How to Check If Secure Boot Is Enabled on Your PC
Secure Boot is one of those features that quietly does its job in the background — until something goes wrong, or until Windows 11 asks about it during setup. Whether you're troubleshooting a failed OS upgrade, verifying your system's security posture, or just curious about what's running under the hood, checking Secure Boot status takes less than a minute once you know where to look.
What Secure Boot Actually Does
Secure Boot is a security standard built into your PC's firmware (UEFI) that controls which software is allowed to run during the boot process. When your computer starts, Secure Boot checks that the bootloader and early OS files carry a trusted digital signature. If something unsigned or tampered with tries to load — like a bootkit or rootkit — Secure Boot blocks it before the OS even starts.
It was developed as part of the UEFI (Unified Extensible Firmware Interface) specification and has been supported on most consumer PCs since around 2012. Microsoft made it a hard requirement for Windows 11, which is why many users first encountered it during the upgrade checker process.
Secure Boot status exists in one of three states:
- Enabled — active and enforcing signature checks
- Disabled — present in firmware but turned off
- Not supported — older hardware using legacy BIOS instead of UEFI
How to Check Secure Boot Status in Windows 🔍
Method 1: System Information Tool (msinfo32)
This is the fastest method and works on Windows 10 and Windows 11.
- Press Windows + R to open the Run dialog
- Type
msinfo32and press Enter - In the System Summary panel on the left, look at the right-hand pane
- Find the row labeled Secure Boot State
You'll see one of three values: On, Off, or Unsupported.
This method requires no admin privileges and gives you an immediate answer without touching any settings.
Method 2: PowerShell Command
For users comfortable with the command line:
- Open PowerShell (search for it in the Start menu)
- Type the following and press Enter:
Confirm-SecureBootUEFI - If the result is True — Secure Boot is enabled
- If the result is False — Secure Boot is disabled
- If you get an error saying the cmdlet isn't recognized or the system doesn't support it — you're likely running legacy BIOS, not UEFI
Method 3: Windows Security App
On Windows 11, you can also check through the built-in security dashboard:
- Open Windows Security from the Start menu or system tray
- Go to Device Security
- Click Security processor details or look under Secure Boot
This view is designed for general users and shows status in plain language, though it offers less detail than msinfo32.
Checking Secure Boot on Non-Windows Systems
Linux users can check Secure Boot status using the terminal:
mokutil --sb-state This returns either SecureBoot enabled or SecureBoot disabled. The mokutil package may need to be installed first depending on your distribution.
Mac users don't interact with Secure Boot the same way. Apple Silicon Macs and Intel Macs with a T2 chip have their own Startup Security Utility, accessible through macOS Recovery. The concept is similar — controlling which OS can boot — but the implementation and terminology differ from the UEFI standard used on Windows PCs.
What Affects Secure Boot Status
Not every PC handles Secure Boot identically. Several variables determine what you'll find:
| Factor | How It Affects Secure Boot |
|---|---|
| Firmware type | UEFI supports Secure Boot; legacy BIOS does not |
| PC age | Most pre-2012 machines lack Secure Boot entirely |
| OEM configuration | Some manufacturers ship with Secure Boot off by default |
| Custom OS installs | Linux or dual-boot setups sometimes require disabling it |
| Virtualization use | Some hypervisors and older drivers conflict with Secure Boot |
| BIOS updates | Firmware updates can sometimes reset Secure Boot settings |
If Secure Boot shows as Unsupported, the machine is running in Legacy BIOS mode rather than UEFI — and enabling Secure Boot would require converting the disk partition style from MBR to GPT, which is a more involved process.
If it shows as Off on a UEFI system, it can generally be re-enabled in the UEFI firmware settings (accessed by pressing a key like F2, F10, Del, or Esc during startup, depending on the manufacturer).
Why the Status Matters — and When It Doesn't 🛡️
For most standard Windows 10 and 11 users on modern hardware, having Secure Boot enabled is the straightforward choice. It's part of Microsoft's baseline security stack and works alongside TPM 2.0 and Windows Defender to provide layered protection against low-level threats.
But the picture changes depending on use case. Developers running custom OS builds, security researchers, users running certain virtualization platforms, or people running Linux distributions that use their own boot signing keys may have legitimate reasons to run with Secure Boot disabled or configured differently. Some older peripheral drivers and niche hardware also have compatibility quirks with Secure Boot enabled.
Knowing your current status is the starting point. What's appropriate from there depends on how your machine is used, what software it runs, and what your actual security requirements are — and those details sit with you, not in a general guide.