When attempting to install or upgrade to Windows 11, many users encounter a frustrating error message stating, “This PC must support Secure Boot.” This message halts the installation process and leaves users confused about why their seemingly capable hardware fails to meet Microsoft’s requirements. The error is not merely a suggestion—it is a hard requirement enforced by Microsoft’s strict compatibility checklist for Windows 11. Unlike Windows 10, which allowed more flexibility in hardware configurations, Windows 11 mandates specific security and firmware features to enhance system integrity and protect against modern threats.
Secure Boot is a security standard developed by members of the PC industry to help ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs) and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. If the signatures are invalid or missing, the firmware halts the boot process.

The “This PC must support Secure Boot” error typically arises not because the hardware lacks Secure Boot capability entirely, but because it is either disabled in the system firmware (UEFI/BIOS) or the system is still operating in legacy BIOS mode instead of UEFI mode. In rare cases, older motherboards may genuinely lack UEFI firmware altogether, making them fundamentally incompatible with Windows 11’s Secure Boot requirement.
This comprehensive guide will walk you through diagnosing the root cause of this error and implementing practical, step-by-step solutions tailored to your specific hardware configuration. Whether you are a casual user or a seasoned technician, the methods outlined here will empower you to resolve this issue efficiently and securely.
What Is Secure Boot and Why Does Windows 11 Require It?
Secure Boot is a feature of the Unified Extensible Firmware Interface (UEFI) specification that ensures only authenticated software runs during the system boot process. It acts as a gatekeeper, verifying the digital signatures of bootloaders, operating system kernels, and other critical firmware components before allowing them to execute. This mechanism prevents malware, such as rootkits, from tampering with the boot sequence and gaining persistent, low-level access to the system.
Microsoft introduced Secure Boot as an optional feature with Windows 8 but made it a mandatory requirement for Windows 11 to elevate the baseline security posture of modern PCs. The rationale is straightforward: if malicious code cannot load before the operating system, it becomes significantly harder for attackers to compromise the system at its most vulnerable stage—the boot process. Secure Boot works in conjunction with other Windows 11 security features like Trusted Platform Module (TPM) 2.0, Virtualization-Based Security (VBS), and Hypervisor-Protected Code Integrity (HVCI) to create a layered defense model.
Without Secure Boot, Windows 11 cannot guarantee the integrity of its boot environment, which undermines the entire security architecture Microsoft has built into the OS. Consequently, the installer actively checks for Secure Boot support and will refuse to proceed if it is not enabled or not available. This is not a bug or a misconfiguration—it is a deliberate design choice to enforce a minimum security standard across all Windows 11 installations.
It is important to note that Secure Boot does not prevent you from installing non-Microsoft operating systems. Linux distributions such as Ubuntu, Fedora, and openSUSE have supported Secure Boot for years by using Microsoft-signed bootloaders or by allowing users to enroll their own keys. However, dual-boot configurations may require additional configuration steps to ensure compatibility.
Checking Your Current Secure Boot Status
Before attempting any fixes, you must first determine whether your PC actually supports Secure Boot and whether it is currently enabled. This diagnostic step is crucial because applying incorrect solutions—such as trying to enable a feature that doesn’t exist—can lead to unnecessary frustration or even system instability.
The easiest way to check your Secure Boot status in Windows 10 (or an existing Windows 11 installation) is through the System Information tool. Press Windows + R, type msinfo32, and press Enter. In the System Summary pane, look for the entry labeled Secure Boot State. If it reads On, Secure Boot is active. If it says Off, it is supported but disabled. If the entry is missing entirely or displays Not Supported, your system likely lacks UEFI firmware or has it disabled in favor of legacy BIOS mode.
Alternatively, you can use PowerShell to verify Secure Boot status. Open PowerShell as an administrator and run the following command:
```powershell
Confirm-SecureBootUEFI
```
If the command returns True, Secure Boot is enabled. If it returns False, it is either disabled or not supported. If you receive an error message stating that the cmdlet is not supported, your system is probably running in legacy BIOS mode.
For users who cannot boot into Windows—such as those attempting a clean install from a USB drive—the only reliable method is to enter the UEFI/BIOS setup utility during system startup. This is typically done by pressing a key like F2, F10, Del, or Esc immediately after powering on the computer (the exact key varies by manufacturer). Once inside the firmware interface, navigate to sections labeled Boot, Security, or Authentication to locate Secure Boot settings.
Understanding UEFI vs. Legacy BIOS
A fundamental concept in resolving the Secure Boot error is understanding the difference between UEFI (Unified Extensible Firmware Interface) and legacy BIOS (Basic Input/Output System). Legacy BIOS is an older firmware interface that has been used since the early days of personal computing. It initializes hardware and loads the operating system using a simple, 16-bit process with limited capabilities and no built-in security features.
UEFI, on the other hand, is a modern replacement for BIOS that supports larger hard drives, faster boot times, and—critically—Secure Boot. UEFI firmware operates in 32-bit or 64-bit mode, provides a graphical interface, and includes a pre-boot environment capable of running applications and drivers. Most importantly, UEFI is required for Secure Boot to function.
If your system is configured to use legacy BIOS mode (sometimes called CSM—Compatibility Support Module), Secure Boot will be unavailable, even if your motherboard technically supports UEFI. This is a common scenario on older systems where the firmware defaults to legacy mode for backward compatibility with older operating systems like Windows 7.
To check your current boot mode, you can again use the msinfo32 tool. Look for the BIOS Mode entry. If it says Legacy, your system is using BIOS. If it says UEFI, you are in the correct mode. Switching from legacy to UEFI mode is often necessary to enable Secure Boot, but it requires careful preparation to avoid boot failures.
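The Secure Boot State and BIOS Mode checks described above can be combined into one elevated PowerShell function that tells the three cases apart (enabled, disabled, unavailable). This is an added example, not part of the original article; the function name `Get-SecureBootReadiness` and its output fields are hypothetical.

```powershell
# Added example: classify the machine into the cases the article describes.
# Run from an elevated PowerShell session on the machine being checked.
function Get-SecureBootReadiness {
    [CmdletBinding()]
    param()

    # BiosFirmwareType corresponds to the "BIOS Mode" entry in msinfo32.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    $state = 'Unknown'
    try {
        # Returns $true or $false on UEFI firmware that implements Secure Boot.
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { $state = 'Enabled' }
        else { $state = 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        # "Cmdlet not supported on this platform": legacy BIOS/CSM boot,
        # or firmware that has no Secure Boot at all.
        $state = 'NotAvailable'
    }
    catch [System.UnauthorizedAccessException] {
        # The session is not elevated, so the firmware variable cannot be read.
        $state = 'NeedsElevation'
    }
    catch {
        # Anything else is reported as-is and leaves the state 'Unknown'.
        Write-Warning $_.Exception.Message
    }

    $nextStep = switch ($state) {
        'Enabled'        { 'Nothing to change.' }
        'Disabled'       { 'Enable Secure Boot in the UEFI setup utility.' }
        'NeedsElevation' { 'Re-run from an administrator PowerShell session.' }
        default {
            if ("$firmware" -eq 'Uefi') {
                'Booted in UEFI mode but Secure Boot is not exposed; check for a firmware update.'
            } else {
                'Booted in legacy mode; convert the disk to GPT and switch the firmware to UEFI first.'
            }
        }
    }

    [pscustomobject]@{
        FirmwareMode    = "$firmware"
        SecureBootState = $state
        NextStep        = $nextStep
    }
}

Get-SecureBootReadiness | Format-List
```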
Step-by-Step: Enabling Secure Boot in UEFI/BIOS
If your system supports UEFI but Secure Boot is disabled, enabling it is usually straightforward. However, the exact steps vary depending on your motherboard manufacturer (e.g., ASUS, Gigabyte, MSI, Dell, HP, Lenovo). The following general procedure applies to most modern systems:
- Restart your computer and immediately begin pressing the key to enter the UEFI/BIOS setup (commonly F2, Del, or Esc).
- Once in the firmware interface, look for a tab or menu labeled Boot, Security, or Authentication.
- Locate the Secure Boot option. It may be listed as Secure Boot Control, Windows UEFI Mode, or similar.
- Change the setting from Disabled to Enabled.
- Some systems require you to set a Secure Boot Mode—choose Standard or Windows UEFI Mode (avoid Custom unless you are managing your own keys).
- Save changes and exit (usually F10).
On some motherboards, particularly from ASUS or Gigabyte, you may need to first enable Fast Boot or ensure that CSM (Compatibility Support Module) is disabled before Secure Boot becomes available. CSM allows UEFI systems to emulate legacy BIOS behavior, but it conflicts with Secure Boot. Disabling CSM is essential for full UEFI functionality.
After enabling Secure Boot, reboot into Windows and verify the change using msinfo32 or the PowerShell command mentioned earlier. If the system fails to boot, you may need to reset the UEFI settings or temporarily re-enable CSM to troubleshoot.
Converting from Legacy BIOS to UEFI Mode
If your system is currently running in legacy BIOS mode, you cannot simply enable Secure Boot—you must first convert the disk partitioning scheme from MBR (Master Boot Record) to GPT (GUID Partition Table), as UEFI requires GPT for booting. Attempting to switch to UEFI mode without converting the disk will result in a “No bootable device” error.
Windows provides a built-in tool called MBR2GPT that can automate this conversion without data loss, provided certain conditions are met. The disk must not have more than three primary partitions, and the system must be running Windows 10 version 1703 or later. Here’s how to use it:
- Open Command Prompt as an administrator.
- Run the following command to validate the disk for conversion:
  ```
  mbr2gpt /validate /allowFullOS
  ```
- If validation passes, run the conversion command:
  ```
  mbr2gpt /convert /allowFullOS
  ```
- After conversion, restart the computer and enter the UEFI/BIOS setup.
- Change the boot mode from Legacy or CSM to UEFI.
- Save and exit.
Important: Always back up your data before performing this conversion. While MBR2GPT is reliable, unexpected power loss or disk errors could lead to data corruption.
For users installing Windows 11 from scratch (not upgrading), the process is simpler: delete all partitions on the target drive during installation, and Windows Setup will automatically create a GPT layout when booted in UEFI mode.
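Before running the conversion, the conditions named above (MBR disk, no more than three partitions, Windows 10 version 1703 or later) can be checked read-only, followed by the article's `/validate` call. This is an added example, not part of the original article; the function name `Test-Mbr2GptPreflight` and its output fields are hypothetical, and it assumes an elevated session.

```powershell
# Added example: read-only checks to run before mbr2gpt /convert.
function Test-Mbr2GptPreflight {
    [CmdletBinding()]
    param()

    # Locate the disk that holds the running Windows installation.
    $letter = $env:SystemDrive.Substring(0, 1)
    $disk   = Get-Disk -Number (Get-Partition -DriveLetter $letter).DiskNumber
    $parts  = @(Get-Partition -DiskNumber $disk.Number)
    $build  = [Environment]::OSVersion.Version.Build

    $problems = @()
    if ("$($disk.PartitionStyle)" -ne 'MBR') {
        $problems += "Disk $($disk.Number) is $($disk.PartitionStyle), not MBR."
    }
    # Conservative: counts every partition Get-Partition reports on the disk.
    if ($parts.Count -gt 3) {
        $problems += "Disk has $($parts.Count) partitions; the limit is three primary partitions."
    }
    # Windows 10 version 1703 is build 15063.
    if ($build -lt 15063) {
        $problems += "OS build $build is older than Windows 10 version 1703."
    }

    $validateExit = $null
    if ($problems.Count -eq 0) {
        # /validate only inspects the layout; it does not modify the disk.
        & mbr2gpt.exe /validate /allowFullOS | Out-Null
        $validateExit = $LASTEXITCODE
        if ($validateExit -ne 0) {
            $problems += "mbr2gpt /validate failed with exit code $validateExit."
        }
    }

    [pscustomobject]@{
        DiskNumber       = $disk.Number
        PartitionStyle   = "$($disk.PartitionStyle)"
        PartitionCount   = $parts.Count
        OSBuild          = $build
        ValidateExitCode = $validateExit
        ReadyToConvert   = ($problems.Count -eq 0)
        Problems         = $problems
    }
}

Test-Mbr2GptPreflight | Format-List
```

Run `mbr2gpt /convert /allowFullOS` only when `ReadyToConvert` is `True` and a backup exists.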
Verifying TPM 2.0 Compatibility
While this article focuses on Secure Boot, it’s worth noting that Windows 11 also requires TPM 2.0 (Trusted Platform Module). Many users fix Secure Boot only to encounter a TPM error next. TPM is a hardware-based security chip that stores cryptographic keys and enables features like BitLocker and Windows Hello.
To check TPM status, press Windows + R, type tpm.msc, and press Enter. The TPM Manufacturer Information section will show the specification version. If it reads 2.0, you’re compliant. If it shows 1.2 or is missing, your system may not meet Windows 11 requirements.
On most modern motherboards (Intel 8th Gen or AMD Ryzen 2000 series and newer), TPM 2.0 is integrated as PTT (Platform Trust Technology) or fTPM (firmware TPM) and can be enabled in UEFI/BIOS under Security or Advanced settings. Older systems may lack TPM 2.0 entirely, making them ineligible for official Windows 11 support.
Common Motherboard-Specific Secure Boot Settings
Different manufacturers implement UEFI interfaces with unique layouts and terminology. Below is a quick reference guide for enabling Secure Boot on popular brands:
Manufacturer | UEFI Access Key | Secure Boot Location | Notes |
---|---|---|---|
ASUS | F2 or Del | Boot → Secure Boot → OS Type → Windows UEFI Mode | Disable CSM first under Boot menu |
Gigabyte | F2 or Del | Settings → Security → Secure Boot → Enabled | Set Secure Boot Mode to Standard |
MSI | Del | Settings → Advanced → Secure Boot → Enabled | May require clearing Secure Boot keys first |
Dell | F2 | Boot Settings → Secure Boot → Enabled | May need to set Admin Password first |
HP | Esc → F10 | Security → Secure Boot Configuration → Enable | Disable Legacy Support in Boot Options |
Lenovo | F1 or F2 | Security → Secure Boot → Enabled | May require updating BIOS to latest version |
Always consult your motherboard or laptop manual for precise instructions, as firmware updates can change menu structures.
When Your Hardware Truly Lacks Secure Boot Support
Not all PCs can be upgraded to meet Windows 11 requirements. Systems with Intel 6th Gen (Skylake) or older CPUs, or AMD FX-series processors, often lack UEFI firmware with Secure Boot capability. Similarly, budget motherboards from the early 2010s may only support legacy BIOS.
In such cases, your options are limited:
- Continue using Windows 10 until its end-of-life in 2025.
- Upgrade your motherboard and CPU to a modern platform that supports UEFI, Secure Boot, and TPM 2.0.
- Use a lightweight Linux distribution that doesn’t require Secure Boot, though this sacrifices Windows software compatibility.
Attempting to force Windows 11 onto incompatible hardware is not a sustainable solution and may lead to performance issues, instability, or security vulnerabilities.
The Role of Firmware Updates in Enabling Secure Boot
One often-overlooked solution is updating your system’s UEFI/BIOS firmware. Manufacturers frequently release updates that add or improve Secure Boot support, especially for systems released around the Windows 8/10 transition period. For example, some 2015–2017 laptops shipped with UEFI but had Secure Boot disabled by default or required a firmware update to activate it properly.
To update your BIOS:
- Identify your exact motherboard or laptop model.
- Visit the manufacturer’s support website.
- Download the latest BIOS version and follow their installation instructions carefully.
- Never interrupt a BIOS update, as this can brick your system.
After updating, re-enter the UEFI setup and check if Secure Boot options are now available or functioning correctly.
Secure Boot and Dual-Boot Configurations
If you run a dual-boot system with Windows and Linux, enabling Secure Boot may prevent Linux from booting unless it uses a signed bootloader. Most major distributions (Ubuntu, Fedora, openSUSE) include shim, a Microsoft-signed bootloader that loads the distribution’s own signed GRUB. However, custom kernels or unsigned drivers may still fail.
To maintain dual-boot functionality with Secure Boot enabled:
- Use a distribution that officially supports Secure Boot.
- Avoid manual GRUB installations; let the installer handle bootloader setup.
- If necessary, enroll your own Machine Owner Key (MOK) using MokManager, but this requires technical expertise.
Disabling Secure Boot for Linux convenience is not recommended, as it compromises Windows security. Instead, configure both operating systems to comply with Secure Boot standards.
Myths and Misconceptions About Secure Boot
Several myths surround Secure Boot that can lead users to make poor decisions:
- “Secure Boot locks you into Windows”: False. Secure Boot supports any OS with a properly signed bootloader.
- “Enabling Secure Boot slows down boot time”: Negligible impact; signature verification adds milliseconds.
- “I can’t install Windows 11 without Secure Boot if I edit the registry”: While possible, it violates Microsoft’s license terms and voids support.
- “All motherboards from 2015 onward support Secure Boot”: Not true—some budget or OEM boards omitted it.
Understanding these facts helps users make informed choices rather than resorting to risky workarounds.
Best Practices for Secure Boot Configuration
Once Secure Boot is enabled, follow these best practices:
- Keep UEFI firmware updated to patch security vulnerabilities.
- Avoid disabling Secure Boot unless absolutely necessary for troubleshooting.
- Use Microsoft-signed drivers to ensure compatibility.
- Monitor boot integrity using Windows Security’s Core Isolation features.
Secure Boot is not a one-time setup—it’s part of an ongoing security strategy.
Conclusion: A Secure Foundation for Windows 11
The “This PC must support Secure Boot” error is not an arbitrary barrier but a critical checkpoint ensuring your system meets modern security standards. By understanding UEFI, verifying your hardware capabilities, and methodically enabling Secure Boot through your firmware interface, you can resolve this issue while maintaining a secure and stable Windows 11 environment.
While workarounds exist, they compromise the very security model Windows 11 is designed to enforce. Instead, embrace Secure Boot as a foundational element of your PC’s defense against evolving cyber threats. With the steps outlined in this guide, you now have the knowledge and tools to confidently address this error and enjoy a fully compliant, secure Windows 11 experience.