How to enable Secure Boot in Windows 11

Having Secure Boot enabled on Windows 11 is one of a number of compulsory steps for those wishing to install and run Microsoft's newest operating system.

Secure Boot is a security feature that allows you to boot up your computer in a secure environment to prevent malicious software from running. It joins the CPU, RAM, and storage specifications that make up Windows 11's minimum requirements.

Not all machines will meet this bar, but most modern systems should have the Secure Boot module enabled alongside TPM 2.0.

Unlike Windows 10, Microsoft has made Secure Boot a fundamental requirement for upgrading to Windows 11, a move designed to strengthen the security posture of individual machines. Although most modern PCs are capable of Secure Boot, certain settings could be enabled that prevent Secure Boot from appearing as if it’s active.

While most modern machine configurations allow for Secure Boot to run, some machines may have the capability hidden in the back end. There are also particular cases in which you won’t want Secure Boot to run, such as if you’re playing with specific Linux instances or older versions of Windows. Turning off Secure Boot can be advantageous in these cases.

Turning on Secure Boot for Windows 11

The Secure Boot tool checks the digital signature of drivers, the operating system, and firmware when you turn on the PC. The process for enabling Secure Boot is a little involved, so it's worth checking whether the tool is already turned on.

How to check if Secure Boot is already enabled

To check if Secure Boot is already enabled:

  1. Click Start
  2. Type System Information into the search bar and hit Enter
  3. Search through the list of system data to find Secure Boot
  4. Check whether the label says on or off
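
The same check can be scripted, which is useful when auditing several machines. The PowerShell below is an added example, not part of the original article; the function name `Get-SecureBootState` and its output labels are chosen for this example. It uses the built-in `Confirm-SecureBootUEFI` cmdlet and, when the session is not elevated, falls back to the `UEFISecureBootEnabled` registry value that Windows records at boot.

```powershell
# Added example: report the Secure Boot state on the local machine.
# Run in Windows PowerShell; an elevated session gives the most reliable answer.

function Get-SecureBootState {
    [CmdletBinding()]
    param()

    # Registry copy of the state recorded at boot: 1 = enabled, 0 = disabled.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'

    try {
        # Queries the firmware; returns $true or $false on UEFI systems.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $source  = 'Confirm-SecureBootUEFI'
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS/CSM boot, or firmware without Secure Boot support.
        return [pscustomobject]@{
            State  = 'Unsupported'
            Source = 'Confirm-SecureBootUEFI'
        }
    }
    catch {
        # Typically a non-elevated session: fall back to the registry value.
        $value = Get-ItemProperty -Path $regPath -Name UEFISecureBootEnabled `
                     -ErrorAction SilentlyContinue
        if ($null -eq $value) {
            return [pscustomobject]@{
                State  = 'Unknown'
                Source = 'none (re-run elevated)'
            }
        }
        $enabled = [bool]$value.UEFISecureBootEnabled
        $source  = 'registry'
    }

    [pscustomobject]@{
        State  = if ($enabled) { 'On' } else { 'Off' }
        Source = $source
    }
}

# Print the result for this machine.
Get-SecureBootState | Format-List
```

A result of `Unsupported` means the firmware settings need attention before the toggle described in the next section will do anything.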

How to enable Secure Boot in Windows 11

Should Secure Boot not be turned on for any reason, Windows makes it relatively straightforward to rectify:

  1. Restart the PC and wait for the BIOS splash screen to appear
  2. Once it appears, press the button that opens the BIOS window – usually Delete or F12
  3. The BIOS menu will vary depending on the manufacturer, but you need to find the security settings page – this could be under advanced settings
  4. You will need to hunt for the option to turn on Secure Boot – this will likely be a toggle or a drop-down box
  5. Exit BIOS and save the settings
  6. Restart the system

What is Secure Boot and why is it so important?

Secure Boot is a security tool that acts like a system of checks and balances. Instead of turning on your computer and performing the technological equivalent of crossing its fingers and hoping no malware is present, Secure Boot checks the digital signature of drivers, the operating system, and firmware.

For instance, when a PC fitted with UEFI starts, it verifies the firmware is digitally signed. Having Secure Boot active means it checks the bootloader’s digital signature to ensure it hasn’t been modified. The bootloader then starts if it passes these checks. If the checks across the board don’t add up, Secure Boot will send the system into a recovery procedure to make sure things are back in order.

Secure Boot is designed to combat the threat of rootkits. This is a sophisticated malware family that runs in kernel mode with the same privileges as the underlying OS. These strains can hide completely, bypass logins, record passwords, and capture cryptographic data, among other nefarious functions. Bootkits, in particular, are the specific breed of rootkit that Secure Boot aims to protect against. These replace the bootloader so the PC loads the bootkit rather than its own legitimate bootloader.

Secure Boot isn’t a new feature. It was introduced during the Windows 8 era and shipped with every Windows 10 device. Now, Secure Boot is one of the many core system requirements to run Windows 11. All certified x86-based Windows PCs must have Secure Boot enabled by default, trust Microsoft’s certificate, allow the user to configure Secure Boot to trust other bootloaders for non-Microsoft software, and allow the user to disable Secure Boot altogether. Any changes to Secure Boot, however, must be done manually, as this prevents software from altering settings or turning off this layer of protection.

John Loeppky is a British-Canadian disabled freelance writer based in Regina, Saskatchewan. His work has appeared for the CBC, FiveThirtyEight, Defector, and a multitude of others. John most often writes about disability, sport, media, technology, and art. His goal in life is to have an entertaining obituary to read.
