Advice through experience in Office 365, Security, and Azure
Windows 11: Solution to “This PC Must Support Secure Boot”

Windows 11 is here! Well, as of this blog being published it is available in the Windows 10 Insider Preview Development Ring. I decided to download it onto a lab system to start checking it out and ran into a stop notification not long after I started the process. The Windows 11 Setup check displayed a notice, “This PC Must Support Secure Boot.” This blog documents a workaround for the issue I had on my system (you may have a different system with a different issue/solution).

To be clear, this is the notice displayed by Windows 11 Setup:

Caution: I do NOT recommend installing the Windows 11 Developer version on your production/primary system. Wait for a later, more stable release to be published.

So how do we set up the laptop I am using (and yours) to use Secure Boot? Let’s start with my current configuration, which is on a five-year-old laptop.

My System Details:

  • Lab Laptop: Lenovo Carbon X1 1st Generation
  • Windows Specifications:
    • Edition: Windows 10 Pro
    • Version: 21H1
    • OS Build: 19043.928
  • Device Specifications:
    • Processor: Intel® Core™ i7-3667U CPU @ 2.00GHz 2.50 GHz
    • RAM: 8.00 GB
    • System Type: 64-bit Operating System
  • Legacy BIOS is enabled, not Secure Boot

The key detail above is that Secure Boot is disabled. The Windows 11 Hardware Requirements list a number of security requirements, including that the system use UEFI and be Secure Boot capable (not Legacy BIOS). In my case, the system is capable of this but the feature is not enabled.

Caution: Use Both Solution Part One and Two Below

While most systems in use today meet the hardware requirements to upgrade to Windows 11 without issue, in this case you may think you only need to modify your BIOS settings to enable the Secure Boot capability. If you simply modify your system BIOS to use Secure Boot, you will likely lose access to your boot instructions on the next restart. I initially lost access on my lab system.

The Solution: Part One

There are several tools available that will allow you to quickly (and safely) modify your system to use the GUID Partition Table (GPT) instead of the Master Boot Record (MBR), which is the disk-side change needed to move from Legacy BIOS to UEFI. The MBR2GPT.exe tool from Microsoft automates the repartitioning of the hard disk for UEFI directly from the Windows 10 operating system. This is done without modifying or deleting any data that currently exists (this is the safe way of doing it).

The MBR2GPT tool is located in the Windows\System32 directory on a computer running Windows 10 version 1703 or later. BitLocker conversion is supported as long as BitLocker is suspended during the process. For more information or requirements about the MBR2GPT tool, see this link. Below are the step-by-step instructions I used to convert my lab laptop from MBR to GPT.

  1. Verify the MBR2GPT file exists on your current system:
    1. Open File Explorer and navigate to Windows\System32
    2. Locate MBR2GPT.exe
  2. Open a Command Prompt on the system as Administrator
  3. Navigate to the Windows\System32 folder if not already there
  4. First, run the tool in a non-edit mode that validates the partition can be converted: MBR2GPT.exe /validate /AllowFullOS
  5. Launch the conversion with the following switches: MBR2GPT.exe /convert /disk:0 /AllowFullOS

  • After a few minutes, the conversion will complete. Notice the last line of the command results:

“Before the new system can boot properly you need to switch firmware to boot to UEFI mode!”

This is where we move on to Part Two below to enable UEFI Secure Boot. This must be done at the next restart by entering the Legacy BIOS, where you will enable the UEFI Secure Boot mode.

The Solution: Part Two

Now that the conversion to GPT is complete, we can set up the system to use UEFI Secure Boot. As stated above, this must be done on the next reboot by entering the Legacy BIOS.

  1. Enter the BIOS area of your system by pressing F1 (on a Lenovo). Other systems can be accessed using the keys listed below:
    1. Dell: F2 or F12
    2. HP: ESC or F10
    3. Acer: F2 or Delete
    4. Asus: F2 or Delete
    5. MSI: Delete
    6. Toshiba: F2
    7. Samsung: F2
    8. Surface: Press and hold volume up button
  2. Locate the Secure Boot option on your system. (This is a Lenovo screen below, but this will vary by system.)
  3. Under Secure Boot, modify the option to be Enabled
  4. With this change made, exit the system using the Save Changes option. The system will now reboot successfully into Windows 10. During the beginning boot screen, you may even notice the manufacturer splash screen has been updated (it changed on my Lenovo system).
  5. The Windows 11 Upgrade will now work on your system, assuming it meets the other hardware requirements. Note that a PC Health Check App is being developed to see if systems meet the requirements to run Windows 11.
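
The following PowerShell script is an added example, not part of the original post: it reports firmware mode, partition style, Secure Boot state and BitLocker protection, and runs only the read-only MBR2GPT /validate step when the disk is still MBR. Run it from an elevated prompt before Part One and again after Part Two; the function name Get-BootSecurityState is hypothetical, and disk 0 being the system disk is an assumption taken from the /disk:0 switch above.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Disk 0 as the system disk is an
# assumption carried over from the /disk:0 switch used in Part One.
param([int]$DiskNumber = 0)

function Get-BootSecurityState {
    param([int]$DiskNumber)
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    $style    = (Get-Disk -Number $DiskNumber).PartitionStyle
    # Confirm-SecureBootUEFI throws on Legacy BIOS instead of returning $false.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }
    # BitLocker cmdlets are missing on some editions; report 'Off' in that case.
    $bitlocker = 'Off'
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($vol) { $bitlocker = "$($vol.ProtectionStatus)" }
    }
    [pscustomobject]@{
        Firmware            = "$firmware"
        PartitionStyle      = "$style"
        SecureBoot          = $secureBoot
        BitLockerProtection = $bitlocker
    }
}

$state = Get-BootSecurityState -DiskNumber $DiskNumber
$state | Format-List

if ($state.PartitionStyle -eq 'MBR') {
    if ($state.BitLockerProtection -eq 'On') {
        Write-Warning 'BitLocker protection is on; suspend it before converting.'
        return
    }
    # /validate is read-only: it checks the layout and changes nothing on disk.
    & "$env:SystemRoot\System32\MBR2GPT.exe" /validate "/disk:$DiskNumber" /allowFullOS
    if ($LASTEXITCODE -eq 0) {
        Write-Output 'Validation passed: the disk can be converted (Part One).'
    } else {
        Write-Warning "MBR2GPT validation failed with exit code $LASTEXITCODE."
    }
}
elseif (-not $state.SecureBoot) {
    Write-Warning 'Disk is GPT but Secure Boot is off: enable it in firmware (Part Two).'
}
else {
    Write-Output 'GPT disk, UEFI firmware and Secure Boot enabled: requirement met.'
}
```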

As of July 2, 2021: Upgrade to the New Windows 11 OS | Microsoft
