bootit uefi broke booting, won't boot USB without secure disabled

orangemonkey
Posts: 5
Joined: Sun Jul 24, 2022 6:33 pm

bootit uefi broke booting, won't boot USB without secure disabled

Post by orangemonkey »

On a brand new clean win10 install (Microsoft Surface Pro 4), I installed bootit uefi with default settings (in particular 'yes' to the first question (shown below)... I think that's important vs 'no' which puts boot files in bootit directory. But I could be wrong, this is just a guess).

Q: Install boot files to the default UEFI boot directory?
Yes.

I rebooted a couple of times to see it working, but didn't make any changes. All is fine.

Now the problem begins... I then uninstalled bootit per the menu selection within bootit. All seems normal and I reinstalled win10 twice (getting perfect baseline).

But, now the system will not boot any USB thumb drive except the microsoft installer usb stick. When I go into UEFI settings and downgrade secure boot from Microsoft signed, to Microsoft + 3rd party, it now boots other thumb sticks.

To troubleshoot, I also downloaded the Microsoft Surface emergency repair stick, which is just a special win 10 installer stick that supposedly also reflashes the UEFI firmware (I downloaded the specific file for my make and year of the Surface Pro 4, vs other years). Thinking if the whole system is flashed back to factory, it'd be fine. But after win10 installed, bootit installer stick still won't boot unless I change the settings in UEFI firmware to allow 3rd party OS.

Since this is booting a non microsoft signed OS from a USB stick, that setting shouldn't be invoked, but it is. And it was before installing bootit and uninstalling bootit. Any ideas?

edit: fast start was disabled before bootit install.
TeraByte Support
Posts: 3622
Joined: Thu May 05, 2011 10:37 pm

Re: bootit uefi broke booting, won't boot USB without secure disabled

Post by TeraByte Support »

In secure boot mode, you can only boot non-Microsoft items signed by Microsoft if that Microsoft + 3rd party option is enabled, including BootIt UEFI. If it's Microsoft only, then it only boots Microsoft software that is signed with Microsoft's own internal certificate. BIU has no control over the setting.
orangemonkey
Posts: 5
Joined: Sun Jul 24, 2022 6:33 pm

Re: bootit uefi broke booting, won't boot USB without secure disabled

Post by orangemonkey »

Yeah, that makes sense, but I'm pretty sure I booted the installer stick in full secure mode. I'm pretty certain of this, but leave open the possibility I'm remembering wrong as I was playing back and forth with that setting in the last week. I also booted from a macrium stick last week in secure mode (again I think I remember that right), but that macrium stick was made from the same windows installation.

Does it matter if the installer stick is made on the same machine? Does the installer pull some artifacts from the win 10 install? Like bitlocker keys or signatures or whatever it needs so that USB stick will boot on the same machine in secure mode?

On another computer, I couldn't resize the win 10 main partition to shrink it, but that bootit installer stick was made from a different computer. So testing a theory, I wiped and reinstalled, and then built the bootit install disk from the same win 10 installation, and IFL stick too from the same win10 installation. Later I was able to resize. Is that a fluke, or connected to how the installer sticks are made?
Last edited by orangemonkey on Mon Jul 25, 2022 7:11 pm, edited 1 time in total.
TeraByte Support
Posts: 3622
Joined: Thu May 05, 2011 10:37 pm

Re: bootit uefi broke booting, won't boot USB without secure disabled

Post by TeraByte Support »

If it did, it wasn't supposed to; the 3rd party option has to be enabled.

It may have been dirty and rebooting fixed it.
orangemonkey
Posts: 5
Joined: Sun Jul 24, 2022 6:33 pm

Re: bootit uefi broke booting, won't boot USB without secure disabled

Post by orangemonkey »

Ok thanks. Can you answer if makedisk pulls specific info (drivers, bit keys, etc...) from the host OS when making a bootable thumbstick?
TeraByte Support
Posts: 3622
Joined: Thu May 05, 2011 10:37 pm

Re: bootit uefi broke booting, won't boot USB without secure disabled

Post by TeraByte Support »

BootIt is self contained. Makedisk doesn't pull anything from the OS.
orangemonkey
Posts: 5
Joined: Sun Jul 24, 2022 6:33 pm

Re: bootit uefi broke booting, won't boot USB without secure disabled

Post by orangemonkey »

The manuals for IFL and BootIT UEFI both say booting from USB sticks is supported in secure mode.

BootIT "BootIt UEFI supports being booted and installed on UEFI systems configured in UEFI mode. Secure Boot is also supported."

IFL "Image for Linux (IFL) supports booting via CD or USB flash drive on UEFI systems (Secure Boot is supported)".

The installation of BootIT UEFI, and then uninstallation of BootIT UEFI has caused my surface pro to break in a semi serious fashion.

Here is the error I get.

Within windows 10, I use the "restart to troubleshoot mode". And after reboot a blue screen comes up with simple large button options.
1. Click on "troubleshoot".
2. Click on "advanced options".
3. Click on "UEFI Firmware Settings".
4. Click on "Restart to change UEFI settings". (see first pic below)

After reboot I get the following error.

[Attached images: rebootuefi.jpg, uefierror.jpg]

After clicking on OK in the error message, it takes me to the UEFI firmware as if nothing is wrong. And, this error is persistent. I even reimaged the entire drive with a factory reset USB stick from microsoft specific to this year/make of Surface pro. After new Win 10 install and repeat steps above, same error.

Combined with this error and that it won't boot IFL from USB stick without turning off secure mode, BootIT did something in the process of installing and uninstalling, and could use some assistance please.
TeraByte Support
Posts: 3622
Joined: Thu May 05, 2011 10:37 pm

Re: bootit uefi broke booting, won't boot USB without secure disabled

Post by TeraByte Support »

I just tested a surface pro 7, installed good, attempt to boot default item, got the bitlocker recovery key as expected due to tpm, held power button to turn off, it rebooted instead, maintenance, boot edit, change the boot item to enable UEFI BM, ok, booted, booted to Win10 fine. Reboot, maintenance, tools/uninstall, Remove BootIt UEFI, ok, rebooted, back to windows fine.

I presume there is something else at play, maybe boot back to the firmware (hold down the left volume button while powering on or reboot) and check boot devices (swipe left to boot from it) or reset the firmware to default. If you want to look in the efi system partition you should see the /efi/boot/bootx64.efi file as well as the microsoft directory.

Also, if you had shut down with fast startup enabled, then booted and uninstalled, it may be the file system was dirty and needs chkdsk /f?
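Added example, not part of the thread or of TeraByte's tooling: a PowerShell check, run elevated on the affected machine, that compares which Microsoft CA issued a loader's signing certificate with which CAs the firmware's Secure Boot db currently trusts, which is the distinction behind the "Microsoft only" versus "Microsoft + 3rd party" setting discussed above. The function name `Test-LoaderTrust` and the `E:` drive letter are assumptions; the CA names are the 2011 Microsoft certificates commonly present in db.

```powershell
# Added example. Run from an elevated PowerShell prompt on a UEFI system.
# Test-LoaderTrust is a hypothetical helper name, not a built-in cmdlet.
function Test-LoaderTrust {
    param(
        # Path to the loader to inspect, e.g. the default loader on a USB stick.
        [Parameter(Mandatory)] [string] $LoaderPath
    )

    $thirdPartyCa = 'Microsoft Corporation UEFI CA 2011'      # signs non-Microsoft loaders
    $windowsCa    = 'Microsoft Windows Production PCA 2011'   # signs the Windows boot manager

    # Is Secure Boot enforced at all? (Throws on legacy BIOS systems.)
    $secureBoot = Confirm-SecureBootUEFI

    # The db variable holds the certificates the firmware will accept.
    # Certificate subject names are stored as readable ASCII inside the DER blobs.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)

    # Which CA issued the certificate that signed this loader?
    $sig    = Get-AuthenticodeSignature -FilePath $LoaderPath
    $issuer = $sig.SignerCertificate.Issuer    # $null when the file is unsigned

    $needsThirdParty = $issuer -match [regex]::Escape($thirdPartyCa)
    $thirdPartyInDb  = $dbText -match [regex]::Escape($thirdPartyCa)

    $verdict =
        if (-not $secureBoot)       { 'Secure Boot is off: signature is not enforced' }
        elseif (-not $issuer)       { 'Loader is unsigned: firmware will refuse it' }
        elseif ($needsThirdParty -and -not $thirdPartyInDb) {
            'Loader needs the 3rd-party CA, which db does not trust: blocked'
        }
        else                        { 'Issuing CA check does not explain a block' }

    [pscustomobject]@{
        Loader            = $LoaderPath
        SecureBootEnabled = $secureBoot
        LoaderIssuer      = $issuer
        ThirdPartyCaInDb  = $thirdPartyInDb
        WindowsCaInDb     = ($dbText -match [regex]::Escape($windowsCa))
        Verdict           = $verdict
    }
}

# Assumption: the USB stick is mounted as E:. For the internal EFI system
# partition, mount it first with "mountvol S: /S" and release it with "mountvol S: /D".
Test-LoaderTrust -LoaderPath 'E:\EFI\Boot\bootx64.efi'
```

Running it once with each firmware setting shows whether `ThirdPartyCaInDb` flips while the loader's issuer stays the same.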
orangemonkey
Posts: 5
Joined: Sun Jul 24, 2022 6:33 pm

Re: bootit uefi broke booting, won't boot USB without secure disabled

Post by orangemonkey »

Thank you much for all that work. For the most part, this is resolved. One mistake in work above was I didn't follow the create 'surface recovery usb' close enough and some files were left off. I did that again and did see the error again, but now I can't replicate it. The error was never a problem because the computer always booted to win 10 or my IFL partition from bootit. The only way to replicate the error was to shift-restart in windows, click troubleshoot, and change uefi firmware. Only then did it ever come up, and immediately after clicking OK, firmware launched. Anyway, can't replicate it anymore.

Thanks for the support. Anybody who reads this in the future can largely ignore this, as this is a very isolated corner case.