Boot Failure: Secure Boot Error (“Did Not Authenticate”, “No Signature”)
Problem:
Attempting to boot TeraByte Boot Media on a UEFI system with Secure Boot enabled results in messages similar to the following:
- Operating System Loader has no signature. Incompatible with SecureBoot.
- Selected Boot Image Did Not Authenticate.
- Invalid Signature Detected.
- Selected Boot Device Failed.
- Secure Boot Violation.
- Invalid Signature Detected.
- The system found unauthorized changes on the firmware, operating system, or UEFI drivers.
- Secure Boot Failure.
- The system has detected an invalid signature.
- Secure Boot: Unauthorized Image.
Cause:
- Microsoft’s Secured-core PC requirements no longer allow systems to run UEFI code signed using the Microsoft 3rd Party UEFI CA (2011). As a result, major PC manufacturers now ship Windows-based systems with the Microsoft UEFI CA 2011 certificate disabled by default.
- TeraByte Boot Media is signed by Microsoft using this certificate.
Workaround:
- Use TBWinPE/RE, which boots into Windows. Microsoft Windows is signed with a different certificate, which remains enabled by default on all major PC systems.
Solution:
To use TeraByte Boot Media, you must enable the Microsoft UEFI CA 2011 certificate in your system’s BIOS or UEFI setup. The steps vary by manufacturer. Examples:
- Dell
  - Security → Enable Microsoft UEFI CA
- Dell
  - Boot Configuration → Enable Microsoft UEFI CA
- HP
  - Go to Security → BIOS Secure Start
  - Uncheck Sure Start Secure Boot Keys Protection
  - Press Esc, exit BIOS, and save changes
  - Go to Security → Secure Boot Configuration
  - Enable MS UEFI CA key
  - Press Esc, return to BIOS Secure Start
  - Re-check Sure Start Secure Boot Keys Protection
  - Press Esc, exit BIOS, and save changes
- HP
  - Advanced → Secure Boot Configuration → Enable MS UEFI CA key
- Lenovo ThinkPad
  - Security → Secure Boot Configuration → Allow Microsoft 3rd Party UEFI CA
- Microsoft Surface Pro
  - Secure Boot → Select Microsoft & 3rd Party CA
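
To confirm the setting took effect, the Secure Boot allowed-signature database (db) can be inspected from a running OS. The following is an added example, not TeraByte code: it parses the raw contents of the db variable (for instance the Linux efivars file for db with its 4-byte attribute prefix removed) as EFI_SIGNATURE_LIST structures and reports whether the third-party CA is listed. It assumes the firmware implements the toggle by adding or removing the certificate from db, and it matches the certificate by its subject name "Microsoft Corporation UEFI CA 2011" rather than fully parsing X.509; the sample databases and owner GUID are constructed.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: signature lists of this type hold DER-encoded X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Subject CN of the certificate the page calls "Microsoft UEFI CA 2011".
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"
LIST_HEADER = 28  # 16-byte type GUID + three little-endian UINT32 size fields


def iter_signatures(db: bytes):
    """Yield (type_guid, owner_guid, data) for every entry in a raw db variable."""
    off = 0
    while off < len(db):
        if len(db) - off < LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if (list_size < LIST_HEADER + hdr_size or sig_size < 16
                or off + list_size > len(db)):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + LIST_HEADER + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=db[pos:pos + 16])
            yield sig_type, owner, db[pos + 16:pos + sig_size]
            pos += sig_size
        off += list_size


def third_party_ca_present(db: bytes) -> bool:
    """Heuristic: an X.509 entry whose bytes contain the CA's subject CN."""
    return any(t == EFI_CERT_X509_GUID and THIRD_PARTY_CA_CN in data
               for t, _owner, data in iter_signatures(db))


def make_list(sig_type: uuid.UUID, owner: uuid.UUID, data: bytes) -> bytes:
    """Build a one-entry signature list; used only for the constructed samples."""
    sig = owner.bytes_le + data
    return sig_type.bytes_le + struct.pack("<III", LIST_HEADER + len(sig), 0, len(sig)) + sig


# Constructed samples: placeholder bytes stand in for real DER certificates.
OWNER = uuid.UUID(int=1)  # constructed SignatureOwner GUID
DB_WINDOWS_ONLY = make_list(EFI_CERT_X509_GUID, OWNER,
                            b"\x30\x82 Microsoft Windows Production PCA 2011 ")
DB_WITH_THIRD_PARTY = DB_WINDOWS_ONLY + make_list(
    EFI_CERT_X509_GUID, OWNER, b"\x30\x82 " + THIRD_PARTY_CA_CN + b" ")

if __name__ == "__main__":
    for name, db in (("default", DB_WINDOWS_ONLY), ("enabled", DB_WITH_THIRD_PARTY)):
        print(name, "third-party CA in db:", third_party_ca_present(db))
```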