The Windows Club

Fix: Secure Boot isn’t configured correctly in Windows 8.1/10

The Secure Boot feature in Windows 10 or Windows 8.1/8, assures a user that his PC boots using only firmware that is trusted by the manufacturer and no one else. So, if there are any incorrect configurations, end users might be presented with Secure Boot isn’t Configured Correctly watermark in the bottom right corner of your desktop.

Why does this feature assume importance? Well, when the Secure Boot is activated on a PC, the PC checks each piece of software, including the option ROMs, UEFI drivers, UEFI apps, and the operating system, against databases of known-good signatures maintained in the firmware. If each piece of software is valid, the firmware runs the software and the operating system. Unauthorized software such as rootkit viruses are prevented from running.

So if you see the Secure Boot isn’t configured watermark correctly on the desktop, it probably indicates that the Windows Secure Boot feature has either been disabled or hasn’t been set up on your PC. The problem wasn’t known much until early Windows 8 adopters started switching to the latest Windows 8.1 update available for free from the Windows Store.

Read: What is Secure Boot, Trusted Boot, Measured Boot.

Secure Boot isn’t configured correctly

A handful of users started getting Secure Boot Isn’t Configured Correctly message after upgrading to the new Windows 8.1. Even though no workaround has been made available right now, Microsoft offers a few instructions to get the problem fixed.

First, you need to check to see if Secure Boot has been disabled in the BIOS and in case it is, re-enable it. Then, you should try resetting the BIOS back to factory settings, and in case this doesn’t work, you could try resetting your PC back to factory state and then re-enable Secure Boot.

Read: How to Secure the Windows 10 Boot Process.

Disable or Enable Secure Boot

While I do not recommend that you disable Secure Boot, if the option is present on your system, should you wish to, you can disable Secure Boot, by tweaking your BIOS. Using Advanced Options in Windows 8, click on UEFI Firmware Settings and restart your PC. Now in your BIOS settings screen, in your motherboards UEFI settings, you will see the option to enable or disable Secure Boot, somewhere under the Security section.

View and Check the Event Viewer

To find out the possible reasons, you could check out the Windows Logs. The Windows Event Viewer shows a log of application and system messages – errors, information messages, and warnings.

Then, look for either of these logged events:

  1. Secure Boot is currently disabled. Please enable Secure Boot through the system firmware. (The PC is in UEFI mode, and Secure Boot is disabled.) or
  2. A non-production Secure Boot Policy was detected. Remove Debug/PreRelease policy through the system firmware. (The PC has a non-production policy.)

You can also use PowerShell commands to check the status.

To see if Secure Boot is disabled, use the PowerShell command: Confirm-SecureBootUEFI. You’ll get one of these responses:

  1. True: Secure Boot is enabled, and the watermark won’t appear.
  2. False: Secure Boot is disabled, and a watermark will appear.
  3. Cmdlet not supported on this platform: The PC may not support Secure Boot, or the PC may be configured in legacy BIOS mode. The watermark won’t appear.

To see if you have a non-production policy installed, use the PowerShell command: Get-SecureBootPolicy. You’ll get one of these responses:

  1. {77FA9ABD-0359-4D32-BD60-28F4E78F784B}: The correct Secure Boot policy is in place.
  2. Anything other GUID: A non-production Secure Boot policy is in place.
  3. Secure Boot policy is not enabled on this machine: The PC may not support Secure Boot, or the PC may be configured in legacy BIOS mode. The watermark won’t appear.

Source: TechNet.

NOTE: Microsoft has now released an Update, which removes the “Windows SecureBoot isn’t configured correctly” watermark in Windows 8.1 and Windows Server 2012 R2. Go get it at KB2902864.