IT Docs
WorkspaceLaptops

Secure Boot Verification Failed (0x1A)

How to diagnose and fix the "Verification failed (0x1A) Security Violation" UEFI Secure Boot error when booting live USBs.

The Verification failed: (0x1A) Security Violation error is thrown by UEFI Secure Boot when it blocks an unauthorized operating system, bootloader (for example Ventoy), or modified firmware from loading. It shows up most often when booting a Linux live USB, or after a motherboard/firmware update changes the stored keys.

Secure Boot only loads binaries signed with a key it trusts. The error means the thing you're trying to boot isn't signed with a recognised key — not that the media is broken. Pick one of the three fixes below depending on whether you want to keep Secure Boot on.

Solution 1 — Temporarily disable Secure Boot (quickest fix)

The fastest way past the error is to turn Secure Boot off in firmware. Use this if you just need to boot the USB once and don't need Secure Boot enforced.

Enter firmware setup

Restart the machine and repeatedly tap the firmware/BIOS key during power-on. It's usually F2, F10, F12, or Delete, depending on the manufacturer.

Find the Secure Boot setting

Open the Security, Boot, or Authentication tab and locate the Secure Boot option.

Disable and save

Set Secure Boot to Disabled, then save and exit — typically F10. The machine will reboot and the USB should now load.

Re-enable Secure Boot afterwards if the machine's normal OS (or a corporate policy such as BitLocker / Device Guard) expects it on. Leaving it off weakens boot integrity.

Solution 2 — Enrol the key via MOK Manager (keep Secure Boot on)

If you're booting a tool like Ventoy and want to leave Secure Boot enabled, authorise its bootloader through Machine Owner Key (MOK) management instead of disabling anything.

Trigger MOK Manager

When the blue MOK management screen appears after the error, press any key to enter it (rather than letting it time out).

Enrol a key from disk

Choose Enroll key from disk.

Select the Ventoy certificate

Browse to the VTOYEFI partition and select ENROLL_THIS_KEY_IN_MOKMANAGER.cer.

Confirm and reboot

Continue, choose Yes to enrol the key, then reboot. The bootloader is now trusted and Secure Boot stays enforced.

Solution 3 — Reset Secure Boot keys to factory defaults

If the error started after you modified the BIOS keys yourself, restoring the manufacturer defaults usually clears it.

Enter firmware setup

Reboot into the BIOS/UEFI menu using the firmware key for your machine.

Open key management

Go to the Security or Boot tab and look for Secure Boot Keys or Restore Factory Keys.

Restore defaults and reboot

Select Reset to Factory Default (wording varies by vendor), save, and reboot.

Which fix to reach for: Solution 1 for a one-off boot, Solution 2 when Ventoy/live USBs must coexist with an enforced Secure Boot policy, and Solution 3 when the machine's own keys got into a bad state after firmware changes.

On this page