pc must support secure boot

That message usually means Windows (or the PC Health Check / compatibility tool) isn’t just looking for “Secure Boot: Enabled” in firmware, but for full UEFI + Secure Boot capability with the right configuration, and sometimes the right boot mode on the drive.

What “PC must support Secure Boot” really means

  • The system must be running in UEFI mode, not Legacy/CSM, and the firmware has to support Secure Boot even if it isn’t enabled yet.
  • For Windows 11 specifically, Microsoft requires UEFI firmware, Secure Boot capability, and TPM 2.0 for official support.
  • Tools like PC Health Check can still complain if:
    • The system disk uses the MBR partition style instead of GPT.
    • The machine is booting in Legacy/CSM mode even though Secure Boot is “Enabled” in the menu.
    • The motherboard only supports “Secure Boot” in name but does not fully meet Windows’ expectations.

Why your UEFI says “Secure Boot: Enabled” but Windows disagrees

Common reasons this mismatch happens:

  • Boot mode conflict
    • UEFI is set to allow Legacy/CSM boot as well as UEFI.
    • If Windows was installed while CSM/Legacy was enabled, it may be using an MBR boot setup that is technically incompatible with Secure Boot, even if the firmware toggle says “Enabled”.
  • Drive partition style (MBR vs GPT)
    • Secure Boot expects a UEFI + GPT installation.
    • If your system disk is MBR, the OS still boots, but Secure Boot cannot fully protect or validate the boot chain, and compatibility tools will often report that the PC “must support Secure Boot” even when the toggle is on.
  • Firmware implementation quirks
    • Some older boards have a Secure Boot option that does not behave exactly like modern Windows expects, so detection scripts return “not supported”.
    • In device‑management/compliance tools, this often shows up as “Cmdlet not supported on this platform” or similar when scripts query Secure Boot state.

How to check if your PC truly supports Secure Boot

On Windows 10/11 you can do several checks:

  1. Use the built‑in System Information tool
    • Press Win+R → type msinfo32 → Enter.
    • Look at:
      • BIOS Mode: should say UEFI, not Legacy.
      • Secure Boot State:
        • On → Secure Boot is active.
        • Off → supported but disabled.
        • Not Supported → firmware doesn’t truly support Secure Boot (or Windows cannot detect it correctly).
  2. Check disk partition style
    • Right‑click Start → Disk Management → right‑click your OS disk → Properties → Volumes.
    • Partition style should be GUID Partition Table (GPT) for a proper UEFI + Secure Boot installation.
    • If it shows MBR, your current installation is not in the ideal Secure Boot configuration.
  3. Check firmware (UEFI) settings carefully
    • Reboot and enter firmware setup (often Del, F2, F10, or Esc).
    • Confirm:
      • Boot mode is UEFI only (disable CSM / Legacy if possible).
      • Secure Boot is Enabled, usually in a “Standard” or “Windows” mode rather than “Custom”.
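
The same checks can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original page; the function name `Get-SecureBootReadiness` is hypothetical, and the findings it prints mirror the states described above.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the msinfo32 and Disk Management checks.
function Get-SecureBootReadiness {
    # "BIOS Mode" in msinfo32: Uefi, or Bios when booted through Legacy/CSM.
    $biosMode = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # "Secure Boot State" in msinfo32. Confirm-SecureBootUEFI returns $true/$false and
    # throws "Cmdlet not supported on this platform" when Windows was not booted via
    # UEFI or the firmware has no Secure Boot support.
    try {
        $state = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch [System.PlatformNotSupportedException] {
        $state = 'Not Supported'
    } catch {
        $state = "Unknown: $($_.Exception.Message)"
    }

    # Partition style of the disk(s) holding the boot and system partitions.
    $disks    = Get-Disk | Where-Object { $_.IsBoot -or $_.IsSystem }
    $mbrDisks = @($disks | Where-Object PartitionStyle -eq 'MBR')

    $findings = @()
    if ("$biosMode" -ne 'Uefi') { $findings += 'Booted in Legacy/CSM mode: set firmware to UEFI only.' }
    if ($mbrDisks.Count -gt 0)  { $findings += "Disk $($mbrDisks.Number -join ',') is MBR: convert to GPT." }
    if ($state -eq 'Off')       { $findings += 'Secure Boot is supported but disabled: enable it in firmware.' }
    if ($state -eq 'Not Supported' -and "$biosMode" -eq 'Uefi') {
        $findings += 'UEFI boot without Secure Boot support: check the Secure Boot option in firmware setup.'
    }

    [pscustomobject]@{
        BiosMode        = "$biosMode"
        SecureBootState = $state
        SystemDisks     = ($disks | ForEach-Object { "Disk $($_.Number): $($_.PartitionStyle)" }) -join '; '
        Findings        = $findings
    }
}

Get-SecureBootReadiness | Format-List
```

An empty `Findings` list with `SecureBootState` of `On` corresponds to the configuration the compatibility tools expect.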

Fixing “This PC must support Secure Boot”

If tools still complain even though Secure Boot is enabled in firmware, the usual path is:

  1. Ensure UEFI‑only boot
    • In firmware, set boot mode to UEFI only.
    • Disable CSM/Legacy support if you see that option.
  2. Convert the system disk from MBR to GPT (if needed)
    • If your OS disk is MBR and your firmware supports UEFI, Microsoft’s mbr2gpt tool can convert it in‑place on Windows 10/11 in many cases (with backup recommended).
    • After conversion, ensure that the boot entries in firmware point to the UEFI Windows Boot Manager.
  3. Re‑enable Secure Boot after any changes
    • Sometimes you must:
      • Set Secure Boot to Disabled, save and reboot.
      • Then set it to Enabled again (Standard/Windows mode) and reboot.
    • This refreshes the platform keys and can clear odd detection issues.
  4. As a last resort: clean UEFI/GPT reinstall
    • If the system was originally installed in Legacy mode, the most straightforward way to guarantee Secure Boot compatibility is:
      • Back up data.
      • Set firmware to UEFI only.
      • Boot Windows install media in UEFI mode.
      • Delete old partitions on the system drive and let the installer create new GPT partitions.
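
For step 2 above, `mbr2gpt` has a validate-only mode that checks whether the disk can be converted without writing to it. The pre-flight below is an added example, not part of the original page; `Test-Mbr2GptReady` is a hypothetical name, and it assumes Windows lives on the disk that `Get-Disk` flags as `IsBoot`.

```powershell
#Requires -RunAsAdministrator
# Added example: dry-run check before an in-place MBR to GPT conversion.
function Test-Mbr2GptReady {
    $disk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    if ($disk.PartitionStyle -ne 'MBR') {
        return "Disk $($disk.Number) is already $($disk.PartitionStyle); nothing to convert."
    }

    # /validate only checks the layout prerequisites and changes nothing on disk.
    # /allowFullOS is needed when running from full Windows instead of Windows PE.
    & mbr2gpt.exe /validate "/disk:$($disk.Number)" /allowFullOS | Out-Host
    if ($LASTEXITCODE -ne 0) {
        return "Validation failed (exit code $LASTEXITCODE); see setupact.log and setuperr.log in %windir%."
    }

    # The conversion itself is left as a deliberate manual step after a backup.
    "Disk $($disk.Number) passed validation. After a backup, run: " +
        "mbr2gpt /convert /disk:$($disk.Number) /allowFullOS"
}

Test-Mbr2GptReady
```

After a successful conversion the firmware still has to be switched to UEFI-only boot before Windows will start from the converted disk.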

Why Secure Boot is worth having

Even though some power users dislike being “forced” into Secure Boot, it does add real protections:

  • Blocks unsigned or tampered bootloaders and early‑boot malware, including many rootkits and bootkits that try to hide below the OS.
  • Helps maintain firmware and OS integrity, making it much harder for attackers to compromise the system at the earliest stages where detection is almost impossible.
  • Particularly valuable on devices that handle sensitive or business‑critical data, which is why enterprises and compliance tools often insist that “Secure Boot must be supported and enabled” for a device to be considered compliant.

If your PC truly does not support Secure Boot

If msinfo32 reports Secure Boot State: Not Supported and BIOS Mode: Legacy with no UEFI option in firmware:

  • The hardware is too old for Secure Boot, and:
    • Windows 11 may not be officially supported.
    • Some compliance or security baselines will always mark the device as non‑compliant.
  • In that case the only way to meet the “PC must support Secure Boot” requirement is newer hardware with proper UEFI + Secure Boot.

TL;DR: The message “PC must support Secure Boot” usually means your system needs true UEFI boot with a GPT disk and a fully supported Secure Boot implementation, not just a firmware toggle that says “Enabled.” Checking msinfo32, disk partition style, and UEFI settings will tell you whether a configuration change or a hardware upgrade is required.