Re-enabling secure boot after trying out non-WHQL USB 3.1 drivers

The USB 3.1 drivers found here are non-WHQL drivers and need Secure Boot to be disabled for the OS to boot. Take note that this is a legit site and is actually a famous one, in case you guys aren't familiar with it.

So after trying out these drivers, I decided to use the default Windows 10 WHQL drivers and re-enable Secure Boot. The issue is that my system won't boot (just loops into Automatic Repair) whenever I have Secure Boot enabled. It looks like it's still detecting the non-WHQL drivers but I'm sure they aren't anymore, unless I'm missing something here. Is there a way to check if all my drivers are WHQL-certified or are there any other checks I need to do for Secure Boot to be re-enabled?

Pejole2165 said:

The win-raid site is indeed a well known site, however the drivers they supply are modded heavily and aren't really for non enthusiast use. The chance of a (insert random % number here) performance increase for benchmarking is not really worth the risk to your system.
That said, how did you remove the non-whql drivers?
Did you use device manager, did you choose to remove driver software as well?
Did you do those steps while disconnected from the internet to prevent Windows from trying to install new drivers before you managed to restart?
Also when you disabled secure boot did you clear the keys?
A little more in depth detail of the procedure you used would probably help someone to help you to retrace your steps and solve your issue.

Right, and you can say I'm an enthusiast, not a home user. I really just can't figure out how to get around secure boot. Even enthusiasts don't know everything. But I certainly am comfortable in fiddling with things as I work in IT.

Sorry for not giving the specifics but here it goes:

1. Installed the driver-only package for the Intel USB 3.1 devices as instructed in the win-raid site. The win-raid CA was also imported as it was needed.
2. Rebooted Win 10 and it did not boot because I forgot to disable secure boot as instructed.
3. Rebooted again and this time disabled secure boot from the UEFI but never cleared the keys. Win 10 booted just fine with the win-raid drivers.
4. I decided to use the default drivers and so I went to device manager and updated the drivers of the intel devices there (properties -> update driver) and selected the default ones. This was also in the instructions in the site. My Internet connection was never disconnected at any point and even if it automatically downloads and installs from Windows Update, that is fine with me because those are WHQL drivers anyway.
5. Rebooted and went to UEFI. Cleared keys, reinstalled keys, and re-enabled secure boot.
6. Win 10 never boots when secure boot is enabled so I'm running it disabled now.
7. Posted here in this forum for help.

I hope that explains all I did. Thanks.

Have you tried a system restore point from before the driver update?
Also, you might use an image made of the system before the driver update.

kevindd992002 said:

So after trying out these drivers, I decided to use the default Windows 10 WHQL drivers and re-enable Secure Boot. The issue is that my system won't boot (just loops into Automatic Repair) whenever I have Secure Boot enabled. It looks like it's still detecting the non-WHQL drivers but I'm sure they aren't anymore, unless I'm missing something here. Is there a way to check if all my drivers are WHQL-certified or are there any other checks I need to do for Secure Boot to be re-enabled?

Your post is somewhat confusing as to what's happening, but....

In order to "re-enable" secure boot you must insure "CSM" is disabled as these two work hand and hand. See my posts here and especially this one here (same thread).

Additionally if you need(ed) install a non-signed driver, you could do so by disabling Windows' driver signature enforcement policy. See here - How to disable driver signature enforcement on Windows 10.

With that, I'm not so sure why you needed to disable secure boot as that's mainly a hardware level feature thus why it's in the BIOS.

Let me know.

Pejole2165 said:

The reply I gave started with a blanket warning about the drivers on this site for others browsing this topic, it was not directed at you specifically. My apologies if you took it as such.
The reason I asked about the steps you took to install and then uninstall the drivers is because unless you chose to remove the driver software at the time of uninstall it remains on your system.
It is highly likely that some of the modded files are still in use, even though you have installed the whql drivers.
What I would suggest is disconnecting from the internet, use device manager to uninstall all USB drivers (hubs, root etc) and choose also to remove driver software. I would then run Autoruns from Sysinternals to check for any USB related services/drivers and remove those also. Reboot and enter the BIOS and load system defaults, check to see if the defaults have secure boot enabled then see if the machine boots. If it does boot Windows should detect and load appropriate drivers for the USB from its driver store, if not, install the whql USB drivers.
If you still cannot boot with secure boot enabled I would suggest asking for help on a forum for your BIOS if one exists or try the win raid site forum.

No apologies needed because no offense was taken. I just wanted to lay out that I'm not a home user but am definitely not an expert as well. I just know a couple of things here and there.

There wasn't any software installed. I used the DPInst.exe file which automatically installs the drivers only as if you used device manager.

