Secure Boot enabled but VALORANT showed VAN: STATUS_SB_POLICY
Hi everyone, I want to share my recent troubleshooting experience because I think it may help other users who run into a similar Secure Boot issue.
Summarized Version
I ran into a Secure Boot issue where VALORANT showed VAN: STATUS_SB_POLICY even though Windows Secure Boot is enabled.
After following the common advice to restore Secure Boot factory keys in BIOS, Windows stopped booting entirely when Secure Boot was enabled and kept returning to the Boot Menu.
The fix that allowed Windows to boot again was Microsoft’s SecureBootRecovery.efi tool, which restored the missing/newer Secure Boot certificate database entries, especially related to the newer Windows UEFI CA 2023 update.
My current understanding is:
- BIOS “Restore Factory Keys” may restore an older Secure Boot database.
- Windows may already depend on newer Secure Boot 2023 certificate entries.
- Restoring factory keys can remove or replace the needed entries, causing Windows Boot Manager to fail under Secure Boot.
- SecureBootRecovery.efi can restore the missing Secure Boot DB entries and allow Windows to boot again.
- However, VALORANT / Vanguard may still reject the Secure Boot policy even after Windows accepts it.
So the issue may involve an underlying conflict between BIOS factory Secure Boot keys, Microsoft’s Secure Boot 2023 certificate migration, and Riot Vanguard’s Secure Boot validation.
Thus, there's nothing users can do about it.
Detailed Version
Device
- Lenovo Legion laptop
- AMD Ryzen 9 5900HX
- NVIDIA RTX 3060 Laptop GPU
- Windows 11
- BIOS version: HACN46WW
- BIOS reported as up to date by Lenovo Vantage
Initial issue
VALORANT started showing:
VAN: STATUS_SB_POLICY
The message said:
>
At first, this was confusing because Windows showed:
- BIOS Mode: UEFI
- Secure Boot State: On
- TPM 2.0 ready
So from Windows’ point of view, Secure Boot was already enabled.
What happened after trying the common fix
Following the common advice, I went into BIOS and tried to restore / reinstall Secure Boot factory keys.
After doing that, the problem got worse:
- Secure Boot Disabled → Windows booted normally
- Secure Boot Enabled → the laptop went straight to Boot Menu
- Selecting Windows Boot Manager just returned to the same Boot Menu
- Selecting the SSD directly also did not boot Windows
So the issue changed from “VALORANT does not accept Secure Boot” to “Windows cannot boot at all when Secure Boot is enabled.”
Things I tried that did NOT fix it
I tried many common repair steps:
mountvol S: /S
bcdboot C:\Windows /s S: /f UEFI
and also:
mountvol S: /S
bcdboot C:\Windows /s S: /f UEFI /c
mountvol S: /D
I also tried:
bcdedit /set testsigning off
bcdedit /set nointegritychecks off
bcdedit /set debug off
bcdedit /set bootdebug off
bcdedit /set hypervisorlaunchtype auto
bcdedit /deletevalue loadoptions
Other things I tried:
- SFC / DISM repair
- System Restore
- Windows 11 in-place repair installation while keeping files and apps
- Reinstalling Riot Vanguard
- Checking TPM 2.0
- Checking BIOS updates through Lenovo Vantage
- Loading BIOS defaults
- Restoring Secure Boot factory keys again
None of these fixed the Secure Boot boot-loop issue.
What actually allowed Windows to boot again with Secure Boot enabled
The key fix was using Microsoft’s SecureBootRecovery.efi.
I created a FAT32 USB drive with this path:
EFI\BOOT\bootx64.efi
The file was copied from:
C:\Windows\Boot\EFI\SecureBootRecovery.efi
and renamed to:
bootx64.efi
Then I enabled Secure Boot, booted from the USB through the Lenovo Boot Menu, and let the recovery tool run.
After that, Windows finally booted normally with Secure Boot enabled again.
After booting into Windows:
Confirm-SecureBootUEFI
returned:
True
And msinfo32 showed:
BIOS Mode: UEFI
Secure Boot State: On
I also checked that Windows UEFI CA 2023 was present in the Secure Boot DB, and it returned true.
My current understanding of the issue
My understanding is:
The Lenovo BIOS “Restore Factory Keys” option may restore an older Secure Boot DB that does not properly include the newer Windows Secure Boot 2023 certificate chain.
As a result:
- Windows may require the newer Secure Boot certificate / DB state to boot.
- Lenovo BIOS factory defaults may revert the Secure Boot DB to an older state.
- Windows then fails to boot under Secure Boot and returns to Boot Menu.
- SecureBootRecovery.efi restores the missing Secure Boot certificate / DB entries, allowing Windows to boot again.
This also explains why normal Windows boot repair commands like bcdboot, SFC/DISM, and even an in-place repair did not help. The issue was not simply the Windows Boot Manager file. It was the Secure Boot trust database / certificate state.
Important warning
If your Windows can boot only when Secure Boot is disabled, be careful with repeatedly using:
- Restore Factory Keys
- Install Default Secure Boot Keys
- Clear Secure Boot Keys
- Reset to Setup Mode
In my case, restoring factory keys made Windows unable to boot with Secure Boot enabled until I used SecureBootRecovery.efi.
Current status
The Windows boot problem is fixed now:
- Secure Boot enabled
- Windows boots normally
- Confirm-SecureBootUEFI returns True
- TPM 2.0 ready
- Windows UEFI CA 2023 present in DB
However, VALORANT / Vanguard still shows VAN: STATUS_SB_POLICY.
So now the strange part is:
Windows accepts Secure Boot, but Vanguard still says the Secure Boot policy/database cannot be verified and asks for factory defaults. But on my laptop, restoring factory defaults breaks Windows boot again.
My takeaway
This seems to be a conflict between:
- Lenovo BIOS factory Secure Boot DB
- Microsoft’s newer Secure Boot 2023 certificate update process
- Riot Vanguard’s Secure Boot policy check
For anyone facing the same problem, I would suggest checking SecureBootRecovery.efi before doing a full clean install or assuming the SSD / Windows installation is broken.
If anyone has successfully fixed the remaining Vanguard STATUS_SB_POLICY error, I would really appreciate hearing what finally worked.
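The post's theory is that the active Secure Boot DB and the firmware's factory-default DB hold different certificates. The following is an added example, not part of the original post, that lists the certificates in both so the difference can be seen before any factory keys are restored. It assumes an elevated PowerShell session, firmware that exposes the `dbDefault` variable, and that the BIOS "restore factory keys" option installs what `dbDefault` reports (not confirmed by the post).

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on a UEFI system.
# Parses EFI_SIGNATURE_LIST structures and returns the X.509 certificates they contain.
function Get-EslCertificate {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # List header: SignatureType (16 bytes), then three little-endian UINT32 sizes
        $typeBytes = New-Object byte[] 16
        [Array]::Copy($Bytes, $offset, $typeBytes, 0, 16)
        $type       = New-Object guid (, $typeBytes)
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }  # malformed list
        if ($type -eq $x509Type -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # Each entry: SignatureOwner GUID (16 bytes) followed by the DER certificate
                $der = New-Object byte[] ($sigSize - 16)
                [Array]::Copy($Bytes, $pos + 16, $der, 0, $der.Length)
                New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (, $der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# db is the active allow-list; dbDefault is the firmware's built-in default copy.
$report = foreach ($name in 'db', 'dbDefault') {
    $var = Get-SecureBootUEFI -Name $name -ErrorAction SilentlyContinue
    if (-not $var) { Write-Warning "$name is not exposed by this firmware"; continue }
    foreach ($cert in Get-EslCertificate -Bytes $var.Bytes) {
        [pscustomobject]@{
            Variable = $name
            Subject  = $cert.GetNameInfo('SimpleName', $false)
            NotAfter = $cert.NotAfter
        }
    }
}
$report | Sort-Object Variable, Subject | Format-Table -AutoSize

# A 2023 CA present in db but absent from dbDefault is the mismatch the post suspects.
foreach ($name in 'db', 'dbDefault') {
    $has2023 = [bool]($report | Where-Object { $_.Variable -eq $name -and $_.Subject -eq 'Windows UEFI CA 2023' })
    "{0}: Windows UEFI CA 2023 present = {1}" -f $name, $has2023
}
```

This only reads the variables and changes nothing in firmware. It does not show what Vanguard itself evaluates.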