I have been running Win 10 (on standard internal ssd drive as pre-installed) and booting to Zorin from an install on a usb external drive (which performs better than win 10!).
A while ago the secure boot settings were changed by a Windows update which stopped Zorin booting. As I had been happily using Zorin for months and preferred it, I just turned off secure boot in the BIOS and all was well.
At that point my intention was to simply install Zorin onto the internal ssd when win 10 went out of support, leave secure boot turned off and go from there.
However (for convoluted family reasons), I may have to keep the pc in its current setup - zorin on usb, windows (but version 11). However to get win 11 installed and running, I have to turn on secure boot.
So the question is: should Zorin now work ok with secure boot turned on? - I do update all the time, but only the security updates.
It's not the end of the world if not. I will convert this pc to win 11 only and buy a new pc just for zorin. Thankfully I can afford it, but I'm tight so object to the "unnecessary" expense!
In theory this is possible to do. For example, Debian can boot with secure boot enabled. In this page it's explained how it works and what it would take to make it work for other distributions, but it sounds a lot easier said than done in practice.
Since you have to install W11 anyway, I think it's easier to just give it a try and see what happens?
If you're willing to buy another computer, take a look at refurbished or second hand computers. There are also many that come without an OS installed, which are much cheaper and are ideal for installing your own.
I'm not entirely sure here, but if I remember correctly, Microsoft has loosened the restrictions for installing Windows 11.
I would suggest the following. Disable Secure Boot and then try to install Windows 11. If it works, okay. If there are complaints that you can't ignore, enable it and install Windows 11, and then disable Secure Boot after the installation.
zenzen
yep, that really does look a lot easier said than done!
If it does turn out to be a problem, I will give my pc to my wife with windows 11 installed. Although it is 8 years old, it does everything I want to do - mainly gaming, apart from the usual browsing etc. Zorin (and Steam) have handled gaming remarkably well. A new pc would be bought to be my new gaming (linux only) pc - this time all AMD and no messing with nvidia as I have had to a couple of times so far. In this scenario, the only casualty (apart from my wallet), would be my wife's current pc (12+ years old) which simply would not allow win 11. Although I could put linux on it (my original plan if all is well), my wife is not at ease with online banking without windows AV etc.
Still fingers crossed - original plan is she keeps her pc with linux installed, I keep mine dual booting with zorin and windows 11 on for my wife to bank on once a month....
Ponce-De-Leon
I think you are right - will have to try it and see. Will unplug my zorin usb boot drive, turn on secure boot to install win11 then reconnect my zorin drive and see what happens. I just remember being really thrown when it didn't work after Microsoft updated the signatures in the TPM and Linux wouldn't boot (several months ago) until I turned off secure boot. Ah - I miss the old days - my first pc was an 8088 running dos 3.3; simpler times lol.
banger
Hey that sounds really promising! May I ask if your graphics card is nvidia or AMD (or something else)? I have been looking around at other distros that "work with secure boot". Mint and Ubuntu 22 looked promising but lots of folk seem to have issues with them, if they have nvidia GPUs.
Meanwhile, my wife is working on backing up everything on her win 10 pc before I can put Zorin on it. When we have that as a happy linux pc, I can start poking at my own pc safe in the knowledge that if it goes catastrophically wrong (hoping for the best, but planning for the worst) we can still get onto the internet etc.
Nvidia specifically will work with secure boot if you:
Install Zorin with secure boot enabled in the installer while allowing proprietary drivers.
After the OS install, more likely than not (with 4 of 4 different Nvidia laptop cards I've used), you'll need to enable X11 instead of Wayland.
Edit the configuration file:
sudo nano /etc/gdm3/custom.conf
to uncomment [remove # from] the line containing:
WaylandEnable=false
Either way, you must enroll the machine operator key (MOK) that Zorin signs the Nvidia drivers with:
Thanks chronosJ - great detailed info - much appreciated! Will make note of this for when the time comes.
I will read this again in the morning (brain gone now..) - there are a couple of things I am completely unfamiliar with here I think - will search to get better background - still a linux rookie I'm afraid!
Well I finally got round to trying to boot Zorin with secure boot enabled with windows boot selected. It worked without me having to do anything!
It took me this long to get around to it, as I was wrestling with "upgrading" from windows 10 to 11. I finally succeeded with that - local accounts etc. This PC will go to my wife when I get a new PC near Black Friday.
However there was one (major) issue after zorin was loaded with secure boot on (windows selected). Steam would load but started to have response issues and all games are ridiculously chuggy. They were fine last time I had loaded up.
The only change I have made is the secure boot selection - so I am guessing I have to execute the commands listed by chronosJ to sort the nvidia drivers out (assuming that is the issue)?
For completeness I was planning to try again with secure boot on (but with "other OS" selected as usual for my zorin) just to see if normality returned. However after several days of Windows hell, I really can't face tinkering for a bit. Will regroup and try tomorrow.
If chronosJ's advice is exactly what I should be doing (sorry - my rookie linux brain can't assess this!) does it matter that my initial install was without secure boot on? I am already on X11 rather than Wayland.
Also - regarding "enrol the key in the bios" after reboot; is there some value I should be acquiring from Zorin before reboot to then enter in the bios? Or is it somehow automatic?
I have Zorin OS 18 on my desktop PC with secure boot enabled, but I enabled it in the Zorin installation, I don't know if you can enable it after installation.
Though I also noticed that in Zorin OS 18, there is a new menu that allows you to check if secure boot is enabled.
Zac0511 -
I still have zorin 17 core - I don't think it has that menu; I may be missing it when looking of course!
chronosJ -
I tried your list enrolled command and it returned nothing. Out of interest, I dropped the grep zorin bit and it (broadly - I have replaced lots of hex values with just xxx in case it's actually sensitive info) gave:
Is that the certificate that actually lets me boot with secure boot on with Windows selected? Is it "safe" to try the enrolling of the nvidia keys without the proper OS signature keys installed?
Yikes - so many words, so little understanding. Slowly, slowly onwards....
I booted up Zorin in secure boot mode, selecting "Other" rather than "windows" in the BIOS. Everything works well - the games are as they were, all good.
So the issue definitely only occurs when secure boot is set to windows mode. On the plus side at least zorin boots up in that mode now - it used to come up with shim bat errors earlier this year (August?).
I imagine that chronosJ's procedure to enrol nvidia would solve that (booting in win mode); my uneducated guess anyway lol. That would be nice, as I could dual boot without having to change secure boot mode every time.
However it seems I may have to reinstall Zorin from scratch with secure boot enabled to be able to follow through with the nvidia stuff.
Will update again when there is time to take this forward - hopefully sooner rather than later!
You can check if secure boot is enabled with the command mokutil --sb-state
I had always read that changing the OS in the BIOS from "Windows" to "other OS" disables secure boot. I don't know if this is different for you, but you could check it with the above command. You will get an output "SecureBoot enabled" or "SecureBoot disabled".
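Added example, not part of any post in this thread: a shell sketch that reads the UEFI variables `mokutil --sb-state` reports on, so the state can be confirmed independently of a misleading BIOS screen, and that scans kernel log text for modules refused by signature enforcement. The efivarfs mount path, the idea that the slow graphics come from a rejected driver module, and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the UEFI variables behind
# `mokutil --sb-state` and scans kernel log text for rejected modules.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e04c3f8a29   # UEFI global variable GUID
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}  # assumed efivarfs mount

# Print the value of a one-byte UEFI variable file. efivarfs puts a 4-byte
# attribute field in front of the data, so the value is the fifth byte.
efi_var_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Print enabled, disabled, setup-mode, or unsupported (no readable variable,
# for example a legacy BIOS boot).
secure_boot_state() {
    dir=${1:-$EFIVARS_DIR}
    sb=$(efi_var_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") || { echo unsupported; return 0; }
    setup=$(efi_var_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || setup=0
    if [ "$setup" = 1 ]; then echo setup-mode
    elif [ "$sb" = 1 ]; then echo enabled
    else echo disabled
    fi
}

# Read kernel log text on stdin; print lines where module signature
# enforcement or kernel lockdown refused a module. Exit status 1 if none.
rejected_modules() {
    grep -E 'Loading of .* is rejected|unsigned module loading is restricted'
}

# Constructed sample log lines (not captured from the poster's machine).
SAMPLE_LOG='[    4.101] Loading of module with unavailable key is rejected
[    4.102] nouveau 0000:01:00.0: DRM: allocated 1920x1080 fb
[    9.733] Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7'

echo "Secure Boot: $(secure_boot_state)"
printf '%s\n' "$SAMPLE_LOG" | rejected_modules
```

On a real system, feed `rejected_modules` the output of `sudo dmesg` or `journalctl -k` instead of the sample text.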
Yes, Zorin 17.x does not have the secure boot status menu, but anyway it's just a status menu, it doesn't do anything, you don't need it to have secure boot enabled.
I ran your state check command when booting from "other os" and yep - secure boot is not enabled. I then booted with the bios set to "windows". Your command then reports secure boot enabled. Unfortunately even in this mode, chronosJ's list-enrolled still advises that zorin is not enrolled....
My BIOS is very misleading. Secure Boot is listed as enabled (greyed out and not changeable as far as I can see). In that section it just lists the two options, "other" and "windows". Nowhere does it hint that selecting "other" turns it off (the greyed out heading of the section saying secure boot is on does not change).
Zac0511
Thanks for confirming the absence of the secure boot status from the zorin 17.x - also that it is just an info rather than change type of thing.
Yes, that's really poorly done. If you read the BIOS user manual, you'll find such things mentioned, but it's not apparent in the BIOS itself. I had this problem recently when I was trying to help another user, and that's how I figured out how to disable secure boot.