Secure Boot Violation — Security Boot Fail or Invalid Signature Detected
About Secure Boot Violation
Fix Secure Boot violation errors that prevent Windows from booting, caused by unsigned drivers, a modified bootloader, or incorrect BIOS settings. This guide covers common causes, step-by-step solutions, and a frequently asked question.
Quick Answer
Is it safe to disable Secure Boot?
Temporarily, for troubleshooting, yes. Permanently disabling Secure Boot reduces security because the firmware will then run any bootloader code without checking its signature. Windows 11 requires Secure Boot, and disabling it may trigger activation or update issues. Re-enable it after fixing the issue.
Key Details
- Secure Boot verifies that all boot software (bootloader, drivers, OS kernel) is signed with trusted keys
- A violation means unsigned or improperly signed code was detected during the boot process
- Secure Boot is required for Windows 11 and is part of the UEFI specification
- Linux dual-boot setups can trigger Secure Boot violations if the Linux bootloader is not signed
- Some hardware drivers and firmware updates may temporarily break the Secure Boot chain of trust
Common Causes
- Unsigned or modified bootloader detected (common with Linux dual-boot or custom bootloaders)
- BIOS/UEFI firmware update changing the Secure Boot keys database
- Driver or kernel not properly signed after a Windows update
- MOK (Machine Owner Key) not enrolled for third-party signed bootloaders
Steps
1. If Windows will not boot: enter BIOS/UEFI and temporarily disable Secure Boot to boot normally
2. Check Secure Boot status in Windows: msinfo32 > System Summary > Secure Boot State
3. For Linux dual-boot: enroll the MOK (Machine Owner Key) using mokutil --import key.der
4. Re-enable Secure Boot after fixing the signature issue: BIOS > Security > Secure Boot > Enable
5. If caused by a driver: update or remove the unsigned driver from Safe Mode
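
On the Linux side of a dual-boot machine, the script below confirms that Secure Boot really is enforcing again after the re-enable step, and whether the certificate passed to mokutil --import is enrolled or still pending. It is an added example, not part of the original guide; the function names, the script name sbcheck.sh and the EFIVARS override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): read Secure Boot state from efivarfs.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # UEFI global variable GUID

# An efivarfs file is 4 attribute bytes followed by the variable data.
# SecureBoot and SetupMode each carry one data byte (0 or 1); print it.
efi_flag() {
    f="$EFIVARS/$1-$GLOBAL_GUID"
    [ -r "$f" ] || { echo unknown; return 0; }
    od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
}

# Prints one of: enabled, disabled, setup-mode, unknown.
secure_boot_state() {
    sb=$(efi_flag SecureBoot)
    setup=$(efi_flag SetupMode)
    if [ "$setup" = 1 ]; then
        echo setup-mode        # no Platform Key installed: signatures not enforced
    elif [ "$sb" = 1 ]; then
        echo enabled
    elif [ "$sb" = 0 ]; then
        echo disabled
    else
        echo unknown           # legacy BIOS boot, or efivarfs not mounted
    fi
}

# Hypothetical helper: print the state, then ask mokutil about a certificate.
report() {
    echo "Secure Boot: $(secure_boot_state)"
    if [ -n "${1:-}" ] && command -v mokutil >/dev/null 2>&1; then
        mokutil --test-key "$1"    # says whether this certificate is already enrolled
        mokutil --list-new         # requests still waiting for confirmation at reboot
    fi
}

# Run the report only when a certificate path is given, e.g. ./sbcheck.sh key.der
if [ "$#" -gt 0 ]; then report "$1"; fi
```

A result of disabled or setup-mode after step 4 means the firmware is still not enforcing signatures, so the machine should not be treated as protected yet.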