How to Enable Secure Boot on Your PC or Laptop
Secure Boot is one of those settings that quietly does important work in the background — and most people only think about it when Windows 11 refuses to install, or a security scan flags it as disabled. Enabling it isn't complicated, but the exact steps vary more than most guides admit. Here's what you actually need to know.
What Secure Boot Does (and Why It Matters)
Secure Boot is a security standard built into your computer's firmware — specifically UEFI (Unified Extensible Firmware Interface), the modern replacement for the older BIOS system. When enabled, Secure Boot verifies that the software loading during startup is digitally signed and trusted. If something unauthorized tries to run before your operating system loads — like a bootkit or rootkit — Secure Boot blocks it.
In practical terms, this means:
- Your system checks bootloaders and OS files against a database of trusted signatures before handing off control
- Unsigned or tampered code gets blocked at the firmware level, before Windows or Linux even starts
- It's a core requirement for Windows 11, which is why it's become a topic of interest for many users upgrading from Windows 10
Secure Boot doesn't protect against everything — it's specifically a pre-boot protection mechanism, not a replacement for antivirus software or good security hygiene.
Check Whether Secure Boot Is Already Enabled
Before diving into UEFI settings, confirm your current status:
- Press Windows + R, type
msinfo32, and press Enter - In the System Information window, look for "Secure Boot State" in the right pane
- It will show On, Off, or Unsupported
If it says On, you're already done. If it says Unsupported, your system may be running in Legacy BIOS mode rather than UEFI, which is a separate issue requiring additional steps before Secure Boot can be enabled.
How to Access UEFI Firmware Settings
Secure Boot is configured inside your UEFI/BIOS firmware, not within Windows itself. Getting there varies by manufacturer:
| Manufacturer | Common UEFI Access Key |
|---|---|
| Dell | F2 or F12 at startup |
| HP | F10 or Esc at startup |
| Lenovo | F1, F2, or the Novo button |
| ASUS | Delete or F2 at startup |
| MSI | Delete at startup |
| Acer | F2 or Delete at startup |
| Microsoft Surface | Hold Volume Up while pressing Power |
The key must be pressed immediately after powering on, before Windows starts loading. If Windows loads, restart and try again.
On Windows 10/11, you can also access UEFI settings through the OS:
- Go to Settings → System → Recovery → Advanced Startup → Restart Now
- After reboot, choose Troubleshoot → Advanced Options → UEFI Firmware Settings → Restart
Enabling Secure Boot in UEFI 🔒
Once inside your UEFI interface, the location of the Secure Boot setting differs by firmware design, but it's typically found under:
- Security tab
- Boot tab
- Authentication tab (on some Lenovo and HP systems)
Steps once you locate it:
- Find Secure Boot and change its value to Enabled
- If Secure Boot is grayed out or unavailable, check whether your boot mode is set to UEFI (not Legacy/CSM) — Secure Boot cannot function in Legacy mode
- Save changes (usually F10) and exit — your system will restart
Some firmware interfaces also display a Secure Boot Mode option set to Standard or Custom. For most users, Standard is the correct choice, as it uses Microsoft's pre-loaded trusted certificate database.
The CSM and Legacy Boot Complication
This is where many users hit a wall. CSM (Compatibility Support Module) enables Legacy BIOS boot mode alongside UEFI, primarily for older hardware compatibility. When CSM is active, Secure Boot is often automatically disabled or unavailable.
If you need to disable CSM to enable Secure Boot, be aware:
- Disabling CSM can prevent older operating systems or hardware from functioning correctly
- If your drive is partitioned with MBR (Master Boot Record) instead of GPT (GUID Partition Table), you may need to convert it before switching — otherwise Windows won't boot
- Converting MBR to GPT without reinstalling Windows is possible using Microsoft's
mbr2gpttool, but it carries risk and requires care
Whether disabling CSM is practical for your setup depends on what else is installed on your system.
Platform Key and "Setup Mode" — What These Mean
Some firmware shows Secure Boot as being in "Setup Mode" even when toggled on. This means no Platform Key (PK) is enrolled — the root certificate that anchors the Secure Boot trust chain. For standard Windows installations, the Platform Key is enrolled automatically during Windows installation on UEFI systems. If yours is missing, you may need to restore factory keys through an option typically labeled "Restore Factory Keys" or "Install Default Secure Boot Keys" in your firmware. ⚙️
Secure Boot and Linux Dual-Boot Setups
Linux distributions handle Secure Boot differently. Major distributions like Ubuntu, Fedora, and Linux Mint use signed bootloaders (like shim) that are compatible with Secure Boot. Others may require you to disable it, enroll a custom key, or use a workaround depending on the kernel modules in use.
If you dual-boot Windows and Linux, enabling Secure Boot may or may not cause issues — it depends on which distribution you're running, which kernel version, and whether any third-party drivers (like certain GPU or Wi-Fi drivers) are unsigned.
What Actually Determines Whether This Goes Smoothly
The process looks simple on paper — a few firmware menu changes — but the real-world experience varies based on factors specific to your machine:
- Firmware age and design: Older UEFI implementations have less intuitive interfaces and fewer options
- Current boot mode: UEFI vs. Legacy/CSM changes the entire path you need to take
- Partition style: GPT vs. MBR affects whether you can safely switch boot modes
- Operating system configuration: Fresh Windows 11 installs are typically already Secure Boot-ready; upgraded systems from older Windows versions may have legacy remnants
- Additional OSes or custom bootloaders: Any non-standard boot setup adds complexity 🖥️
A system that shipped with Windows 11 and has never been modified will enable Secure Boot in about two minutes. A system that's been through multiple OS installs, partition changes, or custom firmware tweaks may require several preparatory steps first. Your specific configuration is what determines which version of this process you're actually looking at.