Secure Boot support on a custom-made PC with Windows 10 Pro

Question

As part of my Windows 11 upgrade activities, MS says my PC does not support Secure Boot. Something also confirmed by msinfo32.exe: msinfo32 snapshot

Strangely enough, when I entered BIOS it states Secure Boot state: “Enabled”: BIOS Secure Boot Menu snapshot

I thus assumed other BIOS settings are also required to be set.

I then tried several combinations values of both this Secure Boot menu (by changing OS Type: “Other OS” to “Windows UEFI mode”) and in CSM menu: BIOS CSM Menu snapshot

But my Windows stopped booting whenever I changed CSM\Launch CSM to either “Disabled” (no matter the Secure Boot\OS Type value) or “Auto” when Secure Boot\OS Type = “Windows UEFI mode”. All other combinations didn’t seem to make any difference for Secure Boot purposes.


I didn’t mess around with Secure Boot\Key Management (should I?...): BIOS Secure Boot Key Management snapshot


Digging further, I found a SuperUser posting stating:

If OS was installed under CSM, it thinks this machine is not UEFI compatible and installs in legacy mode. If you switch to UEFI it won't boot because this is not UEFI loader expects to see. If system was installed under UEFI, it detects that and configures BIOS so it wouldn't boot if you switch to CSM afterwards, because this is not legacy BIOS loader expects to see. It is possible to configure a system to boot either way, but it's not very easy and I don't know how to do this in Windows.

As I have a custom-made machine, in which I installed Windows 10 with mostly BIOS defaults, I now suspect that my Windows was installed under CSM.


So, is there an easy way (say, by tweaking BIOS) to support Secure Boot, without requiring Windows 10 reinstallation?

EDIT:

---

Windows 10 Pro, 64-bit (21H1)
M/B Asus Prime Z370-P
RAM: 16GB
Intel i7 8700
GPU on board (Intel 630)
Broadcom 802.11ac PCIe
Sound Blaster X-Fi Xtreme Audio PCIe

Answer 1

CSM Mode should never be enabled for an OS, as its sole purpose was to support distros that didn't yet support EFI boot circa <2017 (Windows ≥7 supports EFI boot); CSM Mode emulates BIOS' 16bit architecture within a 32bit environment and doing so will cause performance degradation (boot times increase by 400%+, GPT can't be used, etc.)

• The only reason to enable CSM Mode is when needing to access a legacy OP[tion] ROM, and once done in the OP ROM, CSM Mode should be re-disabled
  
  

To resolve:

1. Windows 10 installation media → install on another PC → Save ISO
2. Create bootable USB with Rufus → Reboot → Disable CSM Mode in the UEFI firmware
3. Boot Windows install USB → When GUI loads, open terminal via Shift+F10
4. Use mbr2gpt to convert partition table to GPT:
   1. Ascertain OS disk #: DiskPart → lis disk → exit

   2. mbr2gpt /convert /disk:#
      

      
      
5. Create required UEFI-boot partitions on the OS HDD via DiskPart:
   1. DiskPart → lis disk → sel dis # → Verify it's the OS disk: lis par
   2. Delete old boot partition: sel par # → Verify: det par → del par override
   3. Determine disk layout: lis par (optimal partition layout: WinRE, EFI, MSR, OS)
   4. Add requisite UEFI partitions:
      1. WinRE:
         Select OS partition: sel par 1 → Verify it's the OS partition: det par

         Shrink Desired=665 minimum=650
         Cre Par Pri Size=665 Id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
         Format Quick Fs=NTFS Label=WinRE
         Gpt Attributes=0x8000000000000001
         

      2. EFI and MSR:
         Select OS partition: sel par 2 → Verify it's the OS partition: det par

         Shrink Desired=388 Minimum=388
         Cre Par EFI Size=100
         Format Quick Fs=FAT32 Label=EFI
         Assign Letter=Y
         Cre Par Msr Size=16
         

   5. Get OS partition drive letter: lis vol → exit
      ^{(C: is usually not the OS drive letter in WinPE/WinRE)}
      
      
6. Configure EFI boot:

   ::# Create EFI directories and enter:
       MkDir "Y:\EFI\Microsoft\Boot"
       Cd /d "Y:\EFI\Microsoft\Boot"
   
   ::# Create EFI boot structure:
       BootRec /Fixboot
   
       ::# If Access Denied error occurs (C: is OS partition):
           BcdBoot C:\Windows /s C: /f UEFI
   
   ::# Resolve any other boot issues:
       BootRec /FixMBR && BootRec /RebuildBCD
   

   Remove EFI mountpoint: DiskPart → Sel Vol Y → Remove → Exit
   
   
7. Reboot via wpeutil reboot, then configure WinRE once booted back to Windows:
   1. Open an Admin Terminal: +R → Open: powershell → CTRL+SHIFT+OK
   2. Mount WinRE partition via DiskPart:
      lis vol → sel vol # → Verify: det par → Assign Letter=Z → Exit
   3. Extract WinRE.wim from the Windows install USB's sources\install.wim||.esd:

      # Get list of images [indexes] within the ESD/WIM:
        Dism /Get-ImageInfo /ImageFile:"E:\sources\install.wim"
      
      # Mount install.wim||.esd (usually index 1: Home | 6: Pro):
        MkDir "C:\Mount" ; Dism /Mount-Image /ImageFile:"E:\sources\install.wim" /Index:1 /MountDir:"C:\Mount" /ReadOnly
      
      # Copy WinRE.wim:
        Xcopy "C:\Mount\Windows\System32\Recovery\WindowsRE\WinRE.wim" "C:"
        # If hidden file: Xcopy /H
      
      # Unmount image, discard changes:
        Dism /Unmount-Image /MountDir:"C:\Mount" /Discard
      

   4. # Copy WinRE.wim:
        MkDir "Z:\Recovery\WindowsRE" ; Xcopy "C:\WinRE.wim" "Z:\Recovery\WindowsRE"
      
      # Disable WinRE:
        ReAgentC /Disable
      
      # Set Custom WinRE Path:
        ReAgentC /SetREimage /Path "Z:\Recovery\WindowsRE"
      
      # Enable WinRE and verify:
        ReAgentC /Enable ; ReAgentC /Info
      
      # Cleanup:
        Del "C:\WinRE.wim" ; RmDir "C:\Mount"
      

   5. Remove WinRE mount point: DiskPart → sel vol z → remove → exit