Ventoy Secure Boot on Older PCs: Enrol Key vs Turning Secure Boot Off

Two methods, different trade-offs — here is how to pick the right one for your machine

BIOS Secure Boot settings screen beside a USB drive labelled Ventoy

Ventoy is one of the most useful tools in any technician's kit. Instead of burning a single ISO to a USB drive, Ventoy lets you copy multiple ISOs onto one drive and choose which one to boot from a menu. Need to test Ubuntu, Linux Mint, and a Windows installer from the same USB stick? Ventoy handles it. The catch — and it is a consistent one on older hardware — is Secure Boot.

Ventoy's bootloader is not signed by Microsoft's UEFI signing certificate, which means Secure Boot blocks it by default on most machines manufactured after 2012. You have two options: enrol Ventoy's own signing key into your firmware (MOK enrollment), or disable Secure Boot entirely. Both work. Neither is universally better. The right choice depends on your machine, your use case, and whether you dual-boot Windows. This guide walks through both methods step-by-step, compares the trade-offs, and covers the BIOS firmware quirks that make older PCs particularly tricky. If you are having broader USB boot issues beyond Secure Boot, the USB boot troubleshooting guide covers the full landscape.

What Ventoy Is and Why It Matters for Older PCs

Ventoy is an open-source tool that creates a special bootable USB drive. Unlike traditional USB burning tools like Rufus or balenaEtcher — which write a single ISO image to the drive, making it exclusive to that one operating system — Ventoy installs a small bootloader and leaves the rest of the drive as a standard filesystem. You copy ISO files onto the drive like any other file, and Ventoy presents a boot menu listing each one.

For anyone working with older PCs, this is transformative. Instead of maintaining five separate USB drives for different Linux distributions, a recovery environment, and a Windows installer, you maintain one Ventoy drive with all of them. When you sit down with an unknown machine that might need a fresh OS install, driver testing, or hardware diagnostics, a single Ventoy drive covers every scenario.

The Secure Boot conflict is frustrating precisely because Ventoy is otherwise so frictionless. Everything about the tool is designed to reduce hassle — except this one interaction with UEFI firmware that trips up a large percentage of first-time users, especially on older machines where BIOS implementations are less standardised.

Why Secure Boot Blocks Ventoy

Secure Boot is a UEFI firmware feature that verifies the digital signature of bootloaders before executing them. Only bootloaders signed by a trusted signing certificate — in practice, Microsoft's UEFI CA — are allowed to run. This prevents malware from replacing your bootloader with a compromised version, which is a legitimate security benefit.

Ventoy's bootloader is not signed by Microsoft's CA. It is signed by Ventoy's own certificate, which your firmware does not trust by default. When you try to boot a Ventoy USB with Secure Boot enabled, the firmware checks the signature, finds it untrusted, and refuses to execute it. On most machines, you see a brief error message — "Security Violation" or "Unauthorized" — before the machine falls back to its normal boot sequence.

This is not a bug. It is Secure Boot working exactly as designed. The solution is either to add Ventoy's certificate to your firmware's trusted database (Method A: MOK enrollment), or to turn off the signature check entirely (Method B: disable Secure Boot). Both approaches have clear trade-offs, which the rest of this guide covers.

MOK Enrollment: Keeping Secure Boot Active

MOK stands for Machine Owner Key. It is a mechanism built into the UEFI shim bootloader that allows you to add your own trusted certificates alongside Microsoft's. Ventoy ships with a shim-based bootloader that triggers the MOK enrollment process automatically on first boot.

Step 1: Prepare the Ventoy USB drive

Download Ventoy from the official site and install it to your USB drive using Ventoy2Disk (Windows) or the shell script (Linux). During installation, ensure you select GPT as the partition style — this is required for UEFI boot. Once installed, copy your ISO files onto the drive. Ventoy is now ready, but it will not boot on a Secure Boot machine until you enrol the key.

Step 2: Boot from the USB and launch MokManager

Insert the Ventoy USB and boot from it (press F12, F2, or Esc during startup to reach the boot menu — the key varies by manufacturer). On the first boot with Secure Boot enabled, instead of Ventoy's normal ISO selection menu, you will see a blue screen titled Shim UEFI Key Management or MokManager. This is the enrollment utility. If you see a "Security Violation" error instead, your BIOS may need the boot order adjusted to prioritise the USB's UEFI boot entry specifically. Some older machines list separate Legacy and UEFI entries for the same USB drive.

Step 3: Enrol the key from disk

In MokManager, select "Enroll key from disk". Navigate to the Ventoy partition — it is typically labelled VTOYEFI or appears as the first FAT32 partition on the USB. Inside, find and select the certificate file, usually named ENROLL_THIS_KEY_IN_MOKMANAGER.cer. Confirm the enrollment when prompted. MokManager may ask you to set a one-time password — this password is only used if you need to repeat the process and is not stored permanently.

Step 4: Reboot and verify

After enrolling the key, select "Continue boot" or "Reboot". On the next boot from the USB, Ventoy's normal ISO selection menu should appear. Secure Boot remains enabled, and Ventoy is now trusted by your firmware. The enrolled key persists across reboots and power cycles — you do not need to repeat this process unless you reset your BIOS to factory defaults, which clears all enrolled MOK keys.
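As an added example (not from the Ventoy project or this guide's original text), the following POSIX shell script confirms the outcome of Method A from a Linux session booted through Ventoy, or from the distribution installed afterwards: Secure Boot is still reported as enabled by the firmware, and the Ventoy certificate is present in the MOK list. It assumes efivarfs is mounted at /sys/firmware/efi/efivars, that mokutil is installed, and that you pass the path of the .cer file from the VTOYEFI partition wherever you mounted it.

```shell
#!/bin/sh
# Added example: verify Method A (MOK enrollment) from a booted Linux system.
#
# The firmware publishes Secure Boot state as the UEFI variable
# SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c. Through efivarfs the
# file holds 4 attribute bytes followed by the 1-byte value
# (0x01 = enabled, 0x00 = disabled).
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# decode_sb_var FILE: prints enabled, disabled or unknown; returns 0 only
# when the value byte could be read and decoded.
decode_sb_var() {
    [ -r "$1" ] || { echo unknown; return 1; }
    # Skip the 4 attribute bytes and print the value byte in decimal.
    val=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# ventoy_key_enrolled CERT: CERT is the DER certificate copied from the
# VTOYEFI partition (its mount point is an assumption). Returns 0 if
# mokutil reports the certificate as enrolled, 1 if not, 2 if mokutil is
# missing. Relies on mokutil's exit status rather than its message text.
ventoy_key_enrolled() {
    command -v mokutil >/dev/null 2>&1 || return 2
    mokutil --test-key "$1" >/dev/null 2>&1
}

# verify_method_a CERT: returns 0 only when Secure Boot is enabled AND the
# Ventoy key is enrolled, i.e. the state Step 4 expects.
verify_method_a() {
    state=$(decode_sb_var "$SB_VAR")
    echo "Secure Boot: $state"
    [ "$state" = enabled ] || return 1
    ventoy_key_enrolled "$1"; rc=$?
    case "$rc" in
        0) echo "Ventoy key: enrolled in MokList" ;;
        1) echo "Ventoy key: not enrolled (repeat Step 3)" ;;
        *) echo "Ventoy key: cannot check, install mokutil" ;;
    esac
    return "$rc"
}

# Usage (mount point is an assumption):
# verify_method_a /mnt/vtoyefi/ENROLL_THIS_KEY_IN_MOKMANAGER.cer
```

If the script reports Secure Boot as disabled after you believe you enrolled the key, the machine most likely booted through a Legacy/CSM entry rather than the UEFI entry, which the firmware quirks section below covers.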

Disabling Secure Boot: The Simpler Path

If MOK enrollment fails, if MokManager does not appear, or if you simply want the quickest path to a working Ventoy boot, disabling Secure Boot is the alternative. The process varies by BIOS manufacturer, but the general steps are consistent.

Step 1: Enter BIOS/UEFI settings

Restart the machine and press the BIOS entry key during POST. Common keys: F2 (Lenovo, Acer, Asus), F10 (HP), Del (desktop motherboards). On some machines you can hold Shift while clicking Restart in Windows to reach the UEFI firmware settings through the Advanced Startup menu.

Step 2: Locate the Secure Boot setting

The Secure Boot option is typically under Security, Boot, or Authentication tabs depending on the BIOS manufacturer. On Lenovo ThinkPads, it is under Security → Secure Boot. On HP machines, it is under Security → Secure Boot Configuration. On Dell machines, it is under Secure Boot → Secure Boot Enable. If you cannot find it, look for a "Boot Mode" setting — some BIOSes combine Secure Boot and Legacy/UEFI selection into a single option.

Step 3: Disable Secure Boot and save

Change the Secure Boot setting to Disabled. Some BIOSes require you to set a supervisor password before allowing Secure Boot changes — if prompted, set a password, then change the Secure Boot setting. Save and exit (usually F10). The machine will reboot with Secure Boot disabled.

Step 4: Boot from Ventoy USB

With Secure Boot disabled, the Ventoy USB should boot directly to its ISO selection menu without any MOK enrollment step. All ISOs on the drive — Linux distributions, Windows installers, diagnostic tools — should be bootable. If the USB still does not boot, the issue is likely boot order or partition style rather than Secure Boot. Check the USB boot troubleshooting guide for next steps.

MOK Enrollment vs Disabling Secure Boot: Pros and Cons

| Factor | MOK Enrollment (Method A) | Disable Secure Boot (Method B) |
|---|---|---|
| Secure Boot status | Remains enabled | Disabled |
| Windows compatibility | No impact on Windows dual-boot | May trigger BitLocker recovery key prompt |
| Setup complexity | Moderate; MokManager can be confusing the first time | Simple; a single BIOS toggle |
| Persistence | Key persists until BIOS reset | Remains disabled until manually re-enabled |
| Security posture | Only Ventoy's bootloader is additionally trusted | All bootloaders are trusted; wider attack surface |
| BIOS compatibility | Some older BIOSes do not support MOK properly | Works on all UEFI systems |
| Future OS installs | Installed OS retains Secure Boot protection | Installed OS runs without Secure Boot verification |

My recommendation: Use MOK enrollment (Method A) as the default approach. It preserves the security benefits of Secure Boot while allowing Ventoy to operate. Fall back to disabling Secure Boot (Method B) only if MOK enrollment fails — which happens on some older machines with incomplete UEFI implementations — or if you are working on a standalone Linux machine where Secure Boot provides minimal practical benefit.

BIOS Firmware Quirks on Older PCs

Older machines — particularly those from 2012–2016 — have UEFI implementations that range from solid to deeply eccentric. Here are the firmware-specific issues I encounter most frequently when booting Ventoy, and their workarounds.

MokManager does not appear (blank screen or immediate reboot)

Some older HP and Acer BIOSes have incomplete shim support. The UEFI firmware loads Ventoy's shim bootloader but fails to hand off to MokManager correctly. The machine either shows a blank screen for several seconds and reboots, or boots directly into Windows ignoring the USB entirely. Workaround: disable Secure Boot (Method B). On these machines, MOK enrollment is not viable due to firmware limitations.

Secure Boot option greyed out in BIOS

Several Lenovo and Dell BIOSes require a supervisor/admin password to be set before Secure Boot can be modified. If the Secure Boot toggle is greyed out, go to the Security tab, set an admin password, save and reboot, then re-enter BIOS. The Secure Boot option should now be editable. After making your change, you can clear the admin password if desired.

UEFI boot entry disappears after reboot

Some older Toshiba and Samsung BIOSes have a bug where custom UEFI boot entries — including the one Ventoy relies on — are deleted after each reboot. The USB boots once, then the machine ignores it on subsequent boots. Workaround: access the boot menu manually (F12) each time rather than relying on saved boot order. Alternatively, update the BIOS firmware if a newer version is available from the manufacturer.

Legacy/CSM mode confusion

On machines that support both Legacy and UEFI boot, the BIOS may default to Legacy mode or have CSM (Compatibility Support Module) enabled. Ventoy requires UEFI boot for Secure Boot functionality. If your boot menu shows the USB drive without a "UEFI:" prefix, you are booting in Legacy mode. Enter BIOS, disable CSM or switch the boot mode to "UEFI Only," and try again. The dual-boot safety notes cover related considerations if you are maintaining both Windows and Linux.

Recovery Steps: If Something Goes Wrong

Neither MOK enrollment nor disabling Secure Boot can permanently damage your machine. Both changes are reversible. Here is how to recover from common issues.

BitLocker recovery prompt after disabling Secure Boot

If you disabled Secure Boot on a Windows machine with BitLocker encryption, Windows may prompt for a BitLocker recovery key on the next boot. This is a security feature, not data loss. Retrieve your recovery key from your Microsoft account (account.microsoft.com/devices/recoverykey) or from wherever your organisation stores keys. Enter it, and Windows will boot normally. To avoid this in the future, suspend BitLocker before changing Secure Boot settings: open an admin Command Prompt and run manage-bde -protectors -disable C:.

Re-enabling Secure Boot after using Method B

Enter BIOS, navigate to the Secure Boot setting, and change it back to Enabled. Save and exit. If you installed a Linux distribution while Secure Boot was disabled, verify that the distribution supports Secure Boot natively (Ubuntu, Fedora, Linux Mint, and most major distributions do). If it does, the OS will continue to boot normally. If it does not — some niche distributions and custom kernels lack Secure Boot signatures — you will need to either keep Secure Boot disabled or enrol the distribution's own MOK key.

Clearing an enrolled MOK key

If you enrolled Ventoy's MOK key and want to remove it, you can reset your Secure Boot keys to factory defaults in BIOS. Look for an option called "Reset to Setup Mode," "Restore Factory Keys," or "Clear Secure Boot Keys" in the Security or Secure Boot configuration menu. This removes all custom MOK enrollments and returns the firmware to its original trusted key set.

When to Use Each Method

The right approach depends on your specific situation. Here is a quick decision framework.

  • Use MOK enrollment if you dual-boot Windows, if your machine has BitLocker enabled, if you want to maintain Secure Boot's protection for your installed OS, or if you are setting up a shared family machine where security posture matters.
  • Disable Secure Boot if MOK enrollment fails on your BIOS, if the machine runs Linux exclusively, if you are using the machine purely for testing and installation purposes, or if you want the absolute simplest path to a working Ventoy boot.
  • Try MOK first in all cases. It takes 30 seconds when it works, and if it fails you lose nothing — you simply proceed to Method B.

For most older PCs being repurposed with Linux — which is the primary use case for readers of this site — MOK enrollment is the cleaner approach when it works. If you are wiping Windows entirely and installing a lightweight Linux distribution, Secure Boot provides less practical benefit and disabling it is a reasonable trade-off. If you are setting up a dual-boot environment, keep Secure Boot enabled with MOK enrollment to avoid BitLocker complications and maintain the security chain for your Windows installation.

The Bottom Line

Ventoy's Secure Boot conflict is a speed bump, not a roadblock. MOK enrollment is the cleaner solution — it takes 30 seconds, preserves your Secure Boot protection, and only needs to be done once per machine. Disabling Secure Boot is the fallback for machines with incomplete UEFI implementations where MOK enrollment fails, or for standalone Linux machines where Secure Boot provides minimal additional value.

Try MOK enrollment first. If it works, you are done. If it does not, disable Secure Boot and move on. Neither approach can damage your machine, both are fully reversible, and once resolved you have access to one of the most useful tools for managing older PCs — a single USB drive that can boot any operating system you need.
