Understanding Secure Boot
Secure Boot is a UEFI firmware feature designed to prevent unverified or unsigned boot-level software, such as rootkits and cheat loaders, from running before Windows starts. This ensures that startup-level malware cannot bypass detection. Akros requires Secure Boot for all Windows 10 and 11 users.
If Secure Boot is disabled, the client will display an error until it is enabled in your BIOS/UEFI.
⚠️ Modifying BIOS/UEFI settings can result in boot issues if done incorrectly. Always back up your system drive before making changes or converting partitions.
1) Verify Current Settings
- Press the Windows key, type msinfo32, and press Enter.
-
Confirm the following:
- BIOS Mode should read UEFI
- Secure Boot State should be On
- If BIOS Mode shows Legacy or Secure Boot State shows Off, Disabled, or Unsupported, continue with the steps below.
2) Preparation Before Making Changes
- Back up your system drive completely.
- Open Disk Management → right-click your OS drive → Properties → Volumes.
- If the Partition Style is MBR, it must be converted to GPT before Secure Boot will work.
- Ensure you can access the BIOS/UEFI on your motherboard or OEM system.
- Update your BIOS/UEFI to the latest version provided by the manufacturer.
3) Converting MBR to GPT
Use Microsoft’s MBR2GPT.EXE tool from an elevated Command Prompt.
-
Validate your disk first:
mbr2gpt /validate /disk:0
-
Convert the disk (running in WinPE is recommended):
mbr2gpt /convert /disk:0
-
If running from full Windows, add the flag:
/allowFullOS
- Make sure you are converting the correct disk.
- If validation fails, do not continue. Fix the layout or back up and reinstall.
- Once converted, Windows will support UEFI boot mode.
4) Configuring BIOS/UEFI
- Enter the BIOS/UEFI (common keys: DEL, F2, F10, F12, Esc depending on the motherboard).
-
In BIOS:
- Set Boot Mode to UEFI
- Disable Legacy, Legacy+UEFI, or CSM (Secure Boot may remain hidden until CSM is off)
-
Navigate to Security, Boot, or Authentication menus:
- Set Secure Boot Mode to Standard, Windows UEFI Mode, or similar
- Enable Secure Boot
- Save and reboot.
-
Check msinfo32 in Windows:
- BIOS Mode should now be UEFI
- Secure Boot State should be On
5) Notes by Vendor
-
ASUS:
- Secure Boot located under Boot → Secure Boot
- Set OS Type to Windows UEFI Mode
- Disable CSM
-
Gigabyte:
- Disable CSM first to reveal Secure Boot menu
- Set Secure Boot Mode to Standard and enable Secure Boot
-
MSI:
- Disable CSM/Legacy settings
- If prompted for key enrollment, select Install Factory Defaults or Load Default Keys
-
Dell / HP / Lenovo (OEM systems):
- Secure Boot is usually under Security or Boot
- Enable Secure Boot and ensure boot mode is set to UEFI only
- Some systems require Restore Factory Keys before activation
6) Troubleshooting
-
Secure Boot enabled but msinfo32 shows Off:
- Windows is still booting in Legacy/CSM mode
- Disk may still be MBR or UEFI boot entries are missing
- Use MBR2GPT to convert disk and disable CSM
-
Secure Boot shows “Unsupported”:
- Firmware