Secure boot is disabled; How to Boot from External Flash Drive?

@Jim_Hill  you don't need to disable Secure Boot just because you want to boot from a USB device.  You only need to disable Secure Boot if the environment you're booting into doesn't support Secure Boot, such as most Linux-based boot environments.  Environments based on Windows 8 or newer (and WinPE 4.0 or newer) support Secure Boot.

Which brings me to the basic question that you left unanswered: What is on this flash drive that you're trying to boot into?  Is it Windows install media?  Some sort of diagnostic/recovery utility?  A "Linux Live" environment?

And second, exactly how did you prepare this bootable flash drive,i.e. what application or detailed steps did you use?

In order for a UEFI-based system to boot from a USB device, its partition must be formatted as FAT32, not NTFS or exFAT.  And the bootable environment itself needs to support being booted in UEFI mode.

@Jim_Hill  you don't need to disable Secure Boot just because you want to boot from a USB device.  You only need to disable Secure Boot if the environment you're booting into doesn't support Secure Boot, such as most Linux-based boot environments.  Environments based on Windows 8 or newer (and WinPE 4.0 or newer) support Secure Boot.

I have some older win7 era bootable flash drives, some using the Linux operating system that work fine using my old Dell T3500 which was a refurbish purchase, and was upgraded from win7 to win10.   In this topic I’m asking how to boot from a bootable flash drive using my i3670 and i3780, not how can I avoid doing so.  If there are issues, such as being difficult to accomplish without loss of data or computer becoming inoperative, please include them.

I have seen a number of posts in various places, TenForums, etc. that say that secure boot must be disabled to boot from a flash drive.  I even saw a Rockstar answer in a Dell community forum, which I’m attempting to find again.

In order for a UEFI-based system to boot from a USB device, its partition must be formatted as FAT32, not NTFS or exFAT.  And the bootable environment itself needs to support being booted in UEFI mode. 

I should be ok.  I think this is normal for computers purchased at a retail store.  I bought my i3670 computer new at Fry’s retail store a little over year ago, and as far as I could tell, it was just another computer.  I’m sure it is a win10 UEFI computer.  Other than a few computers running Linux, (and Apple computers), you had no choice.

And second, exactly how did you prepare this bootable flash drive,i.e. what application or detailed steps did you use?

I don’t remember the details, but they worked fine on my old Dell T3500, which I updated from win7 to win10.  I would assume that I could boot from them on a new Dell computer.

I’m just attempting to boot using them, not continue.  For example, one is a Terabyte International Image for Linux program for making a backup image of a non Linux computer.  It is not suitable for an image file using UEFI, but very handy to see if I can actually boot from a flash drive.  The first screen asks what I want to do – backup, restore, or…?  I assume a UEFI computer could display this screen.

I am attempting to use Macrium Reflect to back up this computer.  Their forum seem to assume you are booting from a flash drive.  If your computer had problems and would not start up normally, booting from a flash drive seems to be the only solution.

I enabled secure boot and restarted my computer.  I checked F2 and F12, and neither seems to have a means to boot from a flash drive. What is my next step?

Jim

@Jim_HillThe fact that people are saying you have to disable Secure Boot to boot from a flash drive doesn't make them correct.  Dell Rockstars are not always correct either.  If the post you found was written by speedstep (in obnoxiously large text?), that's even more likely to be the case.  But the reason I know I'm correct in that statement is because I routinely boot from flash drives with Secure Boot enabled.  I've worked in various IT roles for the past 15 years, so I have to boot from USB devices rather frequently.  My point was simply that depending on what specifically you're trying to boot, you don't necessarily have to disable Secure Boot just to do so.  And since Secure Boot has value as an anti-rootkit mechanism, disabling it unnecessarily isn't ideal.

As to your response to my point about the flash drive being formatted FAT32 saying that "I should be ok. I think this is normal for computers purchased at a retail store," I don't even know what that means.  This has absolutely nothing to do with how your computer is set up.  It's about how the flash drive itself is set up.  You can format a flash drive using a variety of file systems.  Legacy BIOS systems can boot from a variety of file systems.  UEFI, despite being newer, actually has much more limited file system support when it comes to booting because it boots in a fundamentally different way.  (If you're thinking to yourself that Windows still uses the NTFS file system on modern UEFI systems, it's because those systems also have a hidden FAT32 partition that contains the UEFI bootloader files.  The system boots from that, and then that turns around and loads Windows.)

The above is partly why it's possible for a flash drive configured a certain way to be bootable on an old computer and NOT bootable on a new computer.  In order to boot from a flash drive in UEFI mode, the flash drive must be set up in a way that allows UEFI booting, and the environment you're actually booting into must ALSO support UEFI booting.  The latter requirement always even when booting a UEFI system from a non-USB source.  So for example, it is possible to have a bootable environment that supports UEFI booting, but stored on a flash drive that is formatted as NTFS, in which case you will not be able to boot from that flash drive in UEFI mode.  It is ALSO possible to have a flash drive that is properly set up for UEFI booting by being formatted as FAT32, but that contains a bootable environment that does not itself support UEFI booting, in which case that won't work either.  So no you shouldn't just assume you would be able to see that Terabyte image screen., because getting to that point requires your system to have successfully booted into the mini-OS that Terabyte runs on, which would mean having satisfied both of requirements I just mentioned.

The quick and dirty method to possibly get your existing flash drives bootable on your new system would be to enable "Legacy Option ROMs" in your system BIOS, if that's even still available on those systems.  That will allow your UEFI system to support Legacy BIOS mode booting, which is what those old systems you're talking about would be using.  However, enabling Legacy Option ROMs forces you to disable Secure Boot, which again isn't ideal from a security standpoint.  And it's possible that your system won't have that Legacy Option ROMs option in the first place, because Intel has announced that their CPUs will no longer support Legacy BIOS booting at a hardware level soon, so that capability has been disappearing on systems in anticipation of that.  That's why the proper solution is to set up your flash drives in a way that will allow them to be booted in native UEFI mode, and also of course have bootable environments that support UEFI booting.

