@manciuszz
Last active February 12, 2026 16:23
Quick guide explaining how to configure a custom UEFI Boot Menu entry that loads the `FakeSecureBoot` driver.

FakeSecureBoot UEFI Menu Setup Guide

This guide explains how to configure a custom UEFI Boot Menu entry that loads the FakeSecureBoot driver using a UEFI Shell script before launching Windows. This allows you to spoof Secure Boot "Enabled" status while keeping it physically disabled in the BIOS, without relying on external USB sticks or manual interaction with a UEFI shell.

1. Prerequisites

  • Secure Boot: Must be Disabled in BIOS.
  • BitLocker: If enabled, have your Recovery Key ready or suspend BitLocker protection.
  • Architecture: 64-bit UEFI system.

2. Required Files

Download the following files:

  1. UEFI Shell: shellx64.efi (Rename to Shell.efi).
  2. FakeSecureBoot Driver: FakeSecureBoot.efi (v1.0 or newer).

3. Installation & File Placement

  1. Open Command Prompt as Administrator.
  2. Mount the EFI System Partition (ESP):
    mountvol S: /s
  3. Create the necessary directory:
    mkdir S:\EFI\FakeSecureBoot
  4. Copy Shell.efi and FakeSecureBoot.efi into S:\EFI\FakeSecureBoot\.
  5. Create a file named startup.nsh in the same folder:
    • Path: S:\EFI\FakeSecureBoot\startup.nsh
    • Content:
      load fs0:\EFI\FakeSecureBoot\FakeSecureBoot.efi
      fs0:\EFI\Microsoft\Boot\bootmgfw.efi
      
    (Note: If the script fails at boot, fs0: may need to be changed to fs1: depending on your disk configuration).

4. Create UEFI Boot Entry

Run the following commands in the Administrator Command Prompt to add the entry to your UEFI Boot Loader Menu:

  1. Create the entry based on the Windows Boot Manager:

    bcdedit /copy {bootmgr} /d "FakeSecureBoot"

    Copy the {GUID} returned by this command.

  2. Set the path to the UEFI Shell:

    bcdedit /set {YOUR-GUID-HERE} path \EFI\FakeSecureBoot\Shell.efi

  3. Ensure the device is set to the EFI partition:

    bcdedit /set {YOUR-GUID-HERE} device partition=S:

  4. Add to the end of the boot order (Non-Default):

    bcdedit /set {fwbootmgr} displayorder {YOUR-GUID-HERE} /addlast

5. Usage

  1. Restart your computer.
  2. Press your Boot Menu Key (usually F11, F12, or Esc).
  3. Select "FakeSecureBoot" from the list.
  4. The UEFI Shell will launch, automatically execute startup.nsh, load the driver, and chain-load Windows.

6. Verification

Once Windows has booted via the Shell:

  1. Press Win + R, type msinfo32, and press Enter.
  2. Look for Secure Boot State. It should report On, even though it is disabled in your BIOS.

7. Removal (Optional)

If you wish to remove the custom boot entry and delete the files:

  1. Find the GUID of the entry:

    bcdedit /enum firmware

    Locate the entry with the description "FakeSecureBoot" and copy its {GUID}.

  2. Delete the UEFI Boot Entry:

    bcdedit /delete {YOUR-GUID-HERE}

  3. Delete the files from the EFI Partition:

    mountvol S: /s
    rd /s /q S:\EFI\FakeSecureBoot
    mountvol S: /d
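
Step 1 above can be scripted, and the same check works as an audit for firmware boot entries that launch something other than the Windows Boot Manager. The following Python is an added example, not part of the original gist; it parses a constructed sample of `bcdedit /enum firmware` output and assumes English field names and that `\EFI\Microsoft\Boot\bootmgfw.efi` is the only loader path expected on the machine.

```python
import re
# Constructed sample of `bcdedit /enum firmware` output (not from a real machine).
SAMPLE = r"""
Firmware Boot Manager
---------------------
identifier              {fwbootmgr}
displayorder            {bootmgr}
                        {11111111-2222-3333-4444-555555555555}

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager

Windows Boot Manager
--------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\FakeSecureBoot\Shell.efi
description             FakeSecureBoot
"""

# Assumption: the stock Windows loader is the only path expected on this machine.
EXPECTED_PATH = r"\EFI\Microsoft\Boot\bootmgfw.efi"

def parse_entries(text):
    """Split bcdedit output into one dict per entry (title plus its fields)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or set(lines[1].strip()) != {"-"}:
            continue  # not a "title / dashes / fields" block
        entry, key = {"title": lines[0].strip()}, None
        for line in lines[2:]:
            if line[:1].isspace() and key:  # continuation of a multi-value field
                entry[key] += " " + line.strip()
            else:
                key, _, value = line.partition(" ")
                entry[key] = value.strip()
        entries.append(entry)
    return entries

def unexpected_loaders(text, expected=EXPECTED_PATH):
    """Return (identifier, description, path) for entries with another loader path."""
    return [(e.get("identifier"), e.get("description"), e["path"])
            for e in parse_entries(text)
            if "path" in e and e["path"].lower() != expected.lower()]
```

On a live system, pass `unexpected_loaders` the text returned by `bcdedit /enum firmware` run from an elevated prompt instead of `SAMPLE`.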

Fake Secure Boot in action

https://www.youtube.com/watch?v=FDSA2NzzQIA

Maintenance Notes

  • To Change Order: Use bcdedit /set {fwbootmgr} displayorder {GUID} /addfirst if you ever want to make it the default.