Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
 Something has gone seriously wrong
#1
On BOTH the USB drives on which I run Ventoy, I now as of a few days ago, get an error message on trying to boot which says:

"Verifying ..... data failed. Security Policy Violation .... data failed. Something went seriously wrong".

I can't read all of it because it is in tiny print and only on the screen for a short period. I any event, Ventoy won't boot and I gather from some somewhat apocryphal reports I have seen, that it has something to do with something MS has done very recently.

Hopefully Ventoy will be able to overcome the problem.


EDIT: if you turn SECURE BOOT off, it all works. But I imagine that turning Secure Boot off in a workplace environment is not an option so hopefully Ventoy will be able to overcome this issue.
Reply
#2
It's been brought up already. Yes, it's a secure boot issue. This happens on some PCs that have been updated, or newer PCs from the factory. There supposedly is a solution, but I can't seem to find out what it is, it looks like you have to snag an EFI file from some Linux distro and put it on the drive. I've not been able to follow along on it to find out exactly where.

Like you said, you can boot to it if you turn off secure boot. I do so , just for that session and then reenable it when done. I am sure I'll forget one sooner or later and leave it disabled 'in the wild' and get my a## chewed out for it.
Reply
#3
For a while you could enable this option in the bios and it work without disabling secure boot:

“Allow Microsoft 3rd Party UEFI CA”

This no longer works for me on Dell laptops.  I am back to being forced to disable secure boot each time if I want to use Ventoy....which won't be much longer if there isn't a fix for this soon.  Constantly disabling and reenabling secure boot is getting old quick.
Reply
#4
It appears to be DELL that's changing the game since the original approach worked fine.  What do you think Ventoy could do... if it doesn't know what DELL is doing?
Reply
#5
(08-22-2024, 06:41 PM)FroggieTheGremlin Wrote: It appears to be DELL that's changing the game since the original approach worked fine.  What do you think Ventoy could do... if it doesn't know what DELL is doing?

Well that is why I made my original post about it not working, to see if the developer could find out why it isn't working and fix it.

However, the developer hasn't responded to that thread at all and that was almost 3 months ago when the thread was started.
Reply
#6
If you 'burn' your ISO to a USB using Rufus, will that boot then? That is, boot with Secure Boot on.

Rufus is hardly as flexible as Ventoy but if turning off Secure Boot is too much of a pain or not an option .........



EDIT: YES - if you use Rufus to burn your ISO to a USB stick, it will boot with Secure Boot ON.
Reply
#7
I have been booting the ISO's with Ventoy and Secure Boot enabled on an old DELL PC (officially not suitable for Windows 11) for the last few days and yesterday 
Windows automatically installed an update.
Ventoy no longer boots with Secure Boot enabled and the PC shuts down.

Ventoy is great and so easy to use in the standard configuration, but there will never be a permanent solution for Ventoy and other bootloaders not signed by MS.

It has nothing to do with Dell, I have other PC's (self-built pc) and Windows Update has also updated the dbx database on these PCs, so the Ventoy Secure Boot option no longer works.

Use Easy2Boot with partition image files (.imgPTN),
WinSetupFromUSB with restrictions (no Linux) or an 
IODD (bootable virtual CD-ROM drive) and you will have no problems with Secure Boot enabled.

If you often have to boot other people's PCs, it is always an advantage to have several tools at your disposal. Rolleyes

Edit: longpanda wrote a long time ago about this topic
https://forums.ventoy.net/showthread.php?tid=2163

It should be that: The BIOS firmware trust BOOTX64.EFI (it's actually shim.efi) then BOOTX64.EFI trust grubx64.efi.
So the Ventoy .cer file is for BOOTX64.EFI to trust grubx64.efi not for the BIOS.
The BOOTX64.EFI was already signatured by Microsoft Key and should be trusted by the BIOS firmware by default.

If your BIOS report bad sig that means that your BIOS doesn't trust BOOTX64.EFI anymore.
It may because that Microsoft add the BOOTX64.EFI to the dbx and after you update Windows the dbx info will write to your motherboard and then when reboot
your BIOS find that the BOOTX64.EFI's hash is in the dbx so it refuse to boot it and report bad sig.

So what you need it to make your BIOS trust BOOTX64.EFI in some way.
Reply
#8
found a new multiboot program and it works great with uefi, secure boot
Easy2Boot_v2.20
fully customizable as well
Reply


Forum Jump:


Users browsing this thread: 4 Guest(s)