• Secure Boot

    #2454737

    My W10 Pro64 is ready for W11 apart from an issue identified by Windows. That keeps telling me that I must enable Secure Boot in the UEFI. It is enabled there, but it seems that Windows cannot see that. I have searched online for a solution but all I can find are offers to download software (which I do not like unless recommended by AskWoody) or seem to involve various tweaks to the registry – again something I do not like doing.

    Any advice as to what to do? My hardware exceeds the W11 requirements and TPM is on.
    Many thanks,

    David

    • #2454741

      Download portable free WhyNotW11 and post results.

    • #2454746

      It could be that anything in the pre-boot environment that isn’t up to par is reverting to CSM, from, in some cases, running an MBR drive with UEFI settings, to an added OEM boot time utility not signed for Windows 10.

      It might even be worth checking the settings for things like boot order and legacy USB support. For example, with that enabled and a card reader installed, sometimes even if there is no card installed (as that’s down to the firmware in the reader) the device can present as “bootable”, and if the BIOS is set to boot USB devices first then it will try to boot that card reader, first as UEFI then CSM mode, and then might not change back to UEFI on some older BIOS versions before continuing the boot process, as that constitutes a boot failure at that device anyway.

      Windows will still start (as Windows places both boot topologies on the system even when booting UEFI, so you have some hope of getting into the OS should the BIOS settings mess up), but it has still started in CSM mode, that is to say, it is not secure, and thus secure boot has not been achieved, even if the BIOS has been set to attempt to pass that test.

      Alternatively, if it’s a desktop, unplug all the drives and plug-in peripherals you aren’t using, ensure USB legacy support is off in the BIOS and you’re booting hard disk first for an “in Windows” upgrade (making a note of any custom BIOS changes you made would be helpful, as a USB keyboard might not get you back into the BIOS with that setting; you could have to reset by jumper and start over to go back) and try again.

    • #2454745

      Boot Method: Legacy

      Disk Partion: GPT Not Detected

      Secure Boot: Disabled/Not Detected

    • #2454759

      Unusual to have W10 on a non-GPT partition. Is this an upgrade from an old system?

      Boot into the BIOS / EFI and check if you can enable secure boot – don’t actually do it.

      What is the model of PC?

      cheers, Paul

    • #2454774

      In order to install Win11 the boot method in the BIOS needs to be set for UEFI and Secure Boot needs to be enabled.

      As for the Disk Partition needing to be GPT, if your drive meets the qualifications for it, you can use mbr2gpt.exe (included in Windows 10) to do an “in place” conversion from MBR to GPT without losing any data.

      To check whether a drive can be successfully converted to GPT open an “elevated” command prompt and enter

      mbr2gpt.exe /validate /allowFullOS

      If it returns “MBR2GPT: Validation completed successfully“, you’re good to do the conversion.

      WARNING

      You should make a full backup before doing the conversion and it should be done while the OS is off-line (i.e. in recovery mode)

      To do the actual conversion…

      Settings > Update & Security > Recovery and under the “Advanced startup” section on the right, click the Restart now button to boot into Recovery Mode

      Once in Recovery mode, select Troubleshooting > Advanced options > Command Prompt.

      Login with an “Administrator” account and run

      C:\Windows\System32\mbr2gpt.exe /convert
      

      Once the conversion is done, power off your PC and then power it back on.

      Note: the conversion can not be undone (which is why you must make a backup beforehand) and the boot method in the BIOS must be changed to UEFI or the drive won’t boot!
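
An added example, not part of the original post and not code from any forum member: a read-only PowerShell report that gathers what this thread checks by hand (the firmware mode Windows actually booted in, the boot disk's partition style, and the Secure Boot state) and then runs the `mbr2gpt /validate` step above. The function name `Get-SecureBootReadiness` is hypothetical; it assumes an elevated Windows PowerShell 5.1 prompt on Windows 10.

```powershell
# Added example: read-only pre-flight report before an MBR-to-GPT conversion.
# Assumption: elevated Windows PowerShell 5.1 session on Windows 10.

function Get-SecureBootReadiness {   # hypothetical helper name
    # Firmware mode Windows actually booted in (Uefi or Bios),
    # which can differ from what the firmware setup screen shows.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Disk that holds the running Windows installation.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1

    # Confirm-SecureBootUEFI throws on a legacy (CSM) boot, so a failure
    # here is reported as "not available" rather than stopping the script.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        $secureBoot = 'Not available (legacy boot or unsupported firmware)'
    }

    [pscustomobject]@{
        FirmwareMode   = $firmware
        BootDiskNumber = $bootDisk.Number
        PartitionStyle = $bootDisk.PartitionStyle
        SecureBoot     = $secureBoot
    }
}

$report = Get-SecureBootReadiness
$report | Format-List

if ($report.PartitionStyle -eq 'MBR') {
    # /validate only checks the layout; it makes no changes to the disk.
    & "$env:SystemRoot\System32\mbr2gpt.exe" /validate /disk:$($report.BootDiskNumber) /allowFullOS
    if ($LASTEXITCODE -eq 0) {
        'Disk passed validation: back up, then convert from the Recovery Environment.'
    } else {
        "Validation failed (exit code $LASTEXITCODE): do not attempt the conversion."
    }
} elseif ($report.FirmwareMode -eq 'Uefi' -and $report.SecureBoot -ne 'Enabled') {
    'Disk is GPT and the boot is UEFI: Secure Boot still has to be enabled in firmware setup.'
}
```

A machine in the state described in this thread would report a Bios firmware mode, an MBR partition style and Secure Boot as not available, whatever the firmware setup screen shows.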

      • #2454920

        Login with an “Administrator” account…

        OK, “dumb” question time, but it bears asking: By that statement, do you mean the built-in Administrator account, or any account that has Administrator privileges?

        • #2455134

          OK, “dumb” question time, but it bears asking: By that statement, do you mean the built-in Administrator account, or any account that has Administrator privileges?

          As I regularly tell my Uncle under similar circumstances:

          When it comes to computers and the S/W they run, there’s really no such thing as a “dumb” question.

          Any account with Administrator privileges will work.

      • #2454925

        @alejr ( @bigal67 )-

        Do you remember how to tell, from within a running copy of Windows, whether a disk is set to MBR or GPT?

        I seem to recall having to go into the disk management module and then having to right click on the drive letter of the drive in question, but I don’t remember what to do after that.

        Doing so will help David find out if he indeed had his boot drive configured to MBR instead of GPT.

        • #2455047

          Do you remember how to tell, from within a running copy of Windows, whether a disk is set to MBR or GPT?

          Open Disk Management (diskmgmt.msc) and, in the bottom section, right-click the disk # you want to check (i.e. Disk 0), and select Properties

          Select the Volumes tab and the Partition Style: entry will show whether it’s MBR or GPT.

          Note: selecting the properties option by right-clicking a drive letter in explorer doesn’t display this info.

           

        • #2455049

          Thanks, I get mbr.

        • #2456749

          Thanks for the reminder! I knew that I had to right click, just didn’t remember the right place in the diskmgmt snap-in to do so.

      • #2455027

        I followed the procedure for checking if my drive could be converted to GPT mentioned in post #2454774 and got the response “Validation completed successfully”.

        Next step is to do the conversion – but I need to back-up more files, Thanks.

        I will also await your advice about the Asus board.

    • #2454773

      Hi Paul,

      My rig was built for me by Chillblast, UK. I replaced the motherboard, chip, RAM and graphics card 2 years ago:

      Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz 3.60 GHz

      RAM:16GB

      C drive: Samsung SSD 860 EVO 250GB 49% used.

      I upgraded from W8 to W10 a few years ago.

      UEFI/BIOS shows Secure Boot as enabled.

      David

      • #2454819

        What kind of motherboard, David?
        It is important to mention the brand & model of the motherboard, because you said you replaced it a few years ago and it may have different UEFI/BIOS options than the previous motherboard you had.

      • #2454964

        A legacy boot is a MBR/BIOS type boot, and these do not work with Secure Boot, even if you have that enabled in the UEFI settings.

        As @alejr wrote above, it will be necessary to convert the MBR setup to a GPT setup. That should allow secure boot to work, which in turn should allow the upgrade.

        Dell XPS 13/9310, i5-1135G7/16GB, Kubuntu 22.04
        XPG Xenia 15, i7-9750H/16GB & GTX1660ti, Kubuntu 22.04

    • #2454888

      Asus PRIME B360-PLUS Motherboard.

      This replaced a similar motherboard, supplied in 2019 that developed a fault. The supplier could not fix it so replaced it with another board of the same type. He also fitted new RAM and a new chip in case the fault was in one of those items.

      These were:

      Intel Core i9-9900K CPU, 8 Cores / 16 Threads, 3.6 – 5.0GHz

      16GB DDR4 2666MHz Memory (2 x 8GB Sticks)

      • #2454908

        Since you say that you have already enabled Secure Boot in your UEFI/BIOS, then the advice given by @alejr ( @bigal67 ) in post 2454774 above is pertinent. Please read it carefully and completely before proceeding with any part of it.

        Please pay particular attention to the fact that you must fully enable UEFI within the UEFI/BIOS setup for it to work as intended.

        In my case (I don’t have an Asus board with the B360 chipset, I have a Gigabyte board with the B365 chipset), that means going into the UEFI/BIOS setup and changing it from a legacy boot to UEFI boot, and then changing my SSD’s formatting from MBR to GPT. That’s the process described in the post I linked to above.

        EDIT: Well, I just looked at your motherboard’s manual for guidance on just what the settings area should look like in order to change the setup from Legacy boot to UEFI boot, but the manual was useless for this endeavor. It just glossed over the fact that you can toggle between the easy mode and advanced mode by toggling the F7 key. There is no description of what’s in the advanced menus, which is where you need to go to make sure the machine boots into UEFI mode instead of Legacy mode. Instead of a section describing the advanced settings in detail, it just had a QR code to scan that will take you to the FAQ page where they expect you to search for an answer.

        Because of my poor experience with the exact manual for the board, I’m going to try and see if there is better guidance in motherboard manuals for other boards from Asus that have the 360 chipset and possibly even the 365 chipset. My goal is to be able to guide you to the right area, having a decent idea of just what you’re looking for.

        EDIT number 2: I found a manual from another Asus board with the B360 chipset that has detailed guidance with regards to the advanced menu settings. I’m waiting to see what comes of others’ advice before proceeding with any instructions with regards to the BIOS settings.

        • This reply was modified 1 week, 1 day ago by Bob99.
    • #2455007

      To see what boot mode Windows is actually using, read this post: #2175039

      cheers, Paul

    • #2455025

      Thanks, Paul. I get winload.exe. So, I have to work out how to change the SSD format from mbr to gpt.

    • #2455060

      The manual for the ASUS ROG Strix B360-G Gaming motherboard and my own ASUS ROG Maximus XI Gene Z390 motherboard show the following BIOS options for UEFI.

      Your ASUS Prime B360-Plus Motherboard “should” be the same.

      Enter BIOS setup (press F2 or Delete when prompted during boot) and select the BOOT menu.

      Launch CSM must be “Enabled” to see the following option.

      Boot Devices Control

        UEFI and Legacy OPROM
        Legacy OPROM only
        UEFI only

      The 1st option will work with both MBR and GPT drives.

      The 2nd option will only work with MBR drives.

      The 3rd option will only work with GPT drives.

      • #2455078

        CSM currently set at UEFI and Legacy. Does this need to be changed to UEFI only?

        • #2455129

          CSM currently set at UEFI and Legacy. Does this need to be changed to UEFI only?

          As I pointed out, that particular setting works just fine to boot drives using either MBR/Legacy mode or GPT/UEFI mode.

          If you really want to, you can change it to UEFI only, but only after you’ve converted the Windows drive to GPT/UEFI mode.

          If you change it “before” completing the conversion, the BIOS won’t recognize the drive as being bootable!

    • #2455072

      Don’t change the SSD format – yet.

      Converting from MBR to UEFI means reinstalling.

      See this article.
      https://www.diskpart.com/articles/convert-mbr-to-uefi-1984.html

      cheers, Paul

      • #2455102

        Not true anymore, you can use mbr2gpt.exe from the Windows Recovery Environment to do the conversion. I’ve done it several times.

    • #2455429

      Many thanks for all the advice and guidance that has been provided to me. I have now managed to prepare my PC for W11 – but will hold off the upgrade a little longer. I have learned a lot more about my PC and Windows than I expected, which I very much appreciate. Thank you all.
