How to Enable Secure Boot on Your PC or Laptop
Secure Boot is one of those settings that sits quietly in your system firmware until Windows setup — or a security audit — suddenly makes it impossible to ignore. Whether you're installing Windows 11, troubleshooting a compatibility error, or just hardening your system, understanding how Secure Boot works and what it takes to enable it will save you a lot of frustration.
What Is Secure Boot and Why Does It Matter?
Secure Boot is a security standard built into your computer's UEFI firmware (the modern replacement for BIOS). When enabled, it verifies that the software loading during startup — your bootloader and operating system — has been digitally signed by a trusted source.
The goal is straightforward: prevent malicious software, particularly bootkits and rootkits, from loading before your operating system has a chance to defend itself. These low-level threats are especially dangerous because they operate beneath the OS layer, making them difficult to detect or remove once installed.
Microsoft made Secure Boot a requirement for Windows 11, which brought it into the spotlight for many users who had previously never touched the setting.
What You Need Before You Start 🔒
Enabling Secure Boot isn't a single-click operation. A few conditions need to be in place first.
Your system must use UEFI firmware, not legacy BIOS. Most computers manufactured after 2012 use UEFI, but older machines — or machines set to run in Legacy/CSM mode — won't support Secure Boot properly.
Your drive must be formatted as GPT (GUID Partition Table), not MBR (Master Boot Record). Legacy BIOS systems typically use MBR. If your drive is still MBR and you're running in Legacy mode, enabling Secure Boot will likely cause your system to fail to boot.
Your operating system must support Secure Boot. Windows 8 and later, modern Linux distributions (using signed bootloaders like shim), and recent versions of macOS on Intel all support it to varying degrees.
How to Check Your Current Secure Boot Status
Before making any changes, check what state your system is already in.
On Windows:
- Press
Windows + R, typemsinfo32, and press Enter - In System Information, look for Secure Boot State — it will show On, Off, or Unsupported
- Also check BIOS Mode — it should say UEFI, not Legacy
If it says Unsupported, your hardware may not be compatible, or your firmware may be running in a legacy mode.
How to Enable Secure Boot in UEFI Firmware Settings
The process varies by manufacturer, but the general path is consistent.
Step 1: Enter your UEFI/BIOS settings Restart your computer and press the firmware key during startup. Common keys include:
- Del or F2 — most desktop motherboards and many laptops
- F10 — HP systems
- F1 — Lenovo
- Esc then F10 — some HP models
If you can't catch the key in time, you can access UEFI settings from within Windows by going to Settings → System → Recovery → Advanced Startup → Restart Now, then navigating to Troubleshoot → Advanced Options → UEFI Firmware Settings.
Step 2: Disable CSM/Legacy mode (if active) Look for a setting labeled CSM (Compatibility Support Module) or Legacy Boot and disable it. This forces the system into full UEFI mode. ⚠️ Do this only if your OS is already installed on a GPT-formatted drive — otherwise your system won't boot.
Step 3: Find the Secure Boot setting It's typically found under a tab labeled Boot, Security, or Authentication depending on your firmware interface. The setting will be listed as Secure Boot with an Enable/Disable toggle.
Step 4: Set Secure Boot to Enabled Select Enabled and confirm. Some firmware will also let you choose between Standard and Custom mode — Standard uses Microsoft's built-in keys, which is appropriate for most Windows users.
Step 5: Save and exit Save your changes (usually F10) and let the system reboot.
Common Complications and What Causes Them
| Situation | What It Means |
|---|---|
| System won't boot after enabling | Drive is likely MBR or OS isn't signed |
| Secure Boot option is grayed out | CSM/Legacy mode may still be active |
| "Secure Boot Unsupported" in msinfo32 | Hardware is too old or firmware is outdated |
| Linux won't boot | Distro may need a signed shim bootloader |
| Dual-boot systems break | Each OS needs proper Secure Boot support |
Dual-boot setups introduce meaningful complexity. Linux distributions vary in how they handle Secure Boot — some work seamlessly with signed bootloaders, others require disabling it entirely or enrolling custom keys. The right approach depends heavily on which distributions you're running and how they were installed.
The Variables That Determine Your Exact Steps
No two systems go through this process identically. Several factors shape what you'll actually encounter:
- Motherboard manufacturer and firmware version — the menu layout, available options, and terminology differ significantly between ASUS, Gigabyte, MSI, Dell, HP, Lenovo, and others
- Whether your OS was installed in UEFI or Legacy mode — this determines whether switching modes is safe without reinstalling
- GPT vs MBR partition table — Windows offers a tool (
mbr2gpt) to convert without data loss, but it has its own requirements and edge cases - Your use of third-party drivers or older hardware — some older peripherals and unsigned drivers can conflict with Secure Boot in specific configurations
Whether the process takes two minutes or two hours depends almost entirely on the state your system is already in.