Enabling Secure Boot on Windows 10 requires entering the UEFI firmware settings and turning the feature on there, not inside Windows itself.
Learning how to enable Secure Boot on Windows 10 starts with knowing where the toggle actually lives — inside the UEFI firmware menu, not the Windows Settings app. Most people who think they can’t enable it are simply looking in the wrong place. The fix is a few clicks and a single restart. This guide covers the exact sequence, the prerequisites your system needs, and what to try if the option is grayed out or missing.
Setting Up Secure Boot On Windows 10: The Action Sequence
The only way to enable Secure Boot is through your PC’s firmware interface. Windows 10 provides a direct shortcut to that menu from the desktop. If your system already uses UEFI firmware — which most modern Windows 10 machines do — this path works immediately.
- Open Settings.
- Go to Update & Security.
- Click Recovery.
- Under Advanced startup, click Restart now.
- The machine reboots into a blue menu. Click Troubleshoot.
- Click Advanced options.
- Click UEFI Firmware Settings.
- Click Restart. The PC boots directly into the firmware interface.
- Locate the Secure Boot setting. It is usually under a Boot, Security, or Authentication tab.
- Set it to Enabled.
- Navigate to the Save & Exit tab or press F10 to save the changes. Select Yes to confirm.
The PC reboots normally. Secure Boot is now active. Microsoft’s official Secure Boot guidance confirms this is the correct path for Windows 10 systems using UEFI firmware.
What Your System Needs Before Enabling Secure Boot
Secure Boot is a UEFI security standard. If your system is still configured for Legacy BIOS mode or uses an MBR disk, the toggle in the firmware will either be hidden or do nothing. Run through this checklist before diving into the firmware settings.
| Condition | What To Check Or Do |
|---|---|
| Firmware Mode: UEFI | Open msinfo32 and check BIOS Mode. If it says Legacy, you must convert. |
| Disk Partition: GPT | MBR disks are incompatible with UEFI. Use the MBR2GPT.exe tool from a Windows 10 Admin command prompt (mbr2gpt /convert /allowFullOS). |
| CSM / Legacy Boot: Disabled | In the firmware, find CSM or Compatibility Support Module and set it to Disabled. |
| OS Type: Windows UEFI Mode | Some firmwares have a dedicated OS type option. Set it to Windows 10 or Windows UEFI Mode. |
| Secure Boot Mode: Standard | If the setting is on Custom, switch to Standard or Factory Default keys. Otherwise, the toggle may stay grayed out. |
| Administrator Password: Set | A small number of OEM boards require an administrator password to be set in the firmware before Secure Boot can be enabled. |
| Power: AC Connected | A power loss during firmware changes can brick the board. Plug in your laptop or connect a UPS. |
What If The Secure Boot Option Is Missing Or Grayed Out?
The most common reason the toggle is locked is that the system is still running in Legacy BIOS mode. Microsoft Q&A explicitly states that a Windows 10 installation in Legacy BIOS mode cannot enable Secure Boot. The fix is to convert the system to UEFI without reinstalling Windows.
Here is the exact fix sequence:
- Open an elevated Command Prompt and run
mbr2gpt.exe /validate /allowFullOS. If it passes, runmbr2gpt.exe /convert /allowFullOS. - Shut the system down and enter the firmware setup (F2, F10, Del).
- Disable CSM or Legacy Boot.
- Change the Boot Mode from Legacy to UEFI.
- Go back to Advanced startup and enter UEFI Firmware Settings. The Secure Boot toggle should now be available.
If the toggle is still missing after the conversion, check whether the firmware requires the Secure Boot keys to be reset. Navigate to the Key Management section and select Install Default Secure Boot Keys. Asus support explicitly warns that the configuration must be saved before the Secure Boot state updates, so always use Save & Exit.
How To Verify Secure Boot Is Active On Your PC
One quick check confirms everything is working. Press Win + R, type msinfo32, and press Enter. Look for two values:
- BIOS Mode: Must read UEFI.
- Secure Boot State: Must read On.
Dell’s support documentation confirms that Secure Boot is active only when both of those conditions are met. If it still reads Off or Unsupported, the machine likely still has CSM enabled or the conversion did not fully complete.
OEM-Specific Firmware Key Reference
The menu names vary by manufacturer. Use this table to find the correct key and setting name for your machine.
| Manufacturer | Firmware Key | Setting Location |
|---|---|---|
| Dell | F2 | Boot → Secure Boot → Enabled |
| HP | F10 / Esc | Security → Secure Boot Configuration |
| Lenovo | F1 / F2 | Security → Secure Boot |
| Asus | F2 / Del | Boot → Secure Boot → OS Type set to Windows UEFI Mode |
| Acer | F2 | Boot → Secure Boot → Enabled |
| MSI | Del | Settings → Security → Secure Boot |
| Gigabyte | F2 / Del | BIOS → Secure Boot → Enabled |
Secure Boot Setup Checklist
Run through this final sequence after any changes to confirm the system is fully set up.
- Check
msinfo32for UEFI and On. - If it is still off, confirm CSM is disabled in the firmware.
- If it is missing, verify the disk is GPT using Disk Management.
- If the button is grayed out, install the Default Secure Boot Keys from the firmware’s Key Management menu.
References & Sources
- Microsoft Support. “Windows 11 and Secure Boot” Documents the Advanced startup path for setting Secure Boot in UEFI firmware.