System found unauthorized changes on the firmware

14

5

I have a PC with an Asus motherboard running Windows 7 Pro. Yesterday I installed the latest Windows updates, restarted, and shortly afterwards hibernated the machine.

This morning on un-hibernating I got a black screen with:

The system found unauthorized changes on the firmware,operating system or UEFI drivers

It also said:

Go to BIOS Setup > Advanced > Boot and change the current boot device into other secured boot devices

The only way I was able to get it to boot was by changing the BIOS secure boot OS to 'other OS' i.e. I think this means secure boot is effectively disabled.

There have been no hardware changes to this machine recently (last thing I changed was adding more RAM about 3 weeks ago, and it has successfully rebooted multiple times since then). There is no CD/DVD or bootable USB device connected.

I'm running a full MSE scan just to be sure / paranoid. Is it possible the Windows updates caused this? Should I be concerned about disabling secure boot? I've tried setting it back to enabled; however, the original message reappears.

Nick Baker

Posted 2016-03-19T09:26:27.120

Reputation: 243

3

Can't answer because of reputation, but likely that this was caused by optional Windows update KB3133977 which was a recently released BitLocker fix (2016/03/14) that affects boot files: https://support.microsoft.com/en-gb/kb/3133977 and would change the signature, leading to the warning. If that's the case, this would be benign.

People reporting it tend to have ASUS motherboards: sources https://hardforum.com/threads/secure-boot-suddenly-stopped-working-with-windows-7.1894722/ and http://www.sevenforums.com/system-security/393432-help-uefi-bios-os-compromised.html

– Steven Maude – 2016-04-11T19:20:59.047

And you can apparently fix it without disabling Secure Boot (though as mentioned that's not officially supported) in the BIOS by System Restore from a previous backup, then not installing KB3133977. – Steven Maude – 2016-04-11T19:26:56.483

(searching for KB3133977) this thread https://hardforum.com/threads/secure-boot-suddenly-stopped-working-with-windows-7.1894722/#post-1042205964 seems to suggest ASUS are using a non-standard secure boot implementation...

– Nick Baker – 2016-04-12T08:23:11.573

'Microsoft has been in touch to say:

Asus shipped some main boards with their own implementation of a Secure Boot-like feature for Windows 7. Secure Boot is a feature introduced by Microsoft in Windows 8 and also supported by Windows 10. Prior to releasing the update, we worked closely with Asus to help them put support in place for their customers. For customers experiencing an issue after installing the update, we recommend they contact Asus.' see http://www.theregister.co.uk/2016/05/06/microsoft_update_asus_windows_7/
– Nick Baker – 2016-05-14T08:55:28.110

Answers

9

Windows 7 does not support Secure Boot, leave it off.

"Secure Boot is a security standard developed by members of the PC industry to help make sure that your PC boots using only software that is trusted by the PC manufacturer."

"When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system."

"The following versions of Windows support Secure Boot: Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 8, Windows Server 2012, and Windows RT."

https://technet.microsoft.com/en-us/library/hh824987.aspx

Moab

Posted 2016-03-19T09:26:27.120

Reputation: 54 203

Thanks for the answer - sounds like I should not be too concerned from a security point of view, however it would be nice to know what caused this... Either something (incorrectly) turned secure boot on in the BIOS, or something changed a signature? – Nick Baker – 2016-03-21T08:31:09.070

3

Oddly, soon after I installed Windows 7 on my computer with an ASUS motherboard, it did work with Secure Boot enabled; but recently it has stopped working this way. I suspect that Microsoft may have released one or more updates to its Windows 7 boot loader, some of which are signed and some of which are not signed. If so, that's very annoying. Another possibility is some sort of bug or inconsistency in ASUS' Secure Boot implementation that's causing either false alarms or misses. – Rod Smith – 2016-03-21T14:04:25.810

1

I just installed a bunch of Windows updates on April 13 2016, and oddly enough, I got this same error message (never seen it before). In my BIOS, I had to change the OS type to "other" under my secure boot options (I didn't seem to have an option to disable it), and that worked for me. Thanks. – http203 – 2016-04-14T13:14:30.330