You can Secure UEFI64-boot to agFM on the E2B USB drive because it uses the Kaspersky bootx64.efi signed grub2 shim file. This boot file originated from Kaspersky and was signed by Microsoft as being 'Secure'. However, it contained a loophole which allowed us (via some clever programming) to load unsigned modules and hence an unsigned version of grub2 (e.g. grubfm or agFM or Ventoy, etc.).
A year or so ago, Microsoft released a KB Update which added a 'blacklist' entry to the non-volatile variable store of the system's UEFI firmware. This is called the DBx (or dbx) list, and it can usually be viewed in your UEFI BIOS settings.
The DBx list was specifically intended for this purpose - to blacklist boot files which Microsoft had signed as 'Secure' but which later turned out to be not as 'secure' as they thought!
The update provided by Microsoft immediately caused a lot of issues on certain Secure Boot OEM systems which also used this same EFI boot file (Lenovo?, HP?) and thus the update prevented them from booting after it was installed! Microsoft quickly withdrew the Windows Update and left their victims to try to rescue their secure but unbootable systems.
Now it seems Microsoft have tried again (KB4535680 2021-01-12) but the new Windows update is only applied to certain systems (and probably only those that boot via UEFI and have GPT partitions on the boot disk):
- Windows Server 2012 x64-bit
- Windows Server 2012 R2 x64-bit
- Windows 8.1 x64-bit
- Windows Server 2016 x64-bit
- Windows Server 2019 x64-bit
- Windows 10, version 1607 x64-bit
- Windows 10, version 1803 x64-bit
- Windows 10, version 1809 x64-bit
- Windows 10, version 1909 x64-bit
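To make the dbx mechanism concrete, here is an added example (not code from the original post, E2B or any of the projects mentioned) that parses a dbx blob and checks whether a boot image's digest is on the forbidden list. The blob is stored as a chain of EFI_SIGNATURE_LIST structures as defined in the UEFI specification; the sample blob below is constructed for this example, and the digests in it are plain SHA-256 hashes of made-up byte strings. On a real system you would read the variable instead (on Windows, `Get-SecureBootUEFI -Name dbx` returns the raw bytes; on Linux, the file under `/sys/firmware/efi/efivars/` named `dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` carries the same data after a 4-byte attribute prefix). One caveat: for PE boot files such as bootx64.efi, the firmware matches the Authenticode image hash, which skips the checksum and certificate table fields, not a hash of the raw file bytes; the plain `sha256()` used here is a simplification for the constructed data.

```python
"""Parse a UEFI dbx (forbidden signature database) and check an image against it.

Added example, not part of the original post. All data here is CONSTRUCTED.
"""
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16) + SignatureListSize (4)
# + SignatureHeaderSize (4) + SignatureSize (4) = 28 bytes, little-endian.
SIGLIST_HEADER_LEN = 28


def build_sha256_list(digests, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct test data).

    Each EFI_SIGNATURE_DATA entry is SignatureOwner GUID (16 bytes) + 32-byte digest.
    """
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + d for d in digests)
    list_size = SIGLIST_HEADER_LEN + len(body)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + body


def parse_dbx(blob):
    """Return a list of (signature_type, owner, data) for every entry in the blob.

    Walks the chain of EFI_SIGNATURE_LIST structures and rejects malformed sizes
    rather than reading past the end of the buffer.
    """
    entries = []
    off = 0
    while off + SIGLIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER_LEN or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + SIGLIST_HEADER_LEN + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def revoked_hashes(blob):
    """Set of SHA-256 digests the dbx forbids (X.509 entries are reported separately)."""
    return {data for sig_type, _, data in parse_dbx(blob) if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(blob, image_bytes):
    """True if the digest of image_bytes appears in the dbx.

    Simplification: plain SHA-256 of the bytes. Real PE checks use the Authenticode hash.
    """
    return hashlib.sha256(image_bytes).digest() in revoked_hashes(blob)


def load_dbx_from_efivars(path):
    """Read a dbx blob from a Linux efivars file, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def constructed_dbx():
    """Constructed sample: two signature lists, three revoked digests in total."""
    first = [hashlib.sha256(b"constructed revoked boot image").digest(),
             hashlib.sha256(b"another constructed revoked image").digest()]
    second = [hashlib.sha256(b"third constructed revoked image").digest()]
    return build_sha256_list(first) + build_sha256_list(second)


SAMPLE_DBX = constructed_dbx()

if __name__ == "__main__":
    print("revoked digests:", len(revoked_hashes(SAMPLE_DBX)))
    for name in (b"constructed revoked boot image", b"an image not on the list"):
        print(name.decode(), "->", "REVOKED" if is_revoked(SAMPLE_DBX, name) else "allowed")
```

The parser bounds-checks every list header before trusting its sizes, which matters because the variable contents come from firmware and vendor updates rather than from your own code; a truncated or corrupted blob raises instead of silently returning a partial list that could be mistaken for "nothing revoked".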
So, it's not possible to resolve this issue? Can you update bootx64.efi?
No, the EFI file must be signed by Microsoft, and they will never do this because it can boot or load unsigned code.
There is a way... I saw ITPS tool pack technology.
https://www.ittoolspack.com/p/hybrid-tech.html
I learned how they did it.
They make bootx64.efi boot Windows Boot Manager and add their menu via BCD.
I'm still working on it.
I want to load bootx64.efi, then ventoyx64.efi, via Windows Boot Manager.
Can you tell me how to do that via BCD?
Here is an example.
I don't want to add code to bootx64.efi because it's blocked on the latest laptops.
So booting the official bootx64.efi, then Windows Boot Manager, then another EFI is possible.
Also, we can skip the Windows Boot Manager Metro menu via BCD with timeout 0.
I just want to know how to boot the ventoyefix64 file via Windows Boot Manager with BCD.
WITHOUT patching BOOTX64.efi
https://www.rmprepusb.com/tutorials/edit_efi_for_bcd
Here is an example.
I tested ITPS on the latest laptops... Yes, IT WORKS!!!
10000000000%
Which unsigned EFI files have you been able to Secure Boot to?
Steve. Listen carefully bro,
Check ITPS TOOLS PACK.
Their project runs under Secure Boot too, on the latest machines, without a block error.
I learned how they did it.
They didn't patch the BOOTX64.efi file.
They boot it as the official EFI, but they created custom WIM loader menus on the Metro boot loader.
They just changed the BCD.
However, it works on pure EFI machines/laptops.
So here is a way.
I want to know how to run the Windows Boot Manager entry first and then edit the BCD to load a custom EFI file or grub.cfg via the Metro boot loader.
Setting timeout 0.
Please reply.
The problem is that we need to run an unsigned version of grub2 from Secure Boot. It is easy to run various WIM files under Secure Boot via Boot Manager, but when you Secure Boot to Boot Manager, it will not allow you to run an unsigned payload.