How to enable Secure Boot in Windows 11
Most modern PCs have Secure Boot enabled by default, but you may need to manually turn it on to meet Windows 11's security requirements


Rene Millman
For IT professionals managing or deploying Secure Boot on Windows 11 systems, its activation is a cornerstone of a robust security posture. Secure Boot is a critical UEFI firmware feature designed to ensure that your PC boots using only software trusted by the Original Equipment Manufacturer (OEM) or the user. This mechanism provides a vital defense against malware that might attempt to compromise the boot process, such as rootkits or bootkits.
As a mandatory requirement for Windows 11, understanding how to verify and enable Secure Boot is essential. This guide will walk you through checking its status, activating it via the system's firmware (BIOS/UEFI) settings, and troubleshooting common hurdles.
Having Secure Boot enabled on Windows 11 is a critical step for users wanting to run Microsoft's latest operating system in a protected environment. Secure Boot is a security standard developed by members of the PC industry to help make sure that your device boots using only software that is trusted by the PC manufacturer. It’s part of the stringent hardware and software requirements introduced with Windows 11, alongside the need for a compatible CPU, TPM 2.0, and sufficient RAM and storage.
Although most modern PCs ship with Secure Boot enabled by default, some configurations, especially on custom-built machines or older systems upgraded to support Windows 11, may show it as inactive. This often relates to specific BIOS or UEFI firmware settings, such as the Compatibility Support Module (CSM) being active. While enabling Secure Boot significantly strengthens a machine's overall security, there are niche scenarios — such as working with certain older Linux distributions or specialized legacy hardware — where temporarily disabling it might be considered, albeit with increased security risks.
Turning on Secure Boot for Windows 11
Secure Boot works by verifying the digital signatures of all boot software, including firmware drivers (Option ROMs), UEFI applications, and the operating system. Before diving into firmware settings, it's prudent to check if Secure Boot is already active, as accessing and navigating the BIOS/UEFI can vary between manufacturers.
How to check if Secure Boot is already enabled
To verify whether Secure Boot is active on your system:
- Click Start.
- Type System Information into the search bar and press Enter.
- In the System Summary section (usually selected by default), scroll through the list to find Secure Boot State.
- If the value shows On, then Secure Boot is already enabled. If it shows Off or Unsupported, you’ll need to investigate further and potentially enable it manually via the firmware settings.
How to enable Secure Boot in Windows 11
If Secure Boot is not enabled, you can typically turn it on through the system's UEFI firmware settings (often referred to as BIOS settings):
1. Access UEFI/BIOS Settings:
   - The most reliable method is often via Windows Recovery Environment: Go to Settings > System > Recovery. Under "Advanced startup," click Restart now. Once the PC restarts to the blue recovery screen, select Troubleshoot > Advanced options > UEFI Firmware Settings, then click Restart.
   - Alternatively, restart your PC and wait for the manufacturer's splash screen. As it appears, repeatedly press the specific key to enter the BIOS/UEFI setup. Common keys include Delete, F2, F10, F12, or Escape. This key can vary significantly by manufacturer (e.g., Dell, HP, Lenovo, ASUS often use F2 or Delete). Consult your PC or motherboard manual if unsure.
2. Navigate the Firmware Menu: Once in the UEFI/BIOS, look for a Boot, Security, or Authentication tab. The exact naming and location differ based on the motherboard manufacturer.
3. Locate the Secure Boot option: Within the relevant section, find the "Secure Boot" setting. It might be a direct toggle or within a sub-menu.
4. Enable Secure Boot: Set the Secure Boot option to Enabled.
5. Ensure UEFI Mode: Secure Boot requires the system to be in UEFI mode, not Legacy BIOS or CSM (Compatibility Support Module) mode. If you see an option for "CSM," "Legacy Boot," or similar, it must be Disabled for Secure Boot to be available or to function correctly. Note: Switching from Legacy/CSM to UEFI mode might make existing OS installations unbootable if the OS was installed in Legacy mode. This often requires an OS reinstall or conversion of the boot disk from MBR to GPT partition style.
6. Save and Exit: Save the changes (usually via a key like F10 or an option in the "Exit" menu) and restart your PC.
Once enabled, your system will use Secure Boot to verify the integrity of the boot process, helping prevent unauthorized software from running during startup.
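The status check and the UEFI-mode caveat in step 5 can also be scripted before anyone touches the firmware. The following is an added example, not part of the original article: the function name `Get-SecureBootReadiness` is hypothetical, and it assumes an elevated PowerShell session on the PC being checked.

```powershell
# Added example: pre-flight check before changing Secure Boot / CSM settings.
function Get-SecureBootReadiness {
    # Map Confirm-SecureBootUEFI onto the On / Off / Unsupported values that
    # System Information shows for "Secure Boot State".
    try {
        $state = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    }
    catch [System.PlatformNotSupportedException] {
        $state = 'Unsupported'   # legacy BIOS/CSM boot, or no Secure Boot support
    }
    catch [System.UnauthorizedAccessException] {
        $state = 'NotElevated'   # the cmdlet needs an administrator session
    }
    catch {
        $state = "Error: $($_.Exception.Message)"
    }

    # Firmware mode Windows was booted in: Uefi or Bios (Legacy/CSM).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Partition style of the disk that holds the Windows volume: GPT or MBR.
    $letter = $env:SystemDrive.TrimEnd(':')
    $style  = (Get-Partition -DriveLetter $letter | Get-Disk).PartitionStyle

    # Turn the three facts into the next step from the procedure above.
    $action = if ($state -eq 'On') {
        'None: Secure Boot is already enabled.'
    }
    elseif ($state -eq 'NotElevated') {
        'Re-run this check from an administrator PowerShell session.'
    }
    elseif ($style -eq 'MBR') {
        'Convert the boot disk from MBR to GPT (or reinstall) before disabling CSM/Legacy boot.'
    }
    else {
        'Disable CSM/Legacy boot if present, then enable Secure Boot in the UEFI firmware settings.'
    }

    [pscustomobject]@{
        SecureBootState = $state
        FirmwareMode    = "$firmware"
        SystemDiskStyle = $style
        NextStep        = $action
    }
}

Get-SecureBootReadiness | Format-List
```

An MBR result is the case the note in step 5 warns about: disabling CSM on such a machine leaves the existing installation unbootable until the disk is converted or the OS is reinstalled.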
What is Secure Boot and why is it so important?
Secure Boot acts as a critical system safeguard by meticulously verifying the digital signatures of firmware, bootloaders, and the operating system kernel before they are allowed to run. When your PC starts, Secure Boot ensures that the UEFI firmware itself is signed and trusted, then checks each subsequent piece of critical software in the boot chain.
This process is highly effective against sophisticated malware like rootkits and bootkits. These types of malicious software attempt to load before the operating system, embedding themselves deep within the system to gain privileged access and evade detection by traditional security software. By ensuring that only cryptographically verified and trusted software can execute during the boot sequence, Secure Boot protects the foundational integrity of the operating system.
Introduced with Windows 8, Secure Boot is now a non-negotiable system requirement for Windows 11. Microsoft mandates that all certified x86-based Windows 11 devices must ship with Secure Boot enabled by default, trust Microsoft’s certificates, and, importantly, allow users to manage Secure Boot settings, including the ability to trust non-Microsoft certificates or disable the feature if absolutely necessary (though this is strongly discouraged for general use).
Why would you disable Secure Boot?
Although Secure Boot significantly enhances system security, there are specific, limited scenarios where disabling it might be considered:
It's crucial to understand that turning off Secure Boot reduces your system's protection against pre-boot malware and unauthorized software. It should only be done if essential for a specific task and ideally re-enabled afterward.
Troubleshooting common Secure Boot issues
Encountering issues when enabling Secure Boot is not uncommon. Here are some frequent problems and their potential solutions:
Secure Boot option is grayed out in BIOS/UEFI:
System won’t boot after enabling Secure Boot:
Secure Boot is enabled in firmware, but Windows still reports it as off:
Further reading on Windows 11 and security
To learn more about Windows 11 security features, check out our other guides. We cover everything from how to boot into Windows 11 Safe Mode to managing encryption tools like BitLocker, ensuring your PC meets the latest security standards. For those exploring Linux or other OS setups, see our articles on comparing Windows 11 with Linux, UEFI settings, and switching to Linux from Windows.

John Loeppky is a British-Canadian disabled freelance writer based in Regina, Saskatchewan. He has more than a decade of experience as a professional writer with a focus on societal and cultural impact, particularly when it comes to inclusion in its various forms.
In addition to his work for ITPro, he regularly works with outlets such as CBC, Healthline, VeryWell, Defector, and a host of others. He also serves as a member of the National Center on Disability and Journalism's advisory board. John's goal in life is to have an entertaining obituary to read.