Boot loop after restore fixed by disabling Secure Boot

[yastil]

System:

• Gigabyte B650M GAMING X AX
  
• Ryzen 7 7700X
  
• Samsung 990 PRO 1TB
  
• Windows 11 25H2
  
• Secure Boot ON
  
• TPM ON
  
• Hasleo Backup Suite (full system restore)
  

Issue:
After restoring a previously working full system image (including EFI), the system entered a BIOS/boot loop.
Important details:

• BIOS still detected the NVMe SSD and rescue USB correctly.
  
• Selecting either Windows Boot Manager or the USB device returned directly back to BIOS with no error message.
  
• Rescue USB also could not boot.
  
• Windows only booted again after:
  
  1. BIOS factory reset
     
  2. disabling Secure Boot
     

Additional observation:
After Windows successfully booted again, Windows requested a new PIN login, similar to what happens after BIOS/TPM/Secure Boot changes.
Current state:

• System now fully stable
  
• SFC/DISM clean
  
• EFI OK
  
• WinRE OK
  
• Secure Boot can now be enabled again successfully
  

Possible cause:
UEFI Secure Boot / TPM / EFI trust-chain mismatch after restoring the EFI partition from image backup. Best regards. yastil

[Bespoken]

Interesting. With the system now working are you able to boot from the Emergency USB either with Secure Boot on or off?

[yastil]

Interesting. With the system now working are you able to boot from the Emergency USB either with Secure Boot on or off?

I have not tested booting from the Emergency USB again yet after restoring BIOS settings and re-enabling Secure Boot.
At the time of the issue:

• the BIOS detected both the NVMe SSD and the Emergency USB,
  
• but selecting either device returned directly back to BIOS with no error message.
  

After:

1. loading BIOS factory defaults
   
2. disabling Secure Boot
   

Windows booted normally again.
Secure Boot has since been re-enabled successfully and the system is currently stable.

[admin]

This issue is indeed unusual, but the root cause is very likely related to Secure Boot certificate compatibility.

Has your computer been updated to the UEFI 2023 certificate? When you created the backup and boot media, your computer had not been updated to the UEFI 2023 certificate, which caused a mismatch between its certificate and the certificate on the motherboard, preventing it from booting properly.

[yastil]

Thank you, this explanation actually makes a lot of sense.

I checked my system and confirmed that Secure Boot is already using the newer Microsoft Windows UEFI CA 2023 certificate.

PowerShell returned:
True
for:
(Get-SecureBootUEFI db)

This would explain why:

* both the NVMe SSD and the Emergency USB were still visible in BIOS,
* but selecting either one returned directly back to BIOS without any error message,
* until Secure Boot was disabled.

After disabling Secure Boot:

* Windows booted normally again,
* Windows requested a new PIN (similar to BIOS/TPM/security changes),
* and the system is now fully stable again.

I also re-enabled Secure Boot successfully afterwards.

So your explanation about a Secure Boot certificate / trust-chain mismatch between the restored EFI environment and the motherboard firmware is very likely correct.

I will now recreate:

* a new Emergency USB
* and a new full backup image

using the current system state and certificates. Yasil

[yastil]

This issue is indeed unusual, but the root cause is very likely related to Secure Boot certificate compatibility.

Has your computer been updated to the UEFI 2023 certificate? When you created the backup and boot media, your computer had not been updated to the UEFI 2023 certificate, which caused a mismatch between its certificate and the certificate on the motherboard, preventing it from booting properly.

Thank you, this explanation actually makes a lot of sense.
I checked my system and confirmed that Secure Boot is already using the newer Microsoft Windows UEFI CA 2023 certificate.
PowerShell returned:
True
for:
(Get-SecureBootUEFI db)
This would explain why:

• both the NVMe SSD and the Emergency USB were still visible in BIOS,
  
• but selecting either one returned directly back to BIOS without any error message,
  
• until Secure Boot was disabled.
  

After disabling Secure Boot:

• Windows booted normally again,
  
• Windows requested a new PIN (similar to BIOS/TPM/security changes),
  
• and the system is now fully stable again.
  

I also re-enabled Secure Boot successfully afterwards.
So your explanation about a Secure Boot certificate / trust-chain mismatch between the restored EFI environment and the motherboard firmware is very likely correct.
I will now recreate:

• a new Emergency USB
  
• and a new full backup image
  

using the current system state and certificates.  Yastil

[admin]

@yastil,

Thank you for your detailed analysis and verification! This will be very helpful to other users who encounter similar issues, especially as Windows is moving toward fully adopting the UEFI 2023 certificate.

Best regards,

[yastil]

@yastil,

Thank you for your detailed analysis and verification! This will be very helpful to other users who encounter similar issues, especially as Windows is moving toward fully adopting the UEFI 2023 certificate.

Best regards,

Thank you again for the explanation and technical insight.
The UEFI 2023 certificate transition was something I was not aware of, so this was very informative. 
I will recreate both the Emergency USB and my full backup images using the current Secure Boot environment.
Best regards