 Ventoy enroll key manager not working in new Dell laptops that use SecureBoot
#22
(10-16-2024, 02:58 PM)Rootman Wrote:
(10-13-2024, 08:19 AM)asheroto Wrote: See possible shim workaround by a contributor. Others are reporting this works for now.

https://github.com/ventoy/Ventoy/issues/...2362323248

I also tried it and it works for me too. I had a bunch of brand new DELL PCs come in a few weeks ago; Ventoy did NOT work when Secure Boot was enabled. I could disable it, then it would run. My company requires Secure Boot be on for all PCs.

Some ELI5 instructions for anyone who may be confused: 
I downloaded the ZIP file from the GitHub link https://github.com/user-attachments/file...img.xz.zip

I replaced the file ventoy.disk.img.xz in my ventoy-1.0.99 Install folder in the ventoy subfolder overwriting the version that was here. 

With your Ventoy stick mounted, from the root of the Ventoy install folder run Ventoy2Disk.exe, choose the UPDATE button, which even though it's the same version will NON-destructively update it with the contents of the new ventoy.disk.img.xz you placed in the Ventoy install folder.

Your stick should now work when the PC is using Secure Boot, you will still have to enroll the ID just as you did before back when the OLD shim still worked and reboot.  The ID will be good from there on out ON THAT MACHINE, and will be good for ANY Ventoy stick (as long as it has this updated shim) drive.

I tested this out 'scientifically'.

I used my unmodified Ventoy drive on a new PC that has Secure Boot running on it, it would previously not run it. The results were the same, it produces a security error and does not boot to the Ventoy menu.

I updated the stick using the new shim file and went to the SAME PC and booted to the Ventoy stick.  It now booted to the Ventoy screen that asks that you enroll the ID key, you do so, then reboot and boot back to the stick, it now works just fine.

This solution will also only work for a short time:

The enforcement phase of the Secure Boot changes related to CVE-2023-24932 will start in a few weeks.

The “Windows Production PCA 2011” certificate will automatically be revoked by being added to the Secure Boot UEFI Forbidden List (DBX) on capable devices.
These updates will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled.

https://support.microsoft.com/en-gb/topi...ion5025885
Reply
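
The revocation described in the last reply can be checked on a given machine by looking for the certificate in its DBX. The following is an added example, not part of the thread or of Ventoy: it parses a dbx blob in the UEFI `EFI_SIGNATURE_LIST` layout and reports whether an X.509 entry carries the certificate name quoted in the post. The sample blobs and the `make_list` helper are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PCA_NAME = b"Windows Production PCA 2011"  # name as quoted in the post


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a dbx blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def pca2011_revoked(blob):
    """True if an X.509 dbx entry contains the PCA 2011 name."""
    return any(t == EFI_CERT_X509 and PCA_NAME in data
               for t, _, data in parse_signature_lists(blob))


def make_list(sig_type, entries):
    """Build one EFI_SIGNATURE_LIST from equal-sized entries (sample helper)."""
    owner = uuid.UUID(int=0).bytes_le
    body = b"".join(owner + e for e in entries)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0]))
    return header + body


# Constructed sample data: two dummy hashes, and a placeholder blob standing in
# for a DER certificate. Neither is real dbx content.
HASH_ONLY_DBX = make_list(EFI_CERT_SHA256, [b"\x11" * 32, b"\x22" * 32])
REVOKED_DBX = HASH_ONLY_DBX + make_list(
    EFI_CERT_X509, [b"\x30\x82" + b"CN=Microsoft " + PCA_NAME + b"\x00" * 8])

if __name__ == "__main__":
    print(pca2011_revoked(HASH_ONLY_DBX), pca2011_revoked(REVOKED_DBX))
```

On Linux the live variable can be read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; the first 4 bytes of that file are the variable attributes and must be stripped before parsing.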


Messages In This Thread
RE: Ventoy enroll key manager not working in new Dell laptops that use SecureBoot - by Van Flusen - 10-16-2024, 03:54 PM
