Microsoft has become choosy about its hardware requirements for Windows 11. Even if you have the correct processor and suitable level of TPM, a simple misconfiguration may still halt the process. ‘Your PC must support Secure Boot’ is an error message which can be the final stumbling block towards a successful upgrade.
Between ourselves, I’ve not seen a machine in years which didn’t support Secure Boot. Microsoft’s This PC must support Secure Boot message is quite misleading. What it should say is, Secure Boot is turned off.
If this show-stopping message is preventing your upgrade, then we’ve got some steps on how to make your boot as secure as they come.
Does my PC support Secure Boot?
According to Intel:
“Secure Boot helps a computer resist attacks and infection from malware. Secure Boot detects tampering with boot loaders, key operating system files, and unauthorised option ROMs by validating their digital signatures. Detections are blocked from running before they can attack or infect the system.”
Most modern machines run with Secure Boot pre-enabled, but there’s plenty out there that don’t. Any users trying to install Windows 11, or upgrade Windows 10, will hit problems if Secure Boot isn’t enabled.
How do I enable Secure Boot?
We control secure Boot in the BIOS environment of the machine, so you’ll need to hit the magic key combination during startup. What’s that? You don’t know the magic key combination? Fear not – follow our ‘How to access the BIOS on my PC’ then come back here once you’re a BIOS-legend.
For secure boot to work, a PC needs to be configured for UEFI boot mode and the simplest way to work this out is to have a look at the partitions of the hard drive.
To open Windows’ Disk Management tool, right click on the Windows’ Start button, then left click on Disk Management. The window will open, listing the drives inside your machine, but we’re only interested in the boot drive (look for the C: label on one of the partitions). In our example, we only have a single drive, which is disk 0. Take a note of your disk number, as we may need it later.
Right click on the disk label, and from the menu select properties.
A new window will launch, select the third tab, Volumes, then glance down the information window at Partition Style.
If your partition is listed as GPT, then congratulations, you have a UEFI booting machine, so you’re straight through to the next round. Skip down to this page to Now can I enable Secure Boot?, to which the answer is yes.
What is an MBR partition?
Honestly, we don’t need to explain the finer details, but let’s explain why it relates to enabling Secure Boot to install Windows 11.
Your partition is listed as MBR, so your machine requires extra steps before it will support Secure Boot. As I mentioned above, Secure Boot requires a machine to be configured to boot in UEFI mode and, for UEFI mode to work, requires a disk to be GPT partitioned. The MBR partition on your PC means your machine boots in CSM mode, also known as, Legacy mode. There’s nothing intrinsically wrong with this, but Secure Boot doesn’ work with CSM mode. The great news is that we can sort this out.
How to convert partitions from MBR to GPT
Certain tasks in computing are akin to whipping the cloth from the table, attempting to leave the vase full of roses. Partition conversion is one of these tasks. Despite the finest advice money can buy (which you’re getting for free – but you can buy us a Ko-Fi if you like 😉), it’s easy to snatch the gingham, smash the vase and receive a thorn between the eyes. What I’m trying to say is, do a full backup before you begin this process. Go on, I’ll wait!
To begin, type CMD into the Windows’ search box, then click the ‘Run as administrator’ option. Click yes on the confirmation window and type the following command into the box:
mbr2gpt.exe /disk:0 /validate /allowFullOS
Remember, I told you to make a note of the disk number? Ensure that you modify the command to reflect yours. In our example, our single drive is disk: 0. This command will run the Microsoft utility mbr2gpt.exe, which, as its name suggests, will convert MBR to GPT. The /validate command tells the utility to do a trial run. The last switch, /allowFullOS, runs the command when Windows is running. Press enter and after a few checks, you should see, Validation completed successfully.
To run the command for real, change /validate to /convert:
mbr2gpt.exe /disk:0 /convert /allowFullOS
This takes a little while to run, but eventually a Conversion completed successfully message will appear long with a very important notice: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode.
Technically, and actually, we’ve just broken your machine and if you restart it now, there’s a good chance it won’t boot.
Enabling UEFI boot
Shut down the machine and prepare your best pointy figure to mash whichever key will let you into the BIOS, unless you have a Lenovo in which case you’ll need a stick to wiggle in NOVO hole. Power it up and, by whatever means necessary, get into the BIOS. If you miss, power off the machine and try again.
All BIOS vary, so I can’t give you any definite guidance on where to go. If you look at the image above, this Gigabyte motherboard has the setting we need in the Boot menu. Remember, we’re trying to turn on UEFI boot, but in this example, UEFI isn’t offered as a menu option. The correct selection is to set CSM Support to disabled. The logic in this example is that if CSM is off, then UEFI is on. Many boards allow CSM and UEFI to co-exist, in which case, re-booting won’t be a problem but disabling CSM will force the change.
Once everything is changed, save and exit the BIOS (pressing F10 normally triggers this) and let the machine restart. Try not to pull a muscle as you jump for joy as your Windows’ desktop appears. To confirm that we’re safe to proceed, re-open Disk Management by right-clicking on the start button, then left-clicking on Disk Management.
If all has gone to plan, the drive now has more partitions and if you right-click on the disk label again and select Properties, then Volumes (third tab along), you should notice that the Partition Style has switched to GPT.
Finally, we can now enable Secure boot to install Windows 11.
Now can I enable Secure Boot?
Oh yes! Power off the machine and use the appropriate method to enter the BIOS.
There is little standardisation in BIOS configurations, so tracking down Secure Boot will take a little effort. In our example above, the HP BIOS places it under the Advanced options and ties it together with Legacy Boot mode. On this machine, we selected the only option which enabled Secure Boot, then saved the BIOS (using F10) and restarted the machine.
Other BIOS setups may have the option in a different place, so have a good look around, but it’s often located amongst Boot or Advanced options.
Make the BIOS changes, restart the machine and your PC will now support Secure Boot
Secure Boot is enabled, Can I install Windows 11?
Providing you hit the rest of 11’s hardware requirements, a successful installation should now be a formality. If you’ve made it this far (and I’m including our editor here, too), then congratulations. We hope you’ll enjoy Windows 11.