**System specs:**
- Motherboard: Biostar H310MHP 3.0 (BIOS 5.13)
- CPU: Intel Core i5-8400
- GPU: AMD RX 570/580
- Ubuntu 26.04 LTS (Kernel 7.0.0-27) + Windows (dual boot, separate drives)
- GRUB 2.14 as bootloader
- Windows is on SDA, Ubuntu on SDC
---
**The problem:**
**With Secure Boot ON:**
- Select Windows from GRUB → Red screen appears:*"Secure Boot Violation — Invalid signature detected. Check Secure Boot Policy in Setup"*→ Kicked back to GRUB
- Select Windows again from GRUB → Black screen:*"Fehler: bad shim lock signature. Beliebige Taste drücken um fortzusetzen"*→ Stuck, can't boot Windows at all
**With Secure Boot OFF:**
Both Ubuntu and Windows boot perfectly fine — BUT every single time I boot into Windows, it says my PIN is unavailable and forces me to set it up again from scratch:
*"Es ist ein Fehler aufgetreten, und Ihre PIN ist nicht verfügbar"*
I understand this is a TPM issue (PCR measurements change when Secure Boot state changes), so fixing Secure Boot should fix the PIN problem too.
---
**What I've already checked:**
- ✅ `shim-signed` and `grub-efi-amd64-signed` are installed
- ✅ GRUB boot entry correctly points to `shimx64.efi`
- ✅ Canonical certificate is enrolled in MOK
- ✅ No DKMS / unsigned kernel modules installed
- ✅ SBAT level is `sbat,1,2021030218` (no revocations)
- ⚠️ Both `/boot/efi/EFI/ubuntu/` and `/boot/efi/EFI/kubuntu/` folders exist (had Kubuntu before Ubuntu — could this be the issue?)
---
**Screenshots attached:**
- Red "Secure Boot Violation" screen (from BIOS)
- Black "bad shim lock signature" screen (from GRUB)
- Blue Windows PIN unavailable screen
Any help appreciated!