How to Enable Secure Boot in Windows 10: A Complete Guide
Secure Boot is one of those features that sits quietly in the background of modern PCs — until something goes wrong, or until you need it enabled for a specific reason. Whether you're trying to prepare for a Windows 11 upgrade, troubleshoot a startup issue, or simply tighten up your system's security posture, understanding how Secure Boot works and how to enable it is genuinely useful knowledge.
What Is Secure Boot and Why Does It Matter?
Secure Boot is a security standard developed by the PC industry and built into the UEFI firmware (the modern replacement for BIOS) on most computers made after 2012. When enabled, Secure Boot checks every piece of software that loads during startup — including the operating system, drivers, and bootloaders — against a database of trusted digital signatures.
If a piece of software doesn't carry a recognized signature, the system refuses to load it. This makes it significantly harder for rootkits, bootkits, and other low-level malware to embed themselves before Windows even starts.
It's worth being clear about what Secure Boot is not: it doesn't protect you while Windows is running, and it doesn't replace antivirus software. Its job is specifically to guard the boot process — that narrow window between pressing the power button and reaching the Windows desktop.
Before You Start: Key Requirements to Check 🔍
Enabling Secure Boot on a Windows 10 machine isn't always a one-click process. Several factors determine how straightforward it will be for your specific system.
1. Your Firmware Must Be UEFI, Not Legacy BIOS
Secure Boot only works on systems running UEFI firmware. Older machines — and some budget systems — still use legacy BIOS, which doesn't support Secure Boot at all.
To check which mode your system uses:
- Press Windows + R, type msinfo32, and press Enter
- Look for BIOS Mode in the System Information window
- If it says UEFI, you're compatible. If it says Legacy, Secure Boot isn't available without a firmware update or hardware change.
2. Your Drive Must Use the GPT Partition Style
Secure Boot requires your system drive to use the GPT (GUID Partition Table) format rather than the older MBR (Master Boot Record) format. You can check this in Disk Management or by running diskpart in Command Prompt and using the list disk command — a disk using GPT will show an asterisk (*) under the GPT column.
Switching from MBR to GPT is possible on Windows 10 using the mbr2gpt tool, but it carries risk. Back up your data before attempting any partition changes.
3. Windows Must Be Installed in UEFI Mode
Even on a UEFI-capable machine, if Windows was installed in Legacy/CSM (Compatibility Support Module) mode, enabling Secure Boot can prevent the system from booting. The OS installation mode and the firmware mode need to match.
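The three requirements above can be read from a running system in one pass. The PowerShell function below is an added example, not part of the original guide; the function name Get-SecureBootReadiness and the wording of its NextStep messages are illustrative, and it only reads state without changing anything.

```powershell
# Added example: read-only Secure Boot readiness check (changes nothing on the machine).
# Run from an elevated Windows PowerShell 5.1+ prompt.
function Get-SecureBootReadiness {
    # Requirements 1 and 3: the mode Windows actually booted in (Uefi or Bios).
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Requirement 2: partition style of the disk holding the running Windows install.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    if (-not $bootDisk) { throw 'Could not identify the boot disk.' }

    # A UEFI-mode installation keeps its boot files on an EFI System Partition,
    # identified by this well-known GPT partition type GUID.
    $espType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'
    $hasEsp = [bool](Get-Partition -DiskNumber $bootDisk.Number |
        Where-Object { $_.GptType -eq $espType })

    # Confirm-SecureBootUEFI returns True/False on UEFI boots and raises an error
    # on Legacy boots or when the session is not elevated.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch {
        $secureBoot = "Unavailable ($($_.Exception.Message))"
    }

    # Turn the raw facts into the next action the guide would recommend.
    $style = [string]$bootDisk.PartitionStyle
    $next = if ($secureBoot -eq 'Enabled') {
        'Nothing to do: Secure Boot is already on.'
    } elseif ($firmware -eq 'Uefi' -and $style -eq 'GPT' -and $hasEsp) {
        'Prerequisites met: enable Secure Boot in the UEFI firmware settings.'
    } elseif ($style -eq 'MBR') {
        'Back up, convert the disk to GPT (mbr2gpt), then switch firmware from CSM/Legacy to UEFI.'
    } else {
        'Windows booted in Legacy/CSM mode or has no EFI System Partition: do not enable Secure Boot yet.'
    }

    [pscustomobject]@{
        BiosMode        = $firmware
        BootDisk        = $bootDisk.Number
        PartitionStyle  = $style
        HasEfiPartition = $hasEsp
        SecureBoot      = $secureBoot
        NextStep        = $next
    }
}

Get-SecureBootReadiness | Format-List
```

Running it again after Secure Boot has been switched on in the firmware should show SecureBoot as Enabled.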
How to Enable Secure Boot: Step-by-Step
Once you've confirmed your system meets the requirements, the process involves accessing your UEFI firmware settings.
Step 1: Open Windows Settings
Go to Settings → Update & Security → Recovery. Under Advanced Startup, click Restart Now.
Step 2: Access UEFI Firmware Settings
After your PC restarts, select Troubleshoot → Advanced Options → UEFI Firmware Settings → Restart. Your PC will reboot directly into the firmware interface.
Alternatively, you can press the firmware key during startup — commonly F2, F10, F12, Del, or Esc, depending on your manufacturer. This varies by brand, so checking your device documentation is worth the minute it takes.
Step 3: Locate the Secure Boot Option
Inside the UEFI interface, look for a Security, Boot, or Authentication tab. The exact layout differs significantly between manufacturers — Dell, HP, Lenovo, ASUS, and MSI all organize these menus differently.
Step 4: Change Secure Boot to Enabled
Find the Secure Boot setting and switch it from Disabled to Enabled. If you see an option for Secure Boot Mode, the setting should typically be Standard (not Custom, unless you have specific key management needs).
Step 5: Save and Exit
Save your changes — usually by pressing F10 — and allow the system to restart normally.
Common Complications You Might Encounter ⚠️
| Situation | What It Means |
|---|---|
| Secure Boot option is grayed out | May need to set a supervisor/admin password in UEFI first |
| System won't boot after enabling | Windows was likely installed in Legacy mode |
| Option isn't visible at all | Firmware may not support Secure Boot, or CSM/Legacy mode is active |
| "Setup Mode" appears | Secure Boot keys may need to be restored to factory defaults |
If CSM or Legacy support is currently active in your UEFI settings, disabling it is often required before Secure Boot becomes available — but doing so on a system with an MBR drive or a Legacy Windows installation will break booting.
The Variables That Change Everything
This is where individual setups diverge meaningfully. A relatively new laptop running Windows 10 that shipped with UEFI and GPT will likely have Secure Boot as a straightforward toggle. A desktop PC that was upgraded from Windows 7, originally installed on an MBR drive, and running older hardware may face a chain of prerequisites — firmware updates, partition conversion, Windows reinstallation — before Secure Boot is a realistic option.
Your technical comfort level matters here too. Navigating UEFI menus and converting partition tables are intermediate-level tasks. Getting something wrong in firmware settings can leave a machine unbootable. The steps themselves aren't complex, but they reward careful attention and preparation.
The right path forward depends on what your specific machine's firmware supports, how Windows was originally installed, and how much disruption you're willing to accept to get there. That context — your hardware, your installation history, your tolerance for risk — is the piece no general guide can fill in for you.