Secure Boot turns on from UEFI firmware after Windows restarts into Advanced startup, then reports as On in System Information.
A Windows 11 upgrade check can fail on a modern PC, and the setting behind how to enable Secure Boot in Windows 11 lives in UEFI firmware rather than a normal Windows menu. Windows can restart you into the right firmware screen, but the final switch is usually inside the PC maker’s BIOS or UEFI layout.
The short version: confirm the PC boots in UEFI mode, restart into Advanced startup, open UEFI Firmware Settings, turn Secure Boot on, save, then verify the result in Windows. Do not turn off CSM or Legacy Boot until you know Windows is already installed for UEFI boot.
Is Secure Boot Already On?
Secure Boot may already be enabled, even if a game, installer, or upgrade checker says otherwise. Check Windows first so you do not change firmware settings you do not need to touch.
- Press Windows + R.
- Type
msinfo32, then press Enter. - In System Summary, read BIOS Mode and Secure Boot State.
BIOS Mode should say UEFI. Secure Boot State should say On when the job is done. If Secure Boot State says Off, the firmware switch is available but disabled. If it says Unsupported, the PC is usually booting in Legacy mode, the disk layout may be MBR, or the motherboard firmware lacks the needed option.
Enable Secure Boot In Windows 11 From UEFI Firmware
Windows 11 can send the PC straight into the firmware menu, which is easier than pressing a startup key at the perfect moment. Microsoft lists this path as the Windows-side entry point for Secure Boot changes.
- Open Settings.
- Select System > Recovery.
- Under Advanced startup, select Restart now.
- After the blue recovery screen appears, select Troubleshoot.
- Select Advanced options > UEFI Firmware Settings.
- Select Restart.
The PC should restart into a firmware screen from Dell, HP, Lenovo, ASUS, MSI, Gigabyte, Acer, or the motherboard maker. The mouse may work, or the screen may need arrow keys, Enter, and Esc.
| Windows Check | What You Want To See | What It Means |
|---|---|---|
| BIOS Mode | UEFI | The PC is using the boot mode Secure Boot needs. |
| BIOS Mode | Legacy | Secure Boot will not work until the PC boots through UEFI. |
| Secure Boot State | On | No firmware change is needed. |
| Secure Boot State | Off | The setting exists and can usually be enabled in firmware. |
| Secure Boot State | Unsupported | Legacy boot, old firmware, or disk format may be blocking it. |
| BitLocker | Recovery key saved | Firmware changes can trigger a recovery prompt on encrypted PCs. |
| Boot drive layout | GPT | UEFI boot normally uses GPT, not the older MBR layout. |
Inside the firmware menu, open the tab named Security, Boot, Authentication, or Windows OS Configuration. Microsoft’s Windows 11 Secure Boot page notes that the Secure Boot setting is commonly found in those firmware areas.
Set Secure Boot to Enabled. If the firmware offers OS Type, choose Windows UEFI Mode. If the firmware shows Secure Boot Mode, choose Standard unless you have a reason to manage custom keys. Select Save & Exit, often shown as F10, then confirm the restart.
What If Secure Boot Says Unsupported?
Unsupported usually means Secure Boot cannot start because the PC is not booting in UEFI mode. The fix is not simply flipping every boot option you see.
Open System Information again and check BIOS Mode. If it says Legacy, the Windows install may use an MBR system disk. Turning off CSM on an MBR Windows install can leave the PC unable to boot until the firmware setting is restored.
For a PC that already has Windows installed, use the least risky sequence:
- Back up files before changing boot mode.
- Save the BitLocker recovery key if device encryption or BitLocker is on.
- Confirm the system disk is GPT before disabling CSM.
- Update the motherboard or PC firmware if the Secure Boot menu is missing.
- Use the PC maker’s manual when the firmware labels do not match Windows wording.
BIOS Names You May See
Motherboard menus use different labels for the same Secure Boot job. The setting below is the one to choose when the wording appears in your firmware.
| Firmware Label | Choose This | Why It Matters |
|---|---|---|
| Secure Boot | Enabled | Turns on signature checks during startup. |
| OS Type | Windows UEFI Mode | Loads the Microsoft-trusted boot setup many boards expect. |
| CSM | Disabled only after UEFI/GPT is confirmed | Legacy boot can block Secure Boot. |
| Secure Boot Mode | Standard | Uses normal factory keys instead of custom key management. |
| Restore Factory Keys | Use only if keys are missing | Some boards need factory keys loaded before the switch works. |
Verify The Change In Windows
Windows should show the result after the firmware saves and restarts. The confirmation takes less than a minute.
- Press Windows + R.
- Type
msinfo32, then press Enter. - Open System Summary.
- Check Secure Boot State.
Secure Boot State should now show On. If Windows still shows Off, return to the firmware and check whether the change was saved. If the firmware keeps switching back, load factory Secure Boot keys, save again, and recheck.
Use This Sequence Before Changing More Settings
Secure Boot works when the boot mode, disk layout, firmware switch, and Windows verification all line up. Follow this sequence and stop as soon as Windows reports On.
- Check System Information with
msinfo32. - If Secure Boot State is On, make no change.
- If BIOS Mode is UEFI and Secure Boot is Off, restart through Settings > System > Recovery > Advanced startup.
- Open Troubleshoot > Advanced options > UEFI Firmware Settings.
- Turn on Secure Boot, choose Windows UEFI Mode if offered, then save.
- Back in Windows, run
msinfo32again. - If Secure Boot State still is not On, check GPT, CSM, firmware updates, and factory keys before changing anything else.
That sequence avoids the common mistake: treating Secure Boot like a Windows toggle. Windows opens the door, but the motherboard firmware owns the switch.
References & Sources
- Microsoft.“Windows 11 And Secure Boot.”Confirms the Windows restart path into UEFI Firmware Settings and where Secure Boot is commonly found.