Secure boot

meaks89 · Saturday at 21:17

Hi,

Trying to update windows 10 to 11 and PC health checker says PC must support secure boost.

Asus b450 f gaming Rogers strix motherboard.

I have gone into bios, turned csm off. Restart - straight back to bios, I have selected uefi boot device control only. And takes me back to bios after restart.

Not clued up on any of this but any simple guidance anyone can give would be appreciated, thanks

RavenLunatic · Saturday at 21:34

My understanding is Windows 11 requires the motherboard to support Secure Boot feature but you don't have to enable it to install.

If you do turn on Secure Boot be aware Windows will automatically start encrypting your disks with BitLocker. This can be turned off in settings if/when you boot into Windows.

Tetras · Saturday at 21:56

meaks89 said:
I have gone into bios, turned csm off. Restart - straight back to bios, I have selected uefi boot device control only. And takes me back to bios after restart.

What is the problem exactly? That once CSM is off you can't boot into Windows? If so, you probably don't have your boot drive formatted using GPT. Drives formatted to MBR are not bootable with secure boot enabled and CSM off.

meaks89 · Saturday at 22:02

Im Just trying to update from windows 10 to 11. I'm at a loss to how to do this

hornetstinger · Saturday at 22:04

Do fresh install or windows 11 use debloated and restricted image that doesn't require tpm or secure boot

Tetras · Saturday at 22:25

meaks89 said:
I'm at a loss to how to do this

Can you explain where you're getting stuck in this process?

I don't understand from your post what the problem you're having is.

Going straight back to BIOS, is sometimes not even a problem, as such, you just have to select the boot device again.

But, I don't know if you're telling us that going into the BIOS is the problem you're having here, or not?

If it is (with CSM disabled) returning to the BIOS and skipping your boot drive, then the most likely reason is the drive being formatted to MBR. You will need to check that once in Windows.

meaks89 · Saturday at 22:27

How do I check once in windows as I think thats probably the issue.

In bios the secure boot says enabled but its greyed out.

Orcvader · Saturday at 22:47

Which BIOS version are you on? 4502 onwards turns on the settings required for W11: https://rog.asus.com/uk/motherboards/rog-strix/rog-strix-b450-f-gaming-model/helpdesk_bios/

meaks89 · Saturday at 22:50

Tetras · Saturday at 23:02

meaks89 said:
How do I check once in windows as I think thats probably the issue.

You can use disk management in Windows (part of Windows, not an app). Easier if you google it, but you need to find "Disk 0" near the bottom, right click and select properties and then under volume tab it should say partition style.

Or: diskpart (open command prompt as admin, type > diskpart > type list disk, if they don't have GPT * then they're MBR.

RavenLunatic · 2026-02-22T02:23:49+0000

meaks89 said:
How do I check once in windows as I think thats probably the issue.

In bios the secure boot says enabled but its greyed out.

Is there a button on the Secure Boot menu page in the BIOS that says something like Load Default Keys?

From AI "If Windows was installed in Legacy (BIOS) mode, the firmware has nothing to boot after you turn CSM off, so it simply returns to the setup screen every time." That could be a problem, you will need to lookup how to convert Windows to UEFI. But you need to fix the Secure Boot first.

andshrew · 2026-02-22T09:58:56+0000

RavenLunatic said:
If you do turn on Secure Boot be aware Windows will automatically start encrypting your disks with BitLocker. This can be turned off in settings if/when you boot into Windows.

Secure Boot is about only allowing the system to boot into OS's which have had their bootloaders signed, it's got nothing to do with BitLocker.

BitLocker needs the TPM to be enabled. Personally I've not heard of it automatically encrypting an existing system if you enable the TPM after the OS was installed. It might automatically encrypt a brand new installation if you sign in to a Microsoft Account as part of the setup process. It certainly never automatically encrypts if you're not using a Microsoft Account.

RavenLunatic · 2026-02-22T11:15:59+0000

andshrew said:
Secure Boot is about only allowing the system to boot into OS's which have had their bootloaders signed, it's got nothing to do with BitLocker.

BitLocker needs the TPM to be enabled. Personally I've not heard of it automatically encrypting an existing system if you enable the TPM after the OS was installed. It might automatically encrypt a brand new installation if you sign in to a Microsoft Account as part of the setup process. It certainly never automatically encrypts if you're not using a Microsoft Account.

I did this last week on one of my PC's, disabling CSM and enabled Secure Boot. It then unknown to me turned on BitLocker encrypting my Windows OS partition and a connected SSD storage Partition. I only found out when I booted my Ubuntu OS and the Windows Partitions where marked encrypted. Booting into Windows confirmed it. I wasn't expecting that as you say Secure Boot and Bitlocker are meant to be different things, but it happened.

Twinz · 2026-02-22T12:22:31+0000

If your W10 OS was installed on a drive formatted for MBR, turning off CSM wil switch the BIOS over to UEFI-only and make that drive "dissappear" as a boot option.
*edit* I see this was already posted...

meaks89 · 2026-02-22T12:55:05+0000

Im at a loss, not really sure what im doing, think ill just get it on a usb and install it

gpuerrilla · 2026-02-22T13:00:45+0000

I did this a while back and did it online (the live method). There should be guides covering this but this is something you can base it on. If you have stuff backed up or are not bothered then its an option over starting fresh.