I agree that some modded files might still be in use but I don't know which one. I showed all hidden devices in device manager and checked all devices under "USB controllers" and all of them are using the MS WHQL-signed drivers.

When you say "choose also to remove driver software", are you referring to any USB driver software in programs and features (control panel)? Using Autoruns is a good idea, let me try that. I didn't trying loading the BIOS defaults yet but I'll do that anyway because I'll be flashing a new BIOS later anyway, so that's also worth a shot.

I already tried asking for help from the win-raid forum but to no avail but I'll continue trying. I haven't posted in the ASUS forums yet though.

pbcopter said:

Have you tried a system restore point from before the driver update?
Also, you might use an image made of the system before the driver update.

I would have tried that before posting here but the problem is that I have system restore disabled for this system. I also haven't manually backed this system up recently.

sygnus21 said:

Your post is somewhat confusing as to what's happening, but....

In order to "re-enable" secure boot you must insure "CSM" is disabled as these two work hand and hand. See my posts here and especially this one here (same thread).

Additionally if you need(ed) install a non-signed driver, you could do so by disabling Windows' driver signature enforcement policy. See here - How to disable driver signature enforcement on Windows 10.

With that, I'm not so sure why you needed to disable secure boot as that's mainly a hardware level feature thus why it's in the BIOS.

Let me know.

Which specific part of my post is confusing? (no pun intended). It's actually really simple. I'm aware that CSM must be disabled as that screams "Legacy" hardware. I have Secure Boot enabled and CSM disabled (since all my hardware are UEFI-compatible) BEFORE installing the modded Intel USB 3.1 drivers and everything was working fine. My main system components are:

ASUS Maximus X Code (Z370 chipset)
EVGA GTX 1080Ti
Samsung 970 EVO nVME (OS drive)
Samsung 860 EVO x 2 (ran as a Simple Storage Space for storage)

After installing the modded drivers, I had to disable Secure Boot (which I expected) to make my system boot. I then decided to revert back to using the default Windows 10 drivers, so I uninstalled all modded drivers, and was expecting that re-enabling Secure Boot should be as straightforward as it can be but this was not the case.

In order to answer your question as to why I had to disable Secure Boot in the first place, here's a link from win-raid regarding that: Forum - RE: USB 3.0/3.1 Drivers (original and modded) - 128

But basically, if you install these modded drivers (which are signed by the Win-RAID CA) you will not be able to boot Win 10 if Secure Boot is enabled.

Pejole2165 said:

Yeah I suggested he set the BIOS to defaults after removing all USB drivers hoping that would undo any changes he made and allow him to boot with secure boot on. Not sure he did change the CSM setting...his post mentions CA was imported not CSM.
Yes he could try system restore or a system image restore but I assume based on his professed technical knowledge he could have already have tried those methods and that he is trying to figure out the why of the issue rather than just overwrite it, inquiring mind and all.
A similar issue occurs if you try to uninstall the Intel RST drivers and changing to AHCI, a certain service is left behind causing a stop code on boot, going to safe mode and hunting down the service cures the issue, I have a feeling there are still some of the modded files from the USB install in use causing secure mode boot to fail.

See my answers above. But yes, I would really like to know the why in this whole shinanigan so that I'll know what to do in the future in case this happens again.

The switch from RAID to AHCI (or vice versa) is similar but is easier to solve though. It's as simple as booting into safe mode and letting Win 10 do its thing. After doing that, you can boot normally into Win 10. Unlike with this Secure Boot issue, you can't even boot into Safe Mode.

kevindd992002 said:

In order to answer your question as to why I had to disable Secure Boot in the first place, here's a link from win-raid regarding that: Forum - RE: USB 3.0/3.1 Drivers (original and modded) - 128

But basically, if you install these modded drivers (which are signed by the Win-RAID CA) you will not be able to boot Win 10 if Secure Boot is enabled.

Not to state the obvious but that's not really a safe practice - disabling Secure Boot to install questionable 3rd party drivers. Yes, I know of Win-RAID, but still.... And with Windows 10, I'm not sure why you'd need a tweaked USB driver.

Anyway I've no idea why you can't simply reverse the disablement of Secure Boot and have the system work as normal unless something got hosed (or worse) during the driver trial.

Edit: Try this when you get the screen where you enable Secure Boot there should be a setting with something akin to RSA keys. In the area there should be a setting to load the default keys. Try that and go from there. Be aware you wont get that screen until you get to the Secure Boot screen.

Outside of that, my best suggestion at this time would to try a repair install to try and fix the boot problems. You might also try resetting the BIOS by doing a Clear CMOS. In fact, I might try the BIOS reset first.

Good luck.