How to Enable Secure Boot on Your PC for Windows 11
Windows 11 introduced Secure Boot as a core system requirement — and for good reason. If you've been blocked from upgrading, or you're setting up a new machine and want to make sure it's properly configured, understanding what Secure Boot actually does and how to turn it on is worth getting right the first time.
What Is Secure Boot and Why Does Windows 11 Require It?
Secure Boot is a security standard built into your PC's firmware (the software that runs before your operating system loads). Its job is to verify that the software launching at startup — including the bootloader and early OS components — is digitally signed and trusted by your hardware manufacturer.
Without Secure Boot, malicious software can embed itself into the boot process before Windows even loads, making it nearly invisible to antivirus tools running inside the OS. This class of threat is called a bootkit or rootkit, and it's genuinely difficult to detect or remove once it's established.
Microsoft made Secure Boot a hard requirement for Windows 11 because modern attacks target exactly this low-level part of the system. Alongside TPM 2.0, Secure Boot forms the foundation of Windows 11's hardware-based security model.
What You Need Before Enabling Secure Boot
Not every PC can enable Secure Boot with a single toggle. A few things need to be in place first:
- UEFI firmware (not legacy BIOS) — Secure Boot only works on UEFI systems. Most computers manufactured after 2012 use UEFI, but older machines may still be running in Legacy/CSM mode, which disables Secure Boot.
- GPT partition style — Your system drive needs to use the GUID Partition Table (GPT) format, not the older MBR (Master Boot Record). The two requirements are linked: Secure Boot needs UEFI mode, and UEFI mode typically requires a GPT system drive.
- Compatible operating system — Windows 10 and 11 both support Secure Boot natively. Older versions of Windows or certain Linux distributions may behave differently depending on their signing status.
You can check your current Secure Boot state and firmware boot mode by opening the System Information tool (msinfo32) and looking at the Secure Boot State and BIOS Mode fields.
How to Access Your UEFI Firmware Settings 🔧
To enable Secure Boot, you need to enter your PC's firmware settings. The method varies by manufacturer:
Option 1 — Through Windows Settings:
- Go to Settings → System → Recovery
- Under Advanced startup, click Restart now
- Select Troubleshoot → Advanced options → UEFI Firmware Settings
- Click Restart — your PC will boot into firmware
Option 2 — At startup: Press the firmware key during boot. Common keys include Del, F2, F10, or Esc depending on your manufacturer (Dell, HP, Lenovo, ASUS, and MSI each have their own defaults). You typically have a very short window — about 1–2 seconds — to press it before Windows loads.
Enabling Secure Boot in UEFI Firmware
Once inside your firmware interface, the location of the Secure Boot setting varies — but it's usually found under one of these menus:
- Boot tab
- Security tab
- Authentication tab (common on Lenovo systems)
Look for a setting labeled Secure Boot and change it from Disabled to Enabled.
If You See a "CSM" or "Legacy Boot" Option
This is where things get more complex. If your firmware has CSM (Compatibility Support Module) enabled, Secure Boot may be grayed out or unavailable. CSM provides backward compatibility with older operating systems and hardware, but it conflicts with Secure Boot.
To enable Secure Boot, you'll typically need to:
- Disable CSM (or set it to "UEFI only")
- Ensure your boot mode is set to UEFI
- Then enable Secure Boot
⚠️ Important: Switching from Legacy/CSM to UEFI mode on an existing Windows installation — without first converting your drive from MBR to GPT — can prevent your system from booting. If you're doing this on a machine that already has Windows installed, verify your partition style first.
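The status check from "What You Need Before Enabling Secure Boot" and the partition-style check this warning calls for can be done in one read-only pass. The script below is an added example, not part of the original article: `Get-SecureBootReadiness` is a hypothetical helper name, and `mbr2gpt.exe` is Microsoft's conversion tool, which the article itself does not mention and which is used here only in its validate mode.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only pre-flight check. Get-SecureBootReadiness is a
# hypothetical helper name; nothing here changes firmware or disk layout.
function Get-SecureBootReadiness {
    # Firmware boot mode, the same fact msinfo32 reports as "BIOS Mode".
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Returns $true/$false on UEFI systems; throws on Legacy BIOS boots and on
    # firmware without Secure Boot support.
    try   { $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' } }
    catch { $secureBoot = 'Unsupported' }

    # The disk that holds the boot files, and its partition style (GPT or MBR).
    $disk = Get-Disk | Where-Object IsSystem | Select-Object -First 1

    # On an MBR disk, ask Microsoft's mbr2gpt.exe (Windows 10 1703 and later)
    # whether the layout could be converted. /validate writes nothing to disk.
    $convertible = $null
    if ($disk.PartitionStyle -eq 'MBR') {
        & mbr2gpt.exe /validate "/disk:$($disk.Number)" /allowFullOS | Out-Null
        $convertible = ($LASTEXITCODE -eq 0)
    }

    # Order matters: the MBR case is checked before any advice to touch CSM.
    $next = if ($secureBoot -eq 'On') {
        'Nothing to do: Secure Boot is already on.'
    } elseif ($disk.PartitionStyle -eq 'MBR') {
        'Convert the system disk to GPT BEFORE disabling CSM or switching to UEFI.'
    } elseif ($firmware -ne 'Uefi') {
        'GPT system disk but a Legacy boot: unusual layout, investigate before changing firmware.'
    } elseif ($secureBoot -eq 'Unsupported') {
        'UEFI and GPT, but the firmware reports no Secure Boot support.'
    } else {
        'UEFI and GPT: enable Secure Boot in the firmware settings.'
    }

    [pscustomobject]@{
        FirmwareMode       = $firmware
        SecureBoot         = $secureBoot
        SystemDisk         = $disk.Number
        PartitionStyle     = $disk.PartitionStyle
        Mbr2GptValidatesOk = $convertible   # $null when the disk is already GPT
        NextStep           = $next
    }
}

Get-SecureBootReadiness | Format-List
```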
Secure Boot Modes: Standard vs. Custom
Most users should enable Secure Boot in Standard mode, which uses the default set of trusted certificates from Microsoft and hardware vendors. This is what Windows 11 expects.
Custom mode allows you to manually manage the trusted keys — useful for developers, IT administrators, or users running unsigned software or certain Linux distributions. It's not something most home users need to touch.
| Mode | Who It's For | Key Behavior |
|---|---|---|
| Standard | Most Windows users | Uses pre-loaded manufacturer + Microsoft keys |
| Custom | IT pros, developers | Manually managed trusted key database |
| Disabled | Legacy setups | No verification at boot |
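To see which keys your firmware actually trusts in either mode, you can read the Secure Boot variables from Windows and decode the certificates stored in them. This is an added example, not part of the original article: `Get-SecureBootCertificate` is a hypothetical helper name, and the byte layout it parses is the `EFI_SIGNATURE_LIST` structure from the UEFI specification.

```powershell
#Requires -RunAsAdministrator
# Added example: list the X.509 certificates held in a Secure Boot variable.
# Get-SecureBootCertificate is a hypothetical helper name. Read-only.
function Get-SecureBootCertificate {
    param([ValidateSet('PK', 'KEK', 'db')][string]$Name = 'db')

    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    [byte[]]$b = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $pos = 0

    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    # type GUID (16) | list size (4) | header size (4) | signature size (4),
    # then the optional header, then fixed-size signature entries.
    while ($pos + 28 -le $b.Length) {
        $type     = [guid]::new([byte[]]$b[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToInt32($b, $pos + 16)
        $hdrSize  = [BitConverter]::ToInt32($b, $pos + 20)
        $sigSize  = [BitConverter]::ToInt32($b, $pos + 24)

        # Refuse to walk a list whose sizes do not fit inside the variable.
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16 -or
            $pos + $listSize -gt $b.Length) {
            throw "Malformed signature list in '$Name' at offset $pos"
        }
        $end = $pos + $listSize

        if ($type -eq $x509Type) {
            # Each entry is a 16-byte owner GUID followed by a DER certificate.
            for ($s = $pos + 28 + $hdrSize; $s + $sigSize -le $end; $s += $sigSize) {
                $der  = [byte[]]$b[($s + 16)..($s + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
        $pos = $end   # hash-type lists are skipped
    }
}

# PK = platform key, KEK = key exchange keys, db = allowed signers.
'PK', 'KEK', 'db' | ForEach-Object { Get-SecureBootCertificate -Name $_ } |
    Format-Table -AutoSize
```

Saving this output before and after a firmware change gives you a baseline to compare against if you ever switch to Custom mode.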
After Enabling Secure Boot
Once enabled and saved, your PC will restart. You can confirm Secure Boot is active by reopening System Information (msinfo32) and checking that Secure Boot State now shows On.
If Windows 11 was previously blocking an upgrade due to Secure Boot being off, you can re-run the PC Health Check tool or attempt the upgrade again through Windows Update.
Variables That Affect Your Specific Situation
How straightforward this process is depends heavily on your setup:
- Older hardware may not support Secure Boot at all, regardless of settings
- Custom-built PCs often ship with Secure Boot disabled by default, making the toggle simple — assuming UEFI is already active
- Pre-built OEM machines (Dell, HP, Lenovo) vary in how deeply they bury the setting and whether CSM is pre-enabled
- Dual-boot systems running Linux alongside Windows require careful attention to whether your Linux distribution supports Secure Boot signing
- Drive partition style is the most common hidden blocker — a machine with UEFI firmware that still boots from an MBR disk will need that disk converted to GPT before Secure Boot can be turned on
The technical steps here are consistent across hardware — but whether any of them apply to your machine, and in what order, comes down entirely to how your specific system was set up.