You can have true secure UEFI multiboot capability with E2B (no need for MOK Manager, etc.)!
Table of Contents
Introduction
A major problem with various multiboot solutions such as Ventoy is that the Ventoy bootx64.efi UEFI boot file is unsigned. This means that you may have to program the UEFI database to allow the unsafe (Ventoy) grub2 bootx64.efi boot file as an exception using MOK Manager. This does not always work and even if it does work, it leaves your system open to potential misuse (e.g. anyone could use Ventoy to run unsigned utilities on your system).
If you have agFM added to your E2B USB drive, Secure Boot may work on some systems (agFM will allow you to boot unsigned/insecure OS’s as well as secure OS’s), but some systems may block the UEFI signed EFI boot file used by agFM (e.g. Windows Updates can cause some EFI boot files to be blacklisted). So on most Windows systems, secure booting to agFM may not work (unless you clear the DBx UEFI blacklist using the appropriate BIOS setting first).
E2B/agFM however can work around this major Secure Boot limitation by replacing a partition on your USB drive with any desired OS partition image. The steps are simple:
- Switch in any one of the many image files on your E2B USB drive containing a secure boot OS (e.g. Ubuntu, Windows install, WinPE, etc.) – Partition 1 is replaced by your new image file.
- Now UEFI64 Secure Boot from the new partition.
- After finishing your work, restore the original E2B partition.
For instance, Partition 1 of the E2B USB drive could contain image partition files of various Windows Install ISOs, Linux live system ISOs or Install ISOs, various WinPEs, etc. and you could select and ‘switch-in’ any one of them and then Secure Boot to the new image which is now on Partition 1.
Partition Image files (.imgptn23) are created by the user using the Windows-based utility MakePartImage. An image file can be made from a variety of different sources including an iso, zip file, vhd, partition on a usb drive or other drive, etc. For instance, you could have .imgptn23 files for Windows 8, 10 and 11 installs, Ubuntu installs, live linux images, various WinPE images, etc. As long as they will boot and run from a single partition.
Switching in Partition Image files
You must first create Image Partition files which have the .imgptn23 file extension. The special extension name ensures that Partitions 2 and 3 of the E2B USB drive are kept and Partition 1 of the E2B USB drive is replaced by the new image.
You can switch in a new *.imgptn23 file in a number of different ways:
- Legacy boot to the E2B or agFM menu and select the .imgptn23 file – OR –
- Non-secure UEFI64 boot to the agFM menu (on Partition 2) and select the .imgptn23 file – OR –
- Run SWITCH_E2B.exe (32-bit Windows app) from a Windows system (SWITCH_E2B.exe can be copied from the E2B USB drive onto your Windows system) – OR –
- UEFI64 boot to a signed Secure Boot WinPE OS on Partition 3 of the E2B USB drive and then run SWITCH_E2B.exe from WinPE to switch in the .imgptn23 file
Option 4 means that only one single Secure Boot target system is required and there is no need to legacy or Non-Secure Boot from any other system or modify the target UEFI BIOS using MOK Manager. Secure OS’s can be booted in this mode and your target system’s UEFI BIOS settings are not changed.
Add a Secure Boot WinPE to your E2B USB drive
If you want to use Option 4 (see list above) to switch in a .imgPTN23 image file, you must create a Primary Partition 3 on the E2B USB drive and add a WinPE OS. The WinPE OS should be 64-bit Windows PE and contain the components to run 32-bit Windows applications (WoW64).
- Create an E2B USB drive containing three PRIMARY partitions (not logical partitions): I use EaseUS Partition Master to create Partition 3 or you can make a new E2B USB drive and use the Gear/Advanced button to specify your partition sizes.
Partition 1: NTFS (remainder of available space for ISOs, imgptn23 files, VHDs, etc.)
Partition 2: FAT32 agFM files (1GB+)
Partition 3: FAT32 (4GB, 10GB+ recommended)
Partition 4: MUST NEVER BE PRESENT – Do not create! - Download the latest HBCDPE ISO from here and extract all the files to Partition 3 of the E2B USB drive (must be a FAT32 partition). HBCDPE has WoW64 and runs 32-bit Windows apps as well as 64-bit Windows apps. Note: Recent versions of HBCDPE are quite large and may not load into 4GB RAM systems. If you work on x86 computers with 4GB or less RAM, choose one of the smaller, older HBCDPE ISOs so that it will boot even on <4GB systems. Download links to much smaller WinPEs can be found in the E2B eBooks.
- Copy the 32-bit Windows app file \_ISO\SWITCH_E2B.exe from the E2B USB drive to the root of Partition 3
- (optional) – Download the PEStartup zip file and extract all the files to the root of Partition 3 of the E2B USB drive. These additional files allow you to modify any WinPE that you boot to (e.g. add Desktop icons, change the wallpaper, include PortableApps, add drivers, etc.)
Now you can use the new partition to switch-in different images as follows:
Step 1 – UEFI64 Secure Boot
You can now Secure Boot to Partition 3 of the E2B USB drive (using the BIOS Boot Selection Menu of the target system) and boot to WinPE. Drive Y: will be Partition 3.
Typically, you will switch on the target PC (or any PC) and use a Function key (e.g. F8 or F11 or F12 or ESC) to get to a BIOS BOOT SELECTION MENU. Then choose EFI – USB Partition 3 as the boot volume. WinPE will then be loaded.
Now run Y:\SWITCH_E2B.exe from WinPE and select your desired .imgptn23 file that you want to switch in and double-click on it. The new image will replace Partition 1.
Passmark MemTest86 .imgptn23 is secure boot signed and is already included with E2B. You can add many other image files by making more using MakePartImage.cmd.
PEStartup
Tip: If you run Y:\TheOven_Startup.cmd from WinPE, then you will be able to run PortableApps, change the WinPE wallpaper, add shortcuts to the WinPE Desktop, add drivers, etc. – see here for more details. You can use PEStartup – ShortCuts – Add to make a Desktop shortcut for Y:\SWITCH_E2B.exe. The screenshot below shows official HBCDPE + PEStartup + PortableApps + various Desktop shortcuts added by PEStartup.
You can automate the running of PEStartup by HBCDPE by adding a new line (line 575 below) to the Y:\HBCD_PE.ini file using Notepad.
Step 2 – Run the new OS
Now reboot, select Partition 1 as the boot partition and boot to the new Secure Boot OS that you have just switched in.
Step 3 – Restore the original E2B Partition 1 contents
If you have booted to a suitable Windows OS, you can run SWITCH_E2B.exe from the USB drive (Partition 3) and restore the E2B partition – otherwise you can just Secure Boot to WinPE on Partition 3 of the USB drive and run Y:\SWITCH_E2B.exe from WinPE.
More details
You can find more details or use a different WinPE – see this blog article for details.