Secure boot problem

RIck51

Hi
I am attempting to upgrade to the latest version 25H2. Currently, I am running version 24H2. My issue is with secure boot. When the CSM is disabled and Secure Boot enabled, it won't boot. It returns to the BIOS screen. Otherwise works fine. When running the upgrade health check, secure boot seems to be my only issue. I do have a Gigabit GV N710SL video card installed. Thinking that might be the issue, I removed it with the same results. This is on a spare machine, so if I need to completely reload Windows, it's not that big a deal other than I don't want to lol.

My motherboard is a jginyue model H 311m-GD4 and Intel processor of i7 8700

Any suggestions appreciated
Thanks in advance
 
Hi Rick — this is a classic symptom: Windows is installed in Legacy/CSM (MBR) mode, so when you disable CSM and turn on Secure Boot (UEFI-only) the firmware no longer finds a UEFI bootloader and drops you to BIOS. Your GPU probably isn’t the problem since removing it didn’t change behavior.
Before anything: make a full backup (or at least copy important files) and suspend BitLocker if it’s enabled. Converting or reinstalling can go wrong and you should have a backup.
Suggested plan (safe, step-by-step)
1) Confirm how Windows is currently booting
  • In Windows, open System Information (type msinfo32 and press Enter).
    • Look at “BIOS Mode”: it will say “Legacy” (or “BIOS”) or “UEFI”.
  • Check disk partition style:
    • Open an elevated PowerShell and run: Get-Disk
    • Look at the “PartitionStyle” column — it will say Mbr or Gpt.
If BIOS Mode = Legacy and PartitionStyle = MBR, that explains the failure when you disable CSM / enable Secure Boot.
2) If Windows is Legacy/MBR: convert to UEFI/GPT (recommended, non-destructive)
  • Preconditions:
    • Make sure you have a backup.
    • If BitLocker is on, suspend protection (Control Panel > BitLocker Drive Encryption > Suspend protection).
    • Close apps and be on AC power.
  • From an elevated Command Prompt run validation first (assumes the OS disk is Disk 0 — change the number if it’s different):
    • mbr2gpt /validate /disk:0 /allowFullOS
    • If validation is successful, convert:
    • mbr2gpt /convert /disk:0 /allowFullOS
  • What mbr2gpt does: it creates an EFI System Partition and converts the disk metadata to GPT, then registers the Windows Boot Manager for UEFI booting.
  • If convert succeeds, reboot into firmware setup, set Boot Mode = UEFI (disable CSM), enable Secure Boot, save and exit. Windows should then boot via the Windows Boot Manager.
3) If mbr2gpt validation fails or you get errors
  • Common reasons: unusual partition layout, encrypted disk not suspended, not enough space to create an EFI partition, or multiple OSes. Report the error text and I’ll help interpret it.
  • Alternative: create a UEFI EFI System Partition and recreate the boot files manually:
    • Use diskpart to identify/assign an unused letter to a FAT32 EFI partition (100–512 MB), then run:
    • bcdboot C:\Windows /s S: /f UEFI
    • I can give exact diskpart steps if you want to try this path.
4) If you prefer a clean install
  • Boot Windows installer in UEFI mode (use the motherboard’s UEFI boot entry for the USB), delete/format partitions as desired, install Windows — this will create GPT/ESP automatically. This is simplest if you don’t care about reinstalling apps.
5) BIOS/firmware and Secure Boot keys
  • If you converted to UEFI and still won’t boot with Secure Boot on, check firmware:
    • Update the motherboard BIOS to the latest from the vendor if updates exist (this board is a jginyue H310M-GD4 — ensure you download correct firmware).
    • In Secure Boot settings use the “Standard” or “Windows” keys (not a custom keyset) while testing.
    • Confirm that you have a “Windows Boot Manager” UEFI boot entry in the firmware.
If you want, tell me:
  • What msinfo32 says for “BIOS Mode”
  • Output of Get-Disk (paste it here)
  • Whether BitLocker is enabled
I’ll walk you through the exact commands and BIOS settings step-by-step.
 
You can check if your Windows drive is formatted as GPT, not MBR; Secure Boot only works with GPT partitions. Also, make sure “Windows UEFI mode” is selected under Secure Boot options in BIOS, not “Other OS.” If you recently installed Windows in legacy mode, you can convert the drive to GPT using the built-in MBR2GPT tool without reinstalling.
Finally, update your BIOS to the latest version from jginyue’s site; some earlier revisions had Secure Boot bugs. Once done, set CSM off, Secure Boot on, and try booting again; it should work smoothly.
 
Good checklist from datawizard0103 — mostly correct — but a few important clarifications and a safe, step‑by‑step plan you can follow (with exact commands). Don’t skip the backup and BitLocker notes — those are the two things most folks miss.
Summary (what you want to achieve)
  • Confirm the disk is GPT and Windows is booting in UEFI mode.
  • If it’s MBR/Legacy, convert the system disk to GPT with Microsoft’s MBR2GPT tool (no reinstall required, in most cases).
  • In firmware (BIOS/UEFI): disable CSM/Legacy, enable UEFI/“Windows UEFI Mode”, enable Secure Boot and (if needed) restore factory keys.
  • Update firmware only from your PC/motherboard vendor (not random third‑party sites).
Before you begin — critical safety steps
1) Full backup: make a full image or at least copy important files off the machine. Conversion rarely fails, but you must be prepared.
2) BitLocker: If BitLocker is enabled, suspend it before conversion:
  • Run (Admin PowerShell): manage-bde -status to check.
  • If enabled: manage-bde -protectors -disable C: (or use the BitLocker control panel).
    Re‑enable after everything is working.
3) Note RAID/Intel RST: If your system uses RAID/Intel RST, converting/boot-mode changes can be more complicated. Tell me if you use RAID/IRST.
Checks to run now (paste results if you want me to interpret them)
A — Check partition style (two ways)
  • Disk Management GUI:
    • Win+R → diskmgmt.msc → right‑click the Windows disk → Properties → Volumes tab → Partition style: MBR or GPT.
  • DiskPart (Admin cmd):
    Code:
    diskpart
    list disk
    In the list, check the “Gpt” column — an asterisk (*) means GPT.
B — Check current boot mode and Secure Boot state
  • Run msinfo32 (Win+R → msinfo32) and note:
    • BIOS Mode: UEFI or Legacy
    • Secure Boot State: On / Off / Unsupported
If both show UEFI and GPT, you’re already good and can enable Secure Boot in firmware (or restore factory keys if Secure Boot state is Off/Setup).
If you have Legacy/MBR (you need conversion), proceed below.
Convert MBR → GPT safely (use MBR2GPT; Windows 10/11 includes it)
  • Preparation:
    • Suspend BitLocker (if enabled).
    • Close all apps; you must run as Administrator.
  • Validate:
    mbr2gpt /validate /allowFullOS
    If validation fails, post the validation errors. Do NOT proceed until validation passes.
  • Convert:
    mbr2gpt /convert /allowFullOS
    On success you’ll see confirmation. Reboot and enter firmware.
Post-convert firmware steps (UEFI + Secure Boot)
  1. Reboot into UEFI/BIOS setup. Common keys: F2 / Del / F10 / Esc depending on vendor.
  2. Set Boot Mode to UEFI (disable CSM / Legacy). Some BIOSes show a “Windows UEFI mode” option — choose that if present.
  3. Enable Secure Boot. If the option is greyed out, look for “Restore Factory Keys” or “Enroll Factory Keys” in the Secure Boot menu and choose that — then enable Secure Boot.
  4. Save & exit. Windows should boot in UEFI mode.
If Windows won’t boot after switching to UEFI
  • Possible causes: conversion didn’t complete, boot entries wrong, storage controller mode mismatch (RAID vs AHCI), or OEM driver issues. Don’t panic — you can:
    • Reboot to firmware and revert to Legacy temporarily.
    • Use Windows USB to run Automatic Repair or bcdboot to recreate UEFI boot files:
    • From WinRE Command Prompt (assuming C: is Windows and S: is EFI):
      bcdboot C:\Windows /l en-us /s S: /f UEFI
    • If storage mode was RAID/IRST, you may need to load Intel RST driver during repair or switch to AHCI carefully (there are steps to change to AHCI without reinstall).
BIOS/firmware updates — only from the vendor
  • Do NOT download BIOS from unknown third‑party sites (e.g., random GitHub users or personal pages). Use your PC or motherboard manufacturer’s official support page (Dell, HP, Lenovo, ASUS, Gigabyte, ASRock, MSI, etc.).
  • Follow the vendor’s BIOS update instructions exactly; a bad BIOS flash can brick the board.
Common pitfalls & troubleshooting
  • mbr2gpt can fail if there are too many primary partitions or OEM recovery partitions in the wrong layout — validation will tell you why.
  • BitLocker not suspended → conversion will fail to boot.
  • Intel RST / RAID setups need vendor drivers; switching to AHCI without preparing Windows can make it unbootable. If you use Intel RST, get the vendor guidance first.
  • Secure Boot may require “Restore factory keys” or setting it from “Setup Mode” to “Standard”.
  • If you see “Secure Boot: Unsupported” in msinfo32 even after UEFI/GPT, check firmware or BIOS version — update from vendor.
If you’d like I can:
  • Walk you through the mbr2gpt validation and conversion step by step (I’ll tell you what to paste back).
  • Help find the official BIOS download if you post your exact PC or motherboard model (I’ll link the vendor page).
  • Check for RAID/IRST presence (paste output of wmic diskdrive get model,serialnumber or tell me if your storage shows Intel RST in Device Manager).
Want to proceed now?
If yes, start by running and pasting the outputs of:
  • diskpart, then list disk (paste that output), and
  • Open msinfo32 and copy the BIOS Mode and Secure Boot State lines.
I’ll interpret the results and give the exact next command(s).
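
The checks both replies ask for (BIOS mode, partition style, Secure Boot state, BitLocker status) can be collected in one read-only pass. The PowerShell below is an added example, not part of the original posts; the function name Get-SecureBootReadiness is hypothetical, and it assumes Windows PowerShell 5.1 or later run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only pre-flight; it changes nothing on disk or in firmware.
# Get-SecureBootReadiness is a hypothetical name, not a built-in cmdlet.
function Get-SecureBootReadiness {
    # Firmware mode Windows booted in (the "BIOS Mode" line in msinfo32).
    $firmware = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

    # Disk that holds the running Windows installation, and its partition style.
    $disk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1

    # Confirm-SecureBootUEFI returns True/False under UEFI and throws under
    # Legacy/CSM, where the Secure Boot variable cannot be read.
    try   { $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' } }
    catch { $secureBoot = 'Unsupported' }

    # BitLocker protection on the OS volume (cmdlet absent on some editions).
    try   { $bitLocker = "$((Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus)" }
    catch { $bitLocker = 'Unknown' }

    # Map the findings to the next step described in the thread.
    $validate = "mbr2gpt /validate /disk:$($disk.Number) /allowFullOS"
    $next = if ($disk.PartitionStyle -eq 'MBR' -and $bitLocker -eq 'On') {
        "Suspend BitLocker, then run: $validate"
    } elseif ($disk.PartitionStyle -eq 'MBR' -and $bitLocker -eq 'Unknown') {
        "Confirm BitLocker status manually (manage-bde -status), then run: $validate"
    } elseif ($disk.PartitionStyle -eq 'MBR') {
        "Run: $validate (convert only if validation passes)"
    } elseif ($firmware -eq 'Uefi' -and $secureBoot -eq 'On') {
        'Already UEFI + GPT with Secure Boot on; nothing to convert'
    } elseif ($firmware -eq 'Uefi') {
        'UEFI + GPT: enable Secure Boot in firmware setup'
    } else {
        'Unexpected combination; recheck msinfo32 and Get-Disk by hand'
    }

    [pscustomobject]@{
        BiosMode       = $firmware
        OsDiskNumber   = $disk.Number
        PartitionStyle = $disk.PartitionStyle
        SecureBoot     = $secureBoot
        BitLocker      = $bitLocker
        NextStep       = $next
    }
}

Get-SecureBootReadiness | Format-List
```

The disk number it reports is the one to pass to mbr2gpt, which avoids assuming the OS disk is Disk 0.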