before contacting support?
I don’t know how “Secure Boot” works, plus there is almost zero documentation on this, or on the fw BIOS, unlike other companies; that’s why I asked here first.
Thanks, I know you’re a “Former” based on the permission group name on your forum account here. I fixed that “your” to “fw”; anyway, I do appreciate your responses.
It’s just that I like to know what I’m doing before doing it, especially with BIOS settings.
Just a finishing topic, as a “restoring to secure boot factory settings” did work.
But I did get a warning in Event Viewer:
Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection. This device signature information is included here.
DeviceAttributes: BaseBoardManufacturer:Framework;FirmwareManufacturer:INSYDE Corp.;FirmwareVersion:03.03;OEMModelNumber:Desktop (AMD Ryzen AI Max 300 Series);OEMModelBaseBoard:FRANMFCP06;OEMModelSystemFamily:Desktop;OEMManufacturerName:Framework;OEMModelSKU:FRANMFCP06;OSArchitecture:amd64;
BucketId: 44b77421efb17f86b5f2cc024b29bb3fbee5a861addfbd366080e36a80f56959
BucketConfidenceLevel: Under Observation - More Data Needed
Yes, I have not updated the BIOS to 3.0.4, because of what I’m reading about 3.0.4 on this forum, with long boot times, even for some Windows users.
I’ll do some stress testing in the coming days on 3.0.3, and see if I can just wait for the 3.0.5 full release, not the beta. As for the Secure Boot certificates that need an update on the BIOS level, maybe that is already done in 3.0.4? Or it will be done with a future BIOS update.
The updated UEFI Secure Boot certificates should be provided by Microsoft via Windows updates, in much the same way they are through Linux’s firmware manager’s LVFS distributions. The UEFI dbx key package is separate from the BIOS firmware, and once staged to install should just need a reboot to apply.
I suspect your reset of the factory settings reverted the keys to the ones that are baked into the base firmware, so that message is just indicating the presence of a staged update, and that issue should resolve itself after a reboot (or possibly a few, since Windows does suppress updates for a brief time after installation so as to not impact users rebooting for software installs immediately after the OS install).
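
Added example, not written by anyone in this thread and not Framework tooling: a PowerShell check of the state discussed above (whether Secure Boot is enforced, whether PK/KEK/db/dbx are populated, and whether the updated certificates have landed in firmware). The function name is hypothetical, and the two 2023 certificate names are taken from Microsoft's published Secure Boot certificate guidance, on the assumption that they are what the Event Viewer warning refers to.

```powershell
# Added example. Run from an elevated PowerShell prompt on a UEFI-booted Windows install.
function Get-SecureBootSummary {   # hypothetical helper name
    $summary = [ordered]@{}

    # True = firmware is enforcing Secure Boot; False = supported but not enforced.
    try   { $summary['Enforced'] = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $summary['Enforced'] = "unknown ($($_.Exception.Message))" }

    # Per the UEFI specification, SetupMode = 1 means no Platform Key (PK) is
    # enrolled; firmware does not enforce Secure Boot in that state.
    try   { $summary['SetupMode'] = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0] -eq 1 }
    catch { $summary['SetupMode'] = 'unreadable' }

    # Read each key store; a missing variable is recorded as zero bytes.
    $raw = @{}
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        try   { $raw[$name] = (Get-SecureBootUEFI -Name $name -ErrorAction Stop).Bytes }
        catch { $raw[$name] = [byte[]]@() }
        $summary["${name}_bytes"] = $raw[$name].Length
    }

    # Assumption: these subject names (from Microsoft's guidance, not from this
    # thread) identify the updated certificates. The search is a plain string
    # match on the raw variable contents, not a parse of the signature lists.
    $wanted = @{ KEK = 'Microsoft Corporation KEK 2K CA 2023'; db = 'Windows UEFI CA 2023' }
    foreach ($name in $wanted.Keys) {
        $text = [System.Text.Encoding]::ASCII.GetString($raw[$name])
        $summary["${name}_has_2023_cert"] = $text.Contains($wanted[$name])
    }

    [pscustomobject]$summary
}

Get-SecureBootSummary | Format-List
```

A result with `SetupMode` true and `PK_bytes` at 0 matches the empty key menus described earlier in the thread; after a factory-default restore, `Enforced` should read True, and the `*_has_2023_cert` fields show whether the staged certificate update has been applied yet.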