[SOLVED] FW16 does not boot Windows after updating to BIOS 3.03

System setup:
/dev/nvme0n1 - Ubuntu 22.04 LTS, fully updated
/dev/nvme0n1p1 - ESP, /boot/efi
/dev/nvme0n1p2 - ext4, /boot
Remainder is LVM-on-LUKS

/dev/sda - Windows 11 Pro (1 TB expansion card)
/dev/sda1 - ESP
/dev/sda2 - MSR
Remainder is NTFS with BitLocker (not using TPM)

Secure boot is enabled.
Main bootloader is GRUB, loads Linux by default or chainloads Windows ESP via menu entry.

Until this morning, everything worked correctly, and I could boot whichever OS I pleased. I booted into Windows 11 in order to install the BIOS update, but after the update, I can’t boot Windows any more.

(The BIOS update suspended BitLocker on the Windows 11 drive, but it does not use the TPM and should not have to be suspended. That said, I didn’t stop it from doing so, since it will unsuspend once I can boot back into Windows again.)

Specifically, Ubuntu loads correctly via GRUB. However, when I select the entry that would normally load Windows 11, I get several lines of errors, all of the general form:

error: Secure Boot forbids loading module from (hd0,gpt2)/grub/x86_64-efi/exfat.mod.

This ends in the device not being found, and the Windows bootmgfw.efi not being found.

Ubuntu continues to load correctly. I have reinstalled GRUB (using grub-install /dev/nvme0n1 and then update-grub). GRUB detects the Windows Boot Manager correctly and adds the menu entry, but I still cannot load Windows 11.

I’m sure I could temporarily “solve” this by disabling Secure Boot, but I don’t see why that would be necessary. Clearly, GRUB is installed as it should be because it can load Ubuntu correctly with Secure Boot enabled. But the GRUB modules needed to chainload Windows are now being rejected, even though os-prober runs and detects the installation and adds the menu entry just as it has previously.

I’m assuming I need to do something like re-register GRUB’s signing key, but I’m not sure how. mokutil shows I still have the previous MOKs loaded, and attempting to enroll any outstanding keys tells me I’m not using any DKMS modules, so I think I’m barking up the wrong tree there.

After more digging around, I discovered the problem was nothing to do with Secure Boot, GRUB, or signatures. The problem was the BIOS no longer recognized the inserted expansion card, even though Ubuntu did.

To resolve the issue, I booted into the BIOS by pressing F2 on boot and entering setup. The SSD was the only device detected. So I removed the expansion card and rebooted, pressing F2 again to enter the BIOS, but this time going into the boot manager. Again, the SSD was the only device listed. If I inserted the expansion card while on this screen, the BIOS suddenly recognized it. I made no changes and exited the boot manager, continuing to boot normally into GRUB, which was then able to chainload into Windows successfully.

I can only speculate that GRUB was attempting to find the device, failed (because the BIOS wasn’t detecting it after update), attempted to load other modules that it normally would not have to load (triggering the error messages), and finally printed the message about not being able to find the device. This made it seem as though the module failures caused the inability to find the device.