Many people who own machines with Asus motherboards are wondering why Asus turned on Secure Boot in UEFI. Windows 7 users with those motherboards didn't have any outward warnings of the setting -- Win7 doesn't support Secure Boot -- until BitLocker patch KB 3133977 appeared.
KB 3133977, in turn, was a fix for an earlier bug in KB 2990184, which was a fix for a problem with backing up a Federal Information Processing Standard (FIPS) password to Active Directory in FIPS compliance mode. Got that?
KB 3133977 went from Optional on March 15 to Recommended on April 12. Back when it was Optional, only a few people installed it, and a small percentage of them with the right (wrong?) Asus motherboard saw their machines freeze. The earliest report I can find of the freeze comes from Nick Baker, posted on March 19 on the Superuser forum:
I have a PC with an Asus motherboard running Windows 7 Pro. Yesterday I installed latest Windows updates, restarted, and shortly afterwards hibernated the machine. This morning on un-hibernating I got a black screen with: "The system found unauthorized changes on the firmware, operating system, or UEFI drivers."
On March 21, poster evilsofa on HardForum said:
I'm dual booting Windows 10 on one SSD and Windows 7 on the other SSD; motherboard is the Asus Sabertooth Z170. Secure Boot suddenly stopped working for Windows 7 but not for Windows 10.... Booting up in Safe Mode was not possible, and the Secure Boot setting in the BIOS was greyed out and not changeable in a straightforward manner. I eventually learned how to disable Secure Boot on current motherboards by backing up then deleting the PK Secure Boot Key.
For whatever reason, apparently Microsoft didn't see the problem reports and upgraded the patch to Recommended. Gradually, people saw the fix, then checked and installed the Recommended update; next thing you know, their machines wouldn't boot.
I'm now seeing problems reported from all over the globe about Windows 7 machines that suddenly won't boot, showing a red box that says:
Secure Boot Violation
The system found unauthorized changes on your firmware, operating system or UEFI drivers.
Press [OK] to run the next boot device, or enter directly to BIOS Setup if there are no other boot devices installed.
Go to BIOS Setup > Advanced > Boot and change the current boot device into other secured boot device.
It's a wonderful sentiment, but there's no indication that a Recommended Windows patch caused the problem. And if you don't have another secured boot device you're up the ol' UEFI creek without a paddle.
Asus responded with FAQ 1016356, which describes a way to disable UEFI Secure Boot on their motherboards. (I can't tell when Asus posted its FAQ, because it's undated.)
I'm also seeing reports that uninstalling the Recommended update will bring your PC back if you can boot to a different operating system, bypass Win7's lockup, and uninstall the patch.
The KB article now helpfully notes:
After you install update 3133977 on a Windows 7 x64-based system that includes an Asus-based main board, the system does not start, and it generates a Secure Boot error on the Asus BIOS screen. This problem occurs because Asus allowed the main board to enable the Secure Boot process even though Windows 7 does not support this feature.
To resolve this problem, go to the following Asus support website to learn how to disable Secure Boot for Windows 7:
Note: The Secure Boot feature is supported in Windows 10. To learn more about the security advantages of this feature and about the upgrade path from Windows 7 to Windows 10, go to the following Windows website:
I think of that Win10 shot as rubbing salt in the wound, but Asus appears to be at fault.