Here's my story:
I bought the Asus N56VZ some time ago, with Windows 7 preinstalled. But at the same time I also bought an SSD and new RAM (16GB) and replaced it in the fresh notebook to "max it out" from the start. Then I directly installed Windows 8 in UEFI mode (there is an EFI partition), never used Win7 on the notebook. Some days ago I upgraded (no clean install, used the upgrade option) Win8 to Windows 8.1 RTM (I have access to MS Dreamspark). My BIOS is up to date (ver 217, the latest from Asus's website).
Now Windows 8.1 displays that secure boot is not activated, and I decided that I want to activate it (I don't want to argue if this is good or bad, I want just a solution).
But I can't find any option in my UEFI setup with the label "(Legacy) CSM" or "Secure Boot". I found screenshots of people with an Asus N76VZ (which has basically the same BIOS/UEFI) that had this option, but I also saw screenshots without that option on an N76VZ.
Questions:
What are the conditions that the Secure Boot/Legacy BIOS options are displayed? Is it even possible to activate it afterwards when Windows 8(.1) is installed already? Can I enable it without any reinstallation?
-
-
I think it depends on whether you have a gpt-partition with a properly registered system partition in it. It should be enabled by default. But it's possible that you won't get that option in bios if you don't have these partitions readable at the time you open the bios.
But the most likely explanation is that you've upgraded a windows 7 install that used a legacy boot, win8 has then replaced it and - without a uefi boot - booted without a secure boot option. And then the uefi secure boot "signing" was never installed.
Which... really doesn't matter all that much anyway. Honestly don't see why you would want secure boot, or get anything whatsoever that relies on Microsoft's peculiar secure boot features to be installed (or any other company's secure boot features for that matter). Because there's literally nothing you can't get from properly set up access levels and encryption that secure boot can even partially replace. Hardware functions also should not rely on routines run in system-level triggered from user-level like this - this is just stupid, and adds a security risk you don't want to see. Virus and malware prevention at the boot level as well - bull****. Basically its sole purpose is to simply allow manufacturers to lock out other OSes than the one you've had pre-installed, letting you pay money to "sign" your OS or boot. But there you go.
Other than that, if you use a chain-loader of some sort, secure boot is not going to work very easily. It is possible, though - see rEFInd and so on in the UEFI boot guide in the sig.
edit: and yes, you can enable it if you can manage to create a gpt-partition, move your win8 partition inside it, create the system partition - and then register that system partition as you boot, having that partially complete UEFI boot with the legacy boot files properly spread out the way Microsoft intended.
I mean, it's technically possible, but figuring out where the ends and stumps are supposed to go is going to border on the impossible. Meanwhile, copying a functioning secure boot from a different source is going to basically undermine the entire point. So there's that too.. Essentially, create a gpt-partition, reinstall, and so on. -
Hello!
I have the same problem, no secure boot option.
When I got the laptop I didn't use it with the default HDD inside, so I don't know whether secure boot was activated or not.
I swapped the original HDD with an SSD and installed Windows 8. After a few days I found out about secure boot and wanted to activate it, and realized that I don't have that option.
After searching several days on the internet I found some more information in order to enable UEFI.
1. The partition has to be GPT instead of MBR
2. Windows 8 has to be installed with UEFI/EFI activated
3. Secure Boot has to be enabled
1) I checked with Disk Management and diskpart and both show GUID Partition Table (GPT). I remember from installing Windows that it kept making 4 partitions automatically and now I know why.
2) I checked Windows 8 to see if it's UEFI/EFI activated using "bcdedit /enum all": Windows Boot Manager returns as "bootmgfw.efi" and Windows Boot Loader returns as "winload.efi", which means that Windows 8 is UEFI/EFI activated.
3) Using the confirm-SecureBootUEFI command in PowerShell returns "FALSE", so no Secure Boot.
Any help is much appreciated
Thanks in advance,
Liviu -
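Added example (not part of any post in this thread): the three checks from the post above, plus a read of the firmware's Secure Boot variables, as one read-only PowerShell function. It assumes an elevated PowerShell 3.0 or later session on Windows 8 or later; the function name Get-SecureBootReadiness and its output field names are hypothetical.

```powershell
# Added example: read-only Secure Boot prerequisite report.
# Get-SecureBootReadiness and its field names are hypothetical; the cmdlets are standard.
function Get-SecureBootReadiness {
    # Check 1: the disk holding the Windows volume must use GPT and carry an
    # EFI System Partition (ESP), identified by its well-known GPT type GUID.
    $espType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
    $disk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $esp  = Get-Partition -DiskNumber $disk.Number |
            Where-Object { $_.GptType -eq $espType }

    # Check 2: the running boot entry must point at the EFI loader (winload.efi),
    # not the legacy winload.exe. The braces are quoted so PowerShell passes them on.
    $bcd = & bcdedit.exe /enum '{current}'
    $efiLoader = [bool]($bcd -match 'winload\.efi')

    # Check 3: Confirm-SecureBootUEFI returns $true/$false on a UEFI boot and
    # throws on a legacy-BIOS boot or when the session is not elevated.
    try {
        $state = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        $state = "Unavailable: $($_.Exception.Message)"
    }

    # Extra: read the firmware variables themselves. These are the same global
    # UEFI variables an EFI shell lists with dmpstore. SetupMode = 1 means no
    # Platform Key (PK) is enrolled, so the firmware cannot enforce Secure Boot yet.
    $vars = @{}
    foreach ($name in 'SetupMode', 'SecureBoot', 'PK') {
        try {
            $vars[$name] = (Get-SecureBootUEFI -Name $name -ErrorAction Stop).Bytes
        } catch {
            $vars[$name] = $null   # variable undefined or not readable
        }
    }

    # Compare against $null explicitly: a one-byte array holding 0 is "falsy"
    # in PowerShell and would otherwise be mistaken for a missing variable.
    [pscustomobject]@{
        PartitionStyle  = $disk.PartitionStyle
        EspPresent      = [bool]$esp
        EfiBootLoader   = $efiLoader
        SecureBootState = $state
        SetupMode       = if ($null -ne $vars.SetupMode)  { $vars.SetupMode[0] -eq 1 } else { $null }
        SecureBootVar   = if ($null -ne $vars.SecureBoot) { $vars.SecureBoot[0] }      else { $null }
        PlatformKeySet  = ($null -ne $vars.PK)
    }
}

Get-SecureBootReadiness | Format-List
```

A report showing GPT, an ESP and an EFI loader together with SecureBootState "Disabled" means the Windows-side prerequisites are met and the remaining switch lives in firmware setup.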
Meaker@Sager Company Representative
Just be aware that ISOs downloaded from Microsoft may still have UEFI broken on them.
-
Thanks for all answers so far.
My Windows partition is a GPT partition, it has three partitions in it (Recovery, EFI and C: - so all three that Windows creates by default).
I installed Windows 8 fresh, on a brand-new SSD, and upgraded to 8.1 with the ISO that has been available for download from MS Dreamspark (formerly MSDNAA) for 1 week.
Anything else I can do about it, to enable Secure Boot (or at least to see this option)? -
If then the signed bootloader is readable at boot-time by a device that accepts the public key stored in the bootloader, you would have a secure boot chain.
I honestly don't see why you would want this, or want to support any platform that aims to sign application and driver routines in any way on your personal PC. Having this essentially allows a licensing battle to be fought at the expense of us as users, for no purpose other than to stop unsigned software from being run.
You might think that it's useful for security purposes. That you can trust an application that is signed, while one that isn't will now not be so potentially harmful as before. But the truth is that you can establish secure program execution in much simpler ways. And it's utterly unlikely that Microsoft will ever create guidelines for user-level restriction and violations of said standard to the partners it will have negotiated "certificate" licenses with.
Meanwhile, who exactly is vulnerable to computers being hijacked at boot-time? It's office-scapes that already have client software that easily could require access through completely secure pipes. ..not with Windows networks, admittedly. But still, it is completely possible to do it securely for less money than what MS will charge you for a baseline support deal in a year..
So the main purpose of having a secure boot chain, from a suspicious point of view, is to prevent single users from effectively using other OSes on the computer. It is also a very cheap way of ensuring that - even if you actually use open formats - you can only ever access them with "secure signed" software.
Beyond that it is to lessen costs for actually securing the user-platform. That's the worst part of this. Instead of Microsoft securing their leaky dam with more gaffa-tape - they're just letting the leaks continue, and insisting that the leaks are now collected into a secure bin. Danger over.
Meanwhile, an alternative boot-manager would easily be possible to sign, to allow it to read public keys, etc. But why do it, for any other reason than to add a cost to the development of the program? It makes very little sense to do it. Besides - who do you trust more? Someone who makes their code public, and potentially takes money for putting it together in a neat, useful package? Or someone who hides their code, reuses broken solutions - and then pays an "authority" to sign the software to make only certain partner-signed software run on it? At this point, you know nothing about what the actual client code does.
This entire thing is a sham, quite frankly, and there's very little computer science technical justification for it beyond the entire "boot-time weakness". This has been an issue for a very long time. But since there's no need for any user-program at this point in time to see the actual hardware. Nor for any such computer to boot, or allow boots from unsecured devices. This means the actual scenario where "secure boot" is useful is extremely limited.
So do consider it carefully before you commit money to software or software solutions that require secure boot to function. It may not be as secure as you think. -
Thank you for your reply.
I like to consider myself a power user but this is beyond my knowledge.
Telling me what I have to do is much appreciated but, can you tell me how to do it? That would be awesome.
The reason I want secure boot is only for its added speed and nothing else.
I don't care about security or any other things you mention. And yes, I agree with you about the politics behind the secure boot, but what can I do? I'm not gonna pass on a laptop with a Core i7 just because it's Intel and I know it played dirty against others. I'm gonna get and use what's best for me in this moment regardless if it's Intel, AMD or NVIDIA and that's the same with secure boot, if you understand me.
Best regards,
Liviu -
no, I understand the motivation. I'm just waffling away because I don't really know how to do it.
I mean, it's typically very simple, you just need Windows to install its uefi boot manager (probably already done). Then enable secure boot in bios.
This is the same chain as booting, say, asus' uefi boot manager. And then having that boot-manager negotiate the public key, which then boots the windows boot-manager.
What it depends on is that the windows boot has a public key that the bios (or uefi bootloader) can accept. And I've literally no idea about the mechanics of how that works. Or how to check what sort of certificate you currently have, what the criteria are for making this work, etc. I haven't the faintest clue. -
A quick update from me. If the exact model is relevant I have the N56VZ-S4066V, where I replaced the RAM (to 16GB) and the HDD to an SSD.
I also found out that the BIOS/UEFI is able to access the EFI partition: I copied the EFI shell driver (SHELLX64.EFI) to its root and then I can launch the EFI Shell from the BIOS setup menu.
I also rebuilt the BCD file from the Windows setup DVD with diskpart and bcdedit and explicitly set everything to UEFI. But the SecureBoot/UEFI/FastBoot options are still completely missing in my BIOS setup.
I also read that, when UEFI boot is set up correctly, you should see the Asus logo during the entire boot process (also when Windows is booting). But I see instead first the Asus logo, which gets replaced by the Windows logo after one second.
I also opened my BIOS file (the dump from version 217) in AMIBCP (a BIOS edit tool). It showed that all the options are there and the access level is set to "default" - whatever this means... I could try to set them to access level "user" and reflash, but I wanted to take these drastic steps only as a last option, to not brick my device.
Any further ideas on how to enable these options?
edit: Another surprising observation: I downloaded a generic AMI flash tool "AFUWINGUI" directly from AMI (UEFI BIOS in this notebook is from AMI) and dumped the bios file. It has a different file size than the one that can be downloaded from the Asus website, but they have the same date, same version and same GUID. Strange. -
Flashing bios shouldn't be necessary (and forcing the secure boot setting won't make a difference either. It depends on the system launching the public key read routine, and then saving the certificate). But I'd sort of guess that the way Asus has done it is to have secure boot certificate negotiation through the asus efi boot, not directly from bios.
I.e., the problem likely is either one of, or a combination of: 1. that your windows efi boot isn't actually "certified", or has a certificate that can be issued. Or 2. the boot-manager can't read the certificate in the first place.
Also, note that the bios is not the asus efi boot manager. The asus efi boot-manager can not be downloaded from their site, it just stays on the oem readied boots, or from recovery partition runs. In other words, it's conceivable that your OEM windows version needs to have a certificate that will match the efi boot manager's headers, and that sort of thing. But like I said, the mechanics of this stuff when it comes to actual specifics is mostly impenetrable. -
Here you can get certified: UEFI Firmware Signing. -
upgraded to windows 8.1 too and got same watermark message, so i was searching for the same option, "secure boot control" on my n56vz-s4066v.... there is no option in bios too. so i googled a lot and as far as i found, the n56vz with preinstalled windows 7 (all n56vz with v in the string like n56vz-s4066v) have no such option. only the preinstalled windows 8 n56vz (all models like n56vz-s4066 h) have the secure boot control option in the "security" tab.
So, tested Bios 211, 215, 217, no option at all.. It's kidding me, I mailed asus support for that issue, in the manual, the option is for the windows 7 n56vz available too. Strange... -
Meaker@Sager Company Representative
Windows 7 shipping machines and windows 8 shipping machines tend to have a different bios structure.
-
Solution for the secure boot watermark in the windows 8.1 rtm version: It will be deleted by the "GA Rollup A" Update. So wait for it for tomorrow or it's leaked since a few days! -
No Update of the 3 has fixed the watermark. think ms must patch this error or every system manufacturer must update their uefi bios, where is no secure boot option (think thats impossible).
asus hides the secure boot option in uefi of n56vz, that comes with windows 7.. they know it since preview of win 8.1 and still not fixed the issue!
found one solution of modding the bios file here, didn't test it myself, a little risky:
http://www.bios-mods.com/forum/Thread-ASUS-N56VZ-XTU-unlock-requested?pid=51047#pid51047
-
How do I enable UEFI in this laptop?
My PC came with Win 7 preinstalled. I wanted to upgrade to Win 8/8.1 with UEFI, but my model doesn't have the options "Secure Boot" and "Launch CSM", only "Launch PXE OpROM", which at this point is disabled. Do I have to change something (possibly turn Launch PXE OpROM on?) or leave it as is?
What's the difference between Launch PXE OpROM on and off? -
Meaker@Sager Company Representative
It does not support it if you got windows 7 by the looks of it.
-
These options are "hidden" in the versions with pre installed win 7? -
Kevin@GenTechPC Company Representative
Not sure if others from the forum know about this. Perhaps you can check with ASUS and find out. -
Update removes the "Windows 8.1 SecureBoot isn't configured correctly" watermark in Windows 8.1 and Windows Server 2012 R2
I held up on updating to Windows 8.1 so I would like to know if this solves this issue of the watermark with the Asus N56VZ. -
Kevin@GenTechPC Company Representative
-
Nonetheless I find it very frustrating to be unable to find an answer to a simple question which is: given the same hardware, the same bios version - some n56vz's have "secure boot" option and some don't. It's not to blame anyone in this forum (who are generally as clueless in this regard as me), rather just venting... I mean, we now have ever expanding horizons of information available over internet, and, on the other hand, ever increasing secrecy and unwillingness to provide answers to simple questions like this on behalf of hardware developers....
I, for one, had a bios-mbr installation of windows 7, but then converted existing os to uefi-gpt (out of my geekish curiosity) successfully. I then installed windows 8.1 for the same reason alongside with it, and upon reading about secure boot tried to enable it - but there is no such option in setup. Might it be due to my dual-boot configuration? Would it reappear if there were only 8.1 installed alone? -
Meaker@Sager Company Representative
Bios files are called "windows 7" or "windows 8" to simplify it for users.
The windows 8 bios will have the OS key embedded in it for instance. -
Well... as long as we call the bios those files available for download from asus.com, windows 7 bios v.217 and windows 8 bios v.217 are bit-to-bit identical (SHA1 checksum = 7B0F21B986447E2697B05CE6D082AA1F727355D6). Am I wrong assuming that once one updates his bios using ezflash or with windows utility, the whole bios gets rewritten to a newer version and no hidden stuff remains (which would seem the only place to harbour those keys given exact equality of win7 and win8 bios files), independent from main firmware? I accept that I'm no expert in this field, and would be happy to hear from someone in the know.
update: I have just downloaded AFUWINGUI, the tool described in this post: http://forum.notebookreview.com/asus/732632-n56vz-no-secure-boot-option.html#post9387867. On its "setup" tab there are checkboxes next to "block options", which are: 1) program all blocks; 2) main bios image; 3) boot block; 4) nvram; and 5) ec block (grayed out). So it proves me wrong about my assumption - it seems there are indeed parts of firmware being left intact during standard flash procedure... Would "program all blocks" do the trick? I don't feel like I have courage to experiment, though...
Following the author of that post, I dumped my bios with this tool, and it is shorter than bios image from asus.com, it is 6 291 456 bytes, while the latter is 6 293 504 bytes. I wish I knew what sits in those 2048 bytes of difference.
update 2: upon horsing about in the efi shell, I've found a command to show nvram variables: dmpstore. It generates a lot of screens listing all of them, and there is this one:
variable - RS+BS+AW - '(long hex sequence, must be GUID?):SecureBoot' - DataSize=0x01
00000000:00
But I haven't found a command to actually set the value of this nvram variable. What will happen if set to 1? Is it possible at all? Too many questions... -
well, ok.
gave up and installed windows 7 back. (according to my tests using windows performance toolkit, the cpu load in win8 is on average 2% higher when running the same project in a digital audio workstation (ableton 9 in my case) than in win7, which is crucial - an interesting side note)
maybe when win9 is out, there will arrive someone to solve this win8 safeboot mystery.
merry xmas and happy new year to everyone! -
Hey ho,
I bought an ASUS N56VZ-S4016H and wanted to install Linux on a second HDD.
It's the N56 version that was delivered with Windows 7.
I tried to find the secure boot option, but it's unavailable due to the Windows 7 version of the laptop.
After that I started to search for a solution, but I only found a mod BIOS as a solution.
I'm not sure at the moment whether I want to risk it or whether it's safe.
I have installed BIOS 217, but I didn't find a mod BIOS with this version.
Does it matter if I want to go back?
Could anyone tell me a safe way to do this? (I mean where I can find a working file and the method to flash it)
ty in advance
greetings -
And what's the problem with installing Linux? What do you need the Secure Boot option for? -
Meaker@Sager Company Representative
The windows 7 version won't have the option because it does not have secure boot as far as I was aware, that is something a windows 8 bios would have since that's the OS it partners with.
N56VZ - No Secure Boot Option?
Discussion in 'Asus' started by foobar1337, Sep 20, 2013.