I'm only familiar with Terabyte by name, but I personally use Macrium Reflect for my disk imaging needs and am very active on their forum.  Reflect supports creating "multi-boot" bootable media that can be booted in both Legacy BIOS and UEFI mode so that a single flash drive can support both system types.  And modern versions of Linux distros would certainly support UEFI booting, so it would just be a question of setting up the flash drive properly.  If you have ISO files of the bootable environments, Rufus (link) is a popular tool for this purpose that removes some manual effort.  If on the other hand you created those bootable flash drives using tools built into various applications you use, then you'd have to do some research into how to create UEFI bootable versions of those flash drives using those applications.  But again, it is not necessarily the case that a flash drive that boots on an old system will also boot on a new one.

Let’s start again.  I probably should start a new thread, but you are obviously the person who knows.

My Dell i3670 uses UEFI.  It has a single hard drive, which has C and system reserved partitions.

I backed up the entire drive using Macrium Reflect, and made a Rescue Media flash drive.  The flash drive has the default FAT32 format.

I have another hard drive of sufficient size to replace the existing drive  It has been initialized/formatted so it can be used as a data drive.

Assume the hard drive failed. I guess I would replace the existing drive with the new drive, connect the Rescue Media flash drive and USB hard drive containing the image file, turn on the computer and press F12 until the Boot Device menu appears – or does this approach work when using UEFI?

I need to know before I have a real problem.

The Macrium Knowledge base  https://knowledgebase.macrium.com/display/KNOW72/Restoring+and+browsingDoes not cover this situation.

The TenForums knowledge base article Backup and Restore with Macrium Reflect, part 5, may cover it but in far less detail than the remainder of the article https://www.tenforums.com/tutorials/61026-backup-restore-macrium-reflect.html  It says:

2.) Although restoring an image backup is fully possible when started from Windows desktop, I recommend restoring only when PC is booted to Macrium Rescue console (PE),either selecting Macrium Rescue from Windows boot menu or booting with Macrium Rescue USB device you created in Part 2. An old school geek as I am, I get bad feeling when replacing system files on a running system, therefore always using restore from WinPE, booting to Macrium Rescue environment instead of Windows.

@Jim_Hill  this might be a better question to have asked in the Macrium forums where I'm also active, but since we're already talking here:

Yes, your expectation of how you'd recovery your system from a failed hard drive is correct, and kudos for validating your recovery method beforehand, since many people don't bother with that and end up paying the price later in increased aggravation at an already stressful time.

If you used Reflect's Rescue Media Builder tool to create your Rescue Media, and you selected the "Enable multi-boot" option, then if that flash drive is attached when you first start your system and you access the F12 menu, you should absolutely see your USB flash drive listed, because that does work via UEFI.

If that is not working, go to Rescue Media Builder and click Advanced > Choose Base WIM.  Make sure you are NOT using WinPE 3.1.  If you're using WinRE, you have to be running Windows 8 or newer, which I assume you are if you're building this Rescue Media on your new PC.

If that already looks good, try NOT having your external hard drive connected at the same time.  You can connect that later anyway; all you have to do is click Refresh in the Rescue Media environment to have Reflect rescan for disks.

If that doesn't fix it either, try using a different model flash drive.  I've found that some PC simply won't boot from certain flash drives, even though they can work with them otherwise just fine and other PCs can boot from them.  I'm not sure why, but I've seen it happen.  For what it's worth, I use SanDisk Ultra Flair flash drives for Rescue Media because they're physically small, inexpensive, and even pretty fast for what they cost.  And I've never had a problem booting it from any Dell or non-Dell PC I've used.

Restoring an image from within Windows is NOT possible if you'll be restoring the partition that Windows is actively running from, for obvious reasons.  Reflect will let you step through the restore wizard within Windows to "stage" that restore, but if you click Finish, you will be prompted to boot into Reflect's "boot menu recovery" environment.  That is a Rescue Media file set that is cached on your Windows partition and from which the Rescue environment can be booted.  The reason it's possible to restore THAT way even though the Rescue files are ALSO on your Windows partition is that the Rescue environment is small enough that although it loads from there, it gets copied entirely into RAM and actually runs from there, so it has no need to access any files on the disk at that point.  The hazard to that scenario though is that if the restore fails, those files won't be accessible anymore, so you wouldn't be able to boot into it AGAIN.  That's why the boot menu recovery option should be seen as an optional convenience, but NEVER a substitute for "external" Rescue Media.  But I personally prefer to boot from Rescue Media to run OS restores as well.  I figure that if I have to run a restore from Rescue anyway, I may as well boot into it in the first place rather than staging it in Windows only to reboot into somewhere else to run it.

And lastly, building on your wise choice to test your Rescue Media in advance, I would strongly encourage you to retest your Rescue Media whenever you update it, to confirm that your system can still boot from it and that it can still see all of the hardware you'd need it to, which sounds like your internal disk and your external hard drive.  The reason I say this is that Macrium has occasionally pushed updates that contained new bugs that affected Rescue Media, and obviously you don't want to find out about that when you really need it.  I would also suggest that if you confirm your Rescue Media works, you also have Rescue Media Builder create an ISO file version of it.  That way if a future update has a problem that prevents it from creating working Rescue Media, you'd still have that ISO of "known good" Rescue Media, which you could use to create a bootable flash drive if needed -- using that Rufus tool I mentioned earlier, for example.  I always make sure I have an ISO build of an known good Rescue Media build before I update Reflect.