Can't clean install W11 from usb on a new laptop

pat3 · Nov 10, 2025

I have a brand new HP laptop and i want to do a clean install of W11 to get rid of the pre installed software and other unnecessary stuff. I prepared the installation media (usb stick) succesfully, just like i've done so many times on W10. Then i went to check that the stock bios/uefi settings are ok (secure boot, tpm, usb boot all enabled). Finally i tried to boot from the usb stick (it said uefi next to the boot option) and it fails to do that, telling me "Invalid signature detected. Check secure boot policy in setup."

I have no idea why this is happening. I've done this so many times on W10 machines. I even tried to update the BIOS, but no help. The laptop model has just been released and came with W11, so hardware is obviously compatible. Any ideas?

garlin · Nov 10, 2025

Secure Boot is disallowing the USB's boot file due to your UEFI's current set of security certificates.

With a brand new laptop, it'll depend on how it was shipped from the factory. The possibilities are:

- UEFI only recognizes the older CA 2011 certs, and doesn't allow USB drives with newer CA 2023-signed boot files

- UEFI recognizes both CA 2011 and CA 2023 certs, and allows all USB drives to boot

- UEFI only recognizes the newer CA 2023 cert, and doesn't allow USB drives with older CA 2011-signed boot files

For now, temporarily disable Secure Boot in BIOS and you'll be allowed to boot whatever you want. After you get W11 up and running, it will be easier to run a script or set of commands to see what is your exact situation with UEFI certs and the original USB drive.

It's ideal to have Secure Boot for a live system, but it's not required for the purpose of installing Windows.

Bree · Nov 10, 2025

pat3 said:
i tried to boot from the usb stick (it said uefi next to the boot option) and it fails to do that, telling me "Invalid signature detected. Check secure boot policy in setup."

Welcome to Eleven Forum.

garlin said:
Secure Boot is disallowing the USB's boot file due to your UEFI's current set of security certificates....
....For now, temporarily disable Secure Boot in BIOS and you'll be allowed to boot whatever you want.

Garlin is correct, Secure Boot is not allowing you to boot from the USB.

You can turn off Secure Boot and still be able to install Windows 11. The requirement is that the PC is capable of Secure Boot, it doesn't need to be turned on to qualify as a supported device.

Anibor_11 · Nov 10, 2025

Another option: in the UEFI setup [BIOS], look for the option "Enable MS UEFI CA key". If present, enable it and exit saving changes.

If the option exists but is grayed out, disable Sure Start, exit and save the change, before enabling the UEFI CA Key.

pat3 · Nov 11, 2025

garlin said:
Secure Boot is disallowing the USB's boot file due to your UEFI's current set of security certificates.

With a brand new laptop, it'll depend on how it was shipped from the factory. The possibilities are:

- UEFI only recognizes the older CA 2011 certs, and doesn't allow USB drives with newer CA 2023-signed boot files
- UEFI recognizes both CA 2011 and CA 2023 certs, and allows all USB drives to boot
- UEFI only recognizes the newer CA 2023 cert, and doesn't allow USB drives with older CA 2011-signed boot files

For now, temporarily disable Secure Boot in BIOS and you'll be allowed to boot whatever you want. After you get W11 up and running, it will be easier to run a script or set of commands to see what is your exact situation with UEFI certs and the original USB drive.

It's ideal to have Secure Boot for a live system, but it's not required for the purpose of installing Windows.

Maybe I'll try if i can see what certs are supported on the machine right now.

About disabling secure boot: i've read somewhere that disabling it may trigger bitlocker and lock the machine, requiring the key to unlock it. Is this true and can i prevent this from happening by disabling bitlocker first in Windows? This is a good thing to note as i think bitlocker is on by default nowadays.

garlin · Nov 11, 2025

You're probably thinking of "if you change the Secure Boot certs without suspending BitLocker first, BitLocker wants you to provide a recovery key".

garlin · Nov 11, 2025

You can run this PS script (as Administrator) to check your current UEFI certs:

Code:

powershell -ep bypass -f \path\to\save\folder\Check_EFIBootFile.ps1

Helmut · Nov 11, 2025

pat3 said:
Any ideas?

Not an idea, but experience says do not do a so-called clean install. You will end up inducing problems, part of which is because of the integrated hardware of Laptops.

Some of the pre-installed software is useful. You can uninstall at your leisure stuff like Trial versions of MS Office, AV Apps, etc, possibly other stuff.

HarleyQuinn · Nov 11, 2025

why you want to delete hp recovery oem partition? many people search for that after accidentally delete. You can do reset under windows 11 setting instead of install from usb

Can't clean install W11 from usb on a new laptop

New member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

Well-known member

Attachments

My Computer

Well-known member

My Computer

Well-known member

My Computers

Similar threads