Troubleshooting - Secure Boot Icon Displays a Yellow or Red Badge

If you navigate to Windows Security > Device Security > Secure Boot and see that the Secure Boot icon is marked with a yellow or red badge, follow the steps in this guide.

For detailed information regarding the Secure Boot certificate update status in the Windows Security app, refer to Microsoft’s official documentation.

 

Step 1. Verify the BitLocker Status

If device encryption or BitLocker is enabled on your computer, disable it first or ensure that the recovery key has been securely backed up. Changing the Secure Boot key databases in Step 4 can cause BitLocker to ask for the recovery key at the next boot. For more details, refer to the article: Introduction to Device Encryption and Standard BitLocker Encryption.

 

Step 2. Confirm the Presence of the SecureBootRecovery.efi System File

Once in Windows, navigate to (C:\Windows\Boot\EFI) and check if the 「SecureBootRecovery.efi」 file is present.

 

Step 3. Prepare a USB Boot Drive (FAT32)
  1. Prepare a USB flash drive formatted as FAT32. If you are unsure how to convert to FAT32, refer to this article: How to convert the USB flash drive format to FAT32
    Then, in the root directory of the USB flash drive, click [New Folder] and name the folder [EFI]
    Enter the EFI folder, click [New Folder], and name the folder [BOOT]
  2. Copy the 「SecureBootRecovery.efi」 file from your computer into the BOOT folder on the USB drive.
    Then, right-click on [SecureBootRecovery.efi] and select [Rename]
  3. Rename the SecureBootRecovery.efi file to 「bootx64.efi」, so that its path on the USB drive is EFI\BOOT\bootx64.efi
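
Steps 1 to 3 can also be carried out from an elevated PowerShell prompt. The script below is an added example, not ASUS or Microsoft code; it assumes the USB flash drive is mounted as E: (change `$UsbLetter` to match your drive).

```powershell
# Added example: Steps 1-3 as checks plus the copy. Run in an elevated PowerShell.
# Assumption: the FAT32 USB flash drive is mounted as E: (change $UsbLetter).
$UsbLetter = 'E'
$Source    = 'C:\Windows\Boot\EFI\SecureBootRecovery.efi'
$DestDir   = "${UsbLetter}:\EFI\BOOT"
$Dest      = Join-Path $DestDir 'bootx64.efi'

# Step 1: report BitLocker / device encryption state of the OS volume.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
'{0} ProtectionStatus={1} VolumeStatus={2}' -f $bl.MountPoint, $bl.ProtectionStatus, $bl.VolumeStatus
if ($bl.ProtectionStatus -eq 'On') {
    $hasRp = [bool]($bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    Write-Warning "BitLocker is on (recovery password protector present: $hasRp). Disable it or confirm the recovery key is backed up before Step 4."
}

# Step 2: the recovery application must be present; report its Authenticode status.
if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) { throw "Not found: $Source" }
$sig = Get-AuthenticodeSignature -FilePath $Source
'Signature status: {0}; signer: {1}' -f $sig.Status, $sig.SignerCertificate.Subject

# Step 3: the target must be FAT32 before anything is written to it.
$vol = Get-Volume -DriveLetter $UsbLetter
if ($vol.FileSystem -ne 'FAT32') { throw "${UsbLetter}: is $($vol.FileSystem), not FAT32" }
if ($vol.DriveType -ne 'Removable') { Write-Warning "${UsbLetter}: reports DriveType $($vol.DriveType)" }
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null
Copy-Item -LiteralPath $Source -Destination $Dest -Force

# Confirm the staged copy is byte-identical to the source.
$srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $Dest   -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw "Hash mismatch after copy: $Dest" }
"Staged $Dest (SHA256 $dstHash)"
```

The script stops without writing to the drive if the file is missing or the volume is not FAT32.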

 

Step 4. Restore Secure Boot Keys in BIOS
  1. First, enter the BIOS configuration. With the device completely shut down, press and hold the [F2] key, then press the [Power button] to boot up while still holding it. Release the [F2] key once the BIOS screen appears. Here you can learn more about How to enter the BIOS utility.
  2. The BIOS configuration screen uses one of two interfaces: the UEFI interface or MyASUS in UEFI. Follow the steps below that match the BIOS screen of your device:
How to Restore Secure Boot Keys in the UEFI mode

Note: The BIOS configuration screen below may vary slightly depending on the model.

  1. After entering the BIOS utility, press the [F7] key on your keyboard, or you can click on the [Advanced Mode] option on the screen
  2. Enter the [Security] screen, and then select [Secure Boot]
  3. On the Secure Boot page, select [Key Management]
  4. Once in Key Management, select [Reset To Setup Mode]
  5. Choose [Yes] to confirm the deletion of all Secure Boot key databases. 
  6. After deleting all Secure Boot key databases, select [Restore Factory Keys]
  7. Choose [Yes] to confirm the installation of the factory default Secure Boot key database. 
  8. Save the settings and exit. Press the [F10] key on your keyboard, click [Ok], and the device will restart and the settings will take effect. 
    You can also go to the 「Save & Exit」 page and choose the 「Save Changes and Exit」 option to save your settings and exit. 

 

How to Restore Secure Boot Keys in the MyASUS in UEFI mode

Note: The BIOS configuration screen below may vary slightly depending on the model.

  1. After entering the BIOS utility, press the [F7] key on your keyboard, or you can click on the [Advanced Settings] option on the screen
  2. Enter the [Security] screen, and then select [Secure Boot]
  3. On the Secure Boot page, select [Key Management]
  4. Once in Key Management, select [Reset To Setup Mode]
  5. Choose [Yes] to confirm the deletion of all Secure Boot key databases. 
  6. After deleting all Secure Boot key databases, select [Restore Factory Keys]
  7. Choose [Yes] to confirm the installation of the factory default Secure Boot key database. 
  8. Save the settings and exit. Press the [F10] key on your keyboard, click [Confirm], and the device will restart and the settings will take effect. 
    You can also go to the 「Save & Exit」 page and choose the 「Save Changes and Exit」 option to save your settings and exit. 

 

Step 5. Boot from the USB Flash Drive
  1. Boot the computer from the USB flash drive. 
    With the computer powered off, press and hold the [Esc] key, then press the [Power button]. Release the [Esc] key when the boot menu appears. For more information, please refer to this article: How to Boot from a USB Flash Drive/CD-ROM (Changing Boot Options).
  2. In the boot options, select your USB flash drive to start
  3. When the system displays the following message, please wait for the computer to restart automatically. 

 

Step 6. Deploy the 2023 Secure Boot Keys
  1. In the Windows search bar, type Windows PowerShell
    From the search results, right-click Windows PowerShell and select Run as Administrator
  2. Enter the following command: 
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
  3. Then enter the following command: 
    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" 
  4. Restart your computer.
  5. After rebooting, open Windows PowerShell again as an administrator.
  6. Re-enter the following command: 
    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" 
  7. Restart your computer once more.
  8. Verify that the Secure Boot icon has turned green.
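
Besides the icon in Windows Security, the result of Step 6 can be checked from an elevated PowerShell prompt. The read-only script below is an added example, not ASUS code; the certificate names it searches for are the 2023 certificate names published by Microsoft and do not appear on this page.

```powershell
# Added example: read-only checks after Step 6. Run in an elevated PowerShell.
# Changes nothing; it only reads firmware variables, the registry and task state.

# Is Secure Boot enabled in firmware?
"Secure Boot enabled: $(Confirm-SecureBootUEFI)"

# Current value of the registry entry written in Step 6.2, shown in hex.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$au  = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
if ($null -ne $au) { 'AvailableUpdates = 0x{0:X}' -f $au } else { 'AvailableUpdates is not set' }

# State and last result of the task started in Steps 6.3 and 6.6.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
$info = $task | Get-ScheduledTaskInfo
'Task state: {0}; last run: {1}; last result: 0x{2:X}' -f $task.State, $info.LastRunTime, $info.LastTaskResult

# Search a Secure Boot variable for a certificate name. The name is stored as
# plain text inside the certificate, so an ASCII search of the raw bytes finds it.
function Test-SecureBootCert {
    param([string]$Variable, [string]$Name)
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Name)
}

# Assumption: 2023 certificate names as published by Microsoft (not from this page).
$expected = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
)
foreach ($e in $expected) {
    $found = Test-SecureBootCert -Variable $e.Variable -Name $e.Name
    '{0,-4} {1,-40} present: {2}' -f $e.Variable, $e.Name, $found
}
```

If a certificate is still reported as not present after the second restart, repeat Steps 6.5 to 6.7 before checking again.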

 

 

If your problem cannot be solved, please contact ASUS Product Support for further information.