• Secure Boot

    #2454737

    My W10 Pro64 is ready for W11 apart from an issue identified by Windows. That keeps telling me that I must enable Secure Boot in the UEFI. It is enabled there, but it seems that Windows cannot see that. I have searched online for a solution but all I can find are offers to download software (which I do not like unless recommended by AskWoody) or seem to involve various tweaks to the registry – again something I do not like doing.

    Any advice as to what to do? My hardware exceeds the W11 requirements and TPM is on.
    Many thanks,

    David

    • #2454741

      Download portable free WhyNotW11 and post results.

    • #2454746

      It could be that anything in the pre-boot environment that isn’t up to par is reverting to CSM, from in some cases running an MBR drive with UEFI settings, to an added OEM boot time utility not signed for Windows 10.

      It might even be worth checking the settings for things like boot order and legacy USB support. For example with that enabled and a card reader installed, sometimes even if there is no card installed (as that’s down to the firmware in the reader) the device can present as “bootable” and if the BIOS is set to boot USB devices first then it will try to boot that card reader, first as UEFI then CSM mode, and then might not change back to UEFI on some older BIOS versions before continuing the boot process as that constitutes a boot failure at that device anyway.

      Windows will still start (as Windows places both boot topologies on the system even when booting UEFI so you have some hope of getting into the OS should the BIOS settings mess up) but it has still started in CSM mode, that is to say, it is not secure, and thus secure boot has not been achieved, even if the BIOS has been set to attempt to pass that test.

      Alternatively if it’s a desktop, unplug all the drives and plug-in peripherals you aren’t using, ensure USB legacy support is off in the BIOS and you’re booting hard disk first for an “in Windows” upgrade (making a note of any custom BIOS changes you made would be helpful as a USB keyboard might not get you back into the BIOS with that setting, you could have to reset by jumper and start over to go back) and try again.

    • #2454745

      Boot Method: Legacy

      Disk Partition: GPT Not Detected

      Secure Boot: Disabled/Not Detected

    • #2454759

      Unusual to have W10 on a non-GPT partition. Is this an upgrade from an old system?

      Boot into the BIOS / EFI and check if you can enable secure boot – don’t actually do it.

      What is the model of PC?

      cheers, Paul

    • #2454774

      In order to install Win11 the boot method in the BIOS needs to be set for UEFI and Secure Boot needs to be enabled.

      As for the Disk Partition needing to be GPT, if your drive meets the qualifications for it, you can use mbr2gpt.exe (included in Windows 10) to do an “in place” conversion from MBR to GPT without losing any data.

      To check whether a drive can be successfully converted to GPT open an “elevated” command prompt and enter

      mbr2gpt.exe /validate /allowFullOS

      If it returns “MBR2GPT: Validation completed successfully“, you’re good to do the conversion.

      WARNING

      You should make a full backup before doing the conversion and it should be done while the OS is off-line (i.e. in recovery mode)

      To do the actual conversion…

      Settings > Update & Security > Recovery and under the “Advanced startup” section on the right, click the Restart now button to boot into Recovery Mode

      Once in Recovery mode, select Troubleshooting > Advanced options > Command Prompt.

      Login with an “Administrator” account and run

      C:\Windows\System32\mbr2gpt.exe /convert
      

      Once the conversion is done, power off your PC and then power it back on.

      Note: the conversion can not be undone (which is why you must make a backup beforehand) and the boot method in the BIOS must be changed to UEFI or the drive won’t boot!
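
      An added example, not part of the original post: a read-only PowerShell check that gathers the facts this procedure depends on (the firmware mode Windows booted in, the partition style of the boot disk, and the `mbr2gpt.exe /validate` result) before anything is converted. The function name `Test-GptConversionReadiness` is hypothetical; it assumes Windows 10 with PowerShell 5.1 in an elevated session.

      ```powershell
      # Added example (not from the thread): read-only check before an MBR-to-GPT
      # conversion. Run from an elevated PowerShell prompt; nothing here modifies the disk.

      function Test-GptConversionReadiness {   # hypothetical helper name
          # Firmware mode Windows actually booted in: 'Bios' (legacy/CSM) or 'Uefi'.
          $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

          # The disk that holds the running Windows installation.
          $disk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
          if (-not $disk) { throw 'Get-Disk did not report a boot disk.' }

          $result = [ordered]@{
              FirmwareMode   = "$firmware"
              DiskNumber     = $disk.Number
              PartitionStyle = "$($disk.PartitionStyle)"   # MBR, GPT or RAW
              Mbr2GptExit    = $null
              Verdict        = $null
          }

          if ($disk.PartitionStyle -eq 'GPT') {
              $result.Verdict = if ("$firmware" -eq 'Uefi') {
                  'Disk is GPT and Windows booted in UEFI mode; no conversion needed.'
              } else {
                  'Disk is GPT but Windows reports a legacy boot; review firmware boot settings.'
              }
          }
          elseif ($disk.PartitionStyle -eq 'MBR') {
              # Same validation the post runs by hand, pinned to the boot disk.
              # Out-Host keeps the tool's messages out of the function's return value.
              & "$env:SystemRoot\System32\mbr2gpt.exe" /validate "/disk:$($disk.Number)" /allowFullOS |
                  Out-Host
              $result.Mbr2GptExit = $LASTEXITCODE

              $result.Verdict = if ($LASTEXITCODE -eq 0) {
                  'Validation passed. Back up, convert from recovery mode, then switch firmware to UEFI.'
              } else {
                  'Validation failed; do not convert. See setuperr.log in the Windows folder.'
              }
          }
          else {
              $result.Verdict = "Unexpected partition style '$($disk.PartitionStyle)'; stop and investigate."
          }

          [pscustomobject]$result
      }

      Test-GptConversionReadiness | Format-List
      ```

      A non-zero `Mbr2GptExit` means the layout does not meet the tool's requirements, so the `/convert` step should not be attempted until the cause is resolved.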

      • #2454920

        Login with an “Administrator” account…

        OK, “dumb” question time, but it bears asking: By that statement, do you mean the built-in Administrator account, or any account that has Administrator privileges?

        • #2455134

          OK, “dumb” question time, but it bears asking: By that statement, do you mean the built-in Administrator account, or any account that has Administrator privileges?

          As I regularly tell my Uncle under similar circumstances:

          When it comes to computers and the S/W they run, there’s really no such thing as a “dumb” question.

          Any account with Administrator privileges will work.

      • #2454925

        @alejr ( @bigal67 )-

        Do you remember how to tell, from within a running copy of Windows, whether a disk is set to MBR or GPT?

        I seem to recall having to go into the disk management module and then having to right click on the drive letter of the drive in question, but I don’t remember what to do after that.

        Doing so will help David find out if he indeed had his boot drive configured to MBR instead of GPT.

        • #2455047

          Do you remember how to tell, from within a running copy of Windows, whether a disk is set to MBR or GPT?

          Open Disk Management (diskmgmt.msc) and, in the bottom section, right-click the disk # you want to check (i.e. Disk 0), and select Properties

          Select the Volumes tab and the Partition Style: entry will show whether it’s MBR or GPT.

          Note: selecting the properties option by right-clicking a drive letter in explorer doesn’t display this info.

           

          • #2455049

            Thanks, I get mbr.

          • #2456749

            Thanks for the reminder! I knew that I had to right click, just didn’t remember the right place in the diskmgmt snap-in to do so.

      • #2455027

        I followed the procedure for checking if my drive could be converted to gpt mentioned in post #2454774 and got the response Validation completed successfully.

        Next step is to do the conversion – but I need to back-up more files, Thanks.

        I will also await your advice about the Asus board.

    • #2454773

      Hi Paul,

      My rig was built for me by Chillblast, UK. I replaced the motherboard, chip, RAM and graphics card 2 years ago:

      Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz 3.60 GHz

      RAM:16GB

      C drive: Samsung SSD 860 EVO 250GB 49% used.

      I upgraded from W8 to W10 a few years ago.

      UEFI/BIOS shows Secure Boot as enabled.

      David

      • #2454819

        What kind of motherboard, David?
        Important to mention the brand & model of the motherboard because you said you replaced it a few years ago and it may have different UEFI/BIOS options than the previous motherboard you had.

      • #2454964

        A legacy boot is a MBR/BIOS type boot, and these do not work with Secure Boot, even if you have that enabled in the UEFI settings.

        As @alejr wrote above, it will be necessary to convert the MBR setup to a GPT setup. That should allow secure boot to work, which in turn should allow the upgrade.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #2454888

      Asus PRIME B360-PLUS Motherboard.

      This replaced a similar motherboard, supplied in 2019 that developed a fault. The supplier could not fix it so replaced it with another board of the same type. He also fitted new RAM and a new chip in case the fault was in one of those items.

      These were:

      Intel Core i9-9900K CPU, 8 Cores / 16 Threads, 3.6 – 5.0GHz

      16GB DDR4 2666MHz Memory (2 x 8GB Sticks)

      • #2454908

        Since you say that you have already enabled Secure Boot in your UEFI/BIOS, then the advice given by @alejr ( @bigal67 ) in post 2454774 above is pertinent. Please read it carefully and completely before proceeding with any part of it.

        Please pay particular attention to the fact that you must fully enable UEFI within the UEFI/BIOS setup for it to work as intended.

        In my case (I don’t have an Asus board with the B360 chipset, I have a Gigabyte board with the B365 chipset), that means going into the UEFI/BIOS setup and changing it from a legacy boot to UEFI boot, and then changing my SSD’s formatting from MBR to GPT. That’s the process described in the post I linked to above.

        EDIT: Well, I just looked at your motherboard’s manual for guidance on just what the settings area should look like in order to change the setup from Legacy boot to UEFI boot, but the manual was useless for this endeavor. It just glossed over the fact that you can toggle between the easy mode and advanced mode by toggling the F7 key. There is no description of what’s in the advanced menus, which is where you need to go to make sure the machine boots into UEFI mode instead of Legacy mode. Instead of a section describing the advanced settings in detail, it just had a QR code to scan that will take you to the FAQ page where they expect you to search for an answer.

        Because of my poor experience with the exact manual for the board, I’m going to try and see if there is better guidance in motherboard manuals for other boards from Asus that have the 360 chipset and possibly even the 365 chipset. My goal is to be able to guide you to the right area, having a decent idea of just what you’re looking for.

        EDIT number 2: I found a manual from another Asus board with the B360 chipset that has detailed guidance with regards to the advanced menu settings. I’m waiting to see what comes of others’ advice before proceeding with any instructions with regards to the BIOS settings.

    • #2455007

      To see what boot mode Windows is actually using, read this post: #2175039

      cheers, Paul

    • #2455025

      Thanks, Paul. I get winload.exe. So, I have to work out how to change the SSD format from mbr to gpt.

    • #2455060

      The manual for the ASUS ROG Strix B360-G Gaming motherboard and my own ASUS ROG Maximus XI Gene Z390 motherboard show the following BIOS options for UEFI.

      Your ASUS Prime B360-Plus Motherboard “should” be the same.

      Enter BIOS setup (press F2 or Delete when prompted during boot) and select the BOOT menu.

      Launch CSM must be “Enabled” to see the following option.

      Boot Devices Control

        UEFI and Legacy OPROM
        Legacy OPROM only
        UEFI only

      The 1st option will work with both MBR and GPT drives.

      The 2nd option will only work with MBR drives.

      The 3rd option will only work with GPT drives.

      • #2455078

        CSM currently set at UEFI and Legacy. Does this need to be changed to UEFI only?

        • #2455129

          CSM currently set at UEFI and Legacy. Does this need to be changed to UEFI only?

          As I pointed out, that particular setting works just fine to boot drives using either MBR/Legacy mode or GPT/UEFI mode.

          If you really want to, you can change it to UEFI only, but only after you’ve converted the Windows drive to GPT/UEFI mode.

          If you change it “before” completing the conversion, the BIOS won’t recognize the drive as being bootable!

      • #2458946

        @alejr

        Regarding turning Secure Boot on within an ASUS Motherboard:

        I have an ASUS Rog Strix Z370-E Gaming board that came in my Maingear computer and Secure Boot has never been activated.

        My disk partition is GPT, Bios Mode is UEFI.

        The Motherboard BOOT menu > Secure Boot >OS Type is currently set to “Other OS” which I understand on an ASUS board means Secure Boot is OFF/DISABLED.  This has to be switched to “Windows UEFI Mode” to turn Secure Boot ON/Enabled – correct?

        Another confusing item with an ASUS board is the CSM setting(s). Some say the CSM needs to be turned OFF to enable/use Secure Boot, others (perhaps you included) say CSM > Launch CSM > Enabled > Boot Devices Control can be set with Secure Boot at the same time.

        As I said, Secure Boot has never been set on my computer and the CSM was originally set per above at “UEFI only”.  However this would not allow me to boot from a CD so we changed the setting to “UEFI Legacy OPROM” which solved the problem.

        Can I leave the CSM at the above current setting and still turn on Secure Boot? Or does CSM need to be completely turned OFF, or only use the “UEFI only” setting?

        Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
        • #2458980

          The Motherboard BOOT menu > Secure Boot >OS Type is currently set to “Other OS” which I understand on an ASUS board means Secure Boot is OFF/DISABLED. This has to be switched to “Windows UEFI Mode” to turn Secure Boot ON/Enabled – correct?

          No, you enable/disable secure boot by changing the Secure Boot state option.

          Secure boot can also be used with OS’s other than Windows (like Linux) and that’s what the OS Type setting is for (of course, if it’s set to Other OS, then Windows won’t be able to use Secure Boot which means it’ll “act” like it’s disabled even with the state set to Enabled).

           

          Another confusing item with an ASUS board is the CSM setting(s). Some say the CSM needs to be turned OFF to enable/use Secure Boot, others (perhaps you included) say CSM > Launch CSM > Enabled > Boot Devices Control can be set with Secure Boot at the same time.

          CSM and Secure Boot are “sorta” related, but only because Windows must be setup for UEFI to use Secure Boot.

          CSM’s (Compatibility Support Module) real function is to enable/disable “boot support” for legacy devices that may or may not be in use on your PC (like that CD you have.)

          The CSM setting in the BIOS on many older motherboards only had Enabled/Disabled (or sometimes Legacy/Disabled) options where disabled = UEFI boot support.

          On most modern BIOS, like our Asus motherboards, it’s quite a bit more nuanced with lots of options to give more control over exactly how your PC treats different boot devices.

          Boot Devices Control:

            UEFI and Legacy OPROM/Legacy OPROM only/UEFI only

          Boot from Network Devices:

            Ignore/Legacy only/UEFI driver first

          Boot from Storage Devices:

            Ignore/Legacy only/UEFI driver first

          Boot from PCI-E/PCI Expansion Devices:

            Legacy only/UEFI driver first

          It’s normally best to leave the Boot Devices Control set for “UEFI Legacy OPROM” as that supports both UEFI and Legacy devices.

          BTW, I think it’s a shame Asus decided to remove the “Auto” CSM setting that was available in the BIOS on their older motherboards (like my old Asus ROG Maximus VIII Gene) because it automatically detected what sort of device you were trying to boot from and set the correct boot mode with no “user interaction” required!

          • #2459057

            @alejr

            Thanks for the detailed reply, however I am still confused on how to turn Secure Boot ON.

            You say:

            No, you enable/disable secure boot by changing the Secure Boot state option.

            I thought/read setting  the Secure Boot >OS Type to “Windows UEFI Mode” was changing the Secure Boot state to ON/ENABLE for Windows?

            I don’t recall seeing any separate setting option in the ASUS  bios settings called Secure Boot state to select simply “Enable/Disable” Secure Boot.

            Pls advise where to find such a setting in the bios, or are we basically saying the same thing?

             

            • #2459076

              As I explained earlier, the OS Type setting does not determine whether Secure Boot is actually enabled/disabled, it sets which type of OS will use it (Windows/Other) once it’s actually enabled (in your case, if you intend to use Secure Boot, it must be set for Windows UEFI.)

              As for actually enabling Secure Boot, for the BIOS on my particular motherboard the setting is called Secure Boot state with the following two options (Enabled/Disabled – note, the “default” setting is Enabled.)

              Since you have a “different” motherboard with a “different” BIOS, it’s not necessarily going to be called exactly the same thing, but there should be a specific Secure Boot setting with Enable/Disable options (unless Asus removed it from the BIOS for your particular motherboard because they decided to set it to always enabled.)

              Regardless, you can check whether it’s enabled/disabled by running the following command from powershell as an Administrator.

              Confirm-SecureBootUEFI

              You’ll see True if Secure Boot is enabled, False if it’s disabled.

              If you get a “Cmdlet not supported on this platform” error message, it’ll be because the OS Type is set to “Other OS” instead of “Windows UEFI“.

            • #2459086

              @alejr

              Regardless, you can check whether it’s enabled/disabled by running the following command from powershell as an Administrator. Confirm-SecureBootUEFI You’ll see True if Secure Boot is enabled, False if it’s disabled.

              I show False.

              Also System Information >System Summary>Secure  Boot State show OFF

              Inside my ASUS bios under Boot>Secure Boot screen it shows:

              “Secure Boot state >   Enabled” (Gray lettering/not selectable)

              “Platform Key (PK) state > Unloaded” (Gray lettering/not selectable)

              “OS Type >  Other OS” ( White lettering in a dropdown box, selectable between “Other OS” and  “Windows UEFI mode” also in White lettering)

              Perhaps the “Secure Boot state” lights up after selecting Windows UEFI mode? Or the Gray Enabled then also displays a Disabled?

            • #2459215

              You’re over complicating things.

              I can’t answer questions about how the BIOS in your motherboard works because I have a “different” motherboard with a “different” BIOS and, as I already pointed out, the BIOS on “different” motherboards (even from the same manufacturer) will not be the same.

              Cutting to the chase…

              Secure Boot is a function built into the motherboard, not the OS.

              In order for an OS to actually be able to access/use Secure Boot, these two things (located somewhere in the BIOS for a motherboard) need to be set as indicated:

              Secure Boot must be enabled.

              OS Type must match the OS you’re using.

              If either of those is not set correctly, your OS will not be able to access/use Secure Boot!

            • #2459279

              Thanks for trying to help as much as you have. It initially sounded as though your board was similar enough to mine to provide the specific answers.

              Secure Boot is a function built into the motherboard, not the OS. In order for an OS to actually be able to access/use Secure Boot, these two things (located somewhere in the BIOS for a motherboard) need to be set as indicated: Secure Boot must be enabled. OS Type must match the OS you’re using. If either of those is not set correctly, your OS will not be able to access/use Secure Boot!

              I am aware of those requirements. That is why I initially thought the Secure Boot > OS Type dropdown box selector could be the answer. But you said:

              No, you enable/disable secure boot by changing the Secure Boot state option.

              So what is still missing is HOW to actually enable Secure Boot. As noted, the Bios says the Secure Boot state is Enabled, but all Windows checks say it is NOT Enabled. I checked every possible setting in my Bios and there is nothing that references an Enable/Disable Secure Boot switch. Or a way to directly change the Secure Boot state.

              You’re over complicating things

              Not really, still no definitive answer for my motherboard Z370-E.  The search continues.

            • #2459284

              “Perhaps the “Secure Boot state” lights up after selecting Windows UEFI mode?”

              That’s how it worked on one of my ASUS motherboards (not your model). UEFI is a prerequisite for Secure Boot.

               

        • #2459325

          In your initial post you stated

          The Motherboard BOOT menu > Secure Boot >OS Type is currently set to “Other OS” which I understand on an ASUS board means Secure Boot is OFF/DISABLED.

          Which is wrong because Secure Boot can also be used with other OS’s, like Linux, which is what that setting is for.

          As noted, the Bios says the Secure Boot state is Enabled, but all Windows checks say it is NOT Enabled. I checked every possible setting in my Bios and there is nothing that references an Enable/Disable Secure Boot switch. Or a way to directly change the Secure Boot state.

          That “seems” to indicate that the BIOS on your particular motherboard is one where Secure Boot is always enabled.

          As for the Windows secure boot check…

          Remember, in order for “Windows” to be able to access/use Secure Boot, the OS Type must be set to Windows UEFI.

          Think of it like this…

          Secure Boot enabled/disabled is like turning your radio on/off.

          OS Type Windows UEFI/Other OS is like selecting AM/FM frequencies.

          Right now it “appears” your radio is ON, but it’s set to receive FM frequencies (Other OS) while Windows only works with AM frequencies (Windows UEFI)
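
          An added example, not part of the original posts: a PowerShell report of Secure Boot as Windows sees it, covering the `Confirm-SecureBootUEFI` check and the Platform Key reading discussed in this sub-thread. The function name `Get-SecureBootReport` is hypothetical; it assumes an elevated Windows PowerShell session, and it relies on the UEFI rule that firmware with no Platform Key enrolled is in Setup Mode and does not enforce Secure Boot.

          ```powershell
          # Added example (not from the thread): report Secure Boot state as Windows sees it.
          # Run from an elevated PowerShell prompt; both cmdlets only read firmware variables.

          function Get-SecureBootReport {   # hypothetical helper name
              $report = [ordered]@{ SecureBoot = $null; SetupMode = $null; Detail = $null }

              try {
                  # True = Secure Boot is enforced for this boot, False = it is not.
                  $report.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
              }
              catch [System.PlatformNotSupportedException] {
                  # The "Cmdlet not supported on this platform" case quoted in the thread.
                  $report.SecureBoot = 'Unavailable'
                  $report.Detail = 'Windows cannot read UEFI Secure Boot variables in this boot.'
                  return [pscustomobject]$report
              }
              catch [System.UnauthorizedAccessException] {
                  $report.SecureBoot = 'Unknown'
                  $report.Detail = 'Not elevated; rerun from an Administrator PowerShell prompt.'
                  return [pscustomobject]$report
              }

              try {
                  # SetupMode is a one-byte UEFI variable: 1 = no Platform Key (PK) enrolled.
                  $setup = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
                  $report.SetupMode = [bool]$setup.Bytes[0]
              }
              catch {
                  $report.SetupMode = 'Unknown'
              }

              $inSetupMode = ($report.SetupMode -is [bool]) -and $report.SetupMode
              $report.Detail = if ($report.SecureBoot -eq $true) {
                  'Secure Boot is active for this boot.'
              }
              elseif ($inSetupMode) {
                  'Secure Boot is off and no Platform Key is enrolled (firmware is in Setup Mode).'
              }
              else {
                  'Secure Boot is off although a Platform Key is enrolled; check the firmware setting.'
              }

              [pscustomobject]$report
          }

          Get-SecureBootReport | Format-List
          ```

          The result reflects the boot that is currently running, so rerun it after each firmware change and reboot rather than relying on what the setup screen displays.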

    • #2455072

      Don’t change the SSD format – yet.

      Converting from MBR to UEFI means reinstalling.

      See this article.
      https://www.diskpart.com/articles/convert-mbr-to-uefi-1984.html

      cheers, Paul

      • #2455102

        Not true anymore, you can use mbr2gpt.exe from the Windows Recovery Environment to do the conversion. I’ve done it several times.

    • #2455429

      Many thanks to all the advice and guidance that has been provided to me. I have now managed to prepare my PC for W11 – but will hold off the upgrade a little longer. I have learned a lot more about my PC and Windows than I expected, which I very much appreciate. Thank you all.
