You cannot enable Secure Boot from within Windows itself, but you can reach the UEFI firmware settings through Windows 10’s Advanced Startup menu — no BIOS key required.
Secure Boot is a firmware-level security feature, not a Windows toggle. That means the setting lives inside your motherboard’s UEFI interface, often called BIOS setup. If you’re trying to avoid the usual frantic F2/Del tapping at boot, Windows 10 gives you a direct path into those firmware settings from the desktop. The process takes a few minutes and works on any UEFI-capable PC — no special key press needed.
There’s no software trick to flip Secure Boot from inside Windows itself. The only route is through the firmware, and the method below gets you there cleanly.
The Only Way: Access UEFI Firmware From Windows 10
Use Windows 10’s Advanced Startup environment to land directly in the firmware setup screen. This works regardless of how fast your PC boots or which BIOS key your motherboard uses.
- Open Settings > Update & Security > Recovery.
- Under Advanced startup, click Restart now. Your PC will reboot into a blue menu.
- Select Troubleshoot > Advanced options > UEFI Firmware Settings.
- Click Restart. The system boots straight into your firmware interface.
From there, look for a Secure Boot option — it’s often under Boot, Security, or Authentication tabs. Set it to Enabled (or On), then save and exit. The exact label varies by manufacturer but the logic is identical.
Verify Secure Boot Status Before You Start
Check your current configuration so you know what needs to change. Open the Run box with Windows + R, type msinfo32, and press Enter. In System Information, look for two entries:
- BIOS Mode: UEFI or Legacy. Secure Boot requires UEFI.
- Secure Boot State: On, Off, or Unsupported.
If BIOS Mode says Legacy, you cannot enable Secure Boot until the system boots in UEFI mode. That usually means converting your system disk from MBR to GPT and switching the firmware boot mode from Legacy to UEFI.
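The same check can be scripted. The PowerShell below is an added example, not part of the original article or of Microsoft's documentation. It reads the firmware mode, the Secure Boot state and the system disk's partition style, then names the next step from this guide. The function names `Get-SecureBootState` and `Get-SecureBootReadiness` are illustrative, and the script assumes an elevated Windows PowerShell 5.1 session.

```powershell
#Requires -RunAsAdministrator
# Added example (read-only): reports the same facts as msinfo32 plus the
# system disk's partition style. Function names are illustrative.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # PlatformNotSupportedException on Legacy boot or firmware without Secure Boot.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch [System.PlatformNotSupportedException] {
        'Unsupported'
    }
}

function Get-SecureBootReadiness {
    # 'Uefi' or 'Bios'; corresponds to the "BIOS Mode" line in msinfo32.
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    $state    = Get-SecureBootState
    # Disk that holds the system (boot loader) partition: 'MBR' or 'GPT'.
    $disk     = Get-Disk | Where-Object IsSystem | Select-Object -First 1

    $next = if ($state -eq 'On') {
        'Nothing to do: Secure Boot is already on.'
    } elseif ($disk.PartitionStyle -eq 'MBR') {
        "Convert disk $($disk.Number) to GPT with mbr2gpt, then set firmware boot mode to UEFI."
    } elseif ($firmware -ne 'Uefi') {
        'Set firmware boot mode to UEFI and disable CSM.'
    } elseif ($state -eq 'Off') {
        'Enable Secure Boot in firmware setup.'
    } else {
        'Firmware reports no Secure Boot support.'
    }

    [pscustomobject]@{
        BiosMode        = $firmware
        SecureBootState = $state
        SystemDisk      = $disk.Number
        PartitionStyle  = [string]$disk.PartitionStyle
        NextStep        = $next
    }
}

Get-SecureBootReadiness | Format-List
```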
What If BIOS Mode Shows Legacy
A Legacy BIOS mode or an MBR partition table blocks Secure Boot. The fix is two-fold: convert the disk to GPT and change the firmware to UEFI-only mode.
Your personal files, apps, and Windows installation remain intact — the conversion tool is built into Windows 10.
| Issue | Symptom | Solution |
|---|---|---|
| Can’t enter firmware setup | PC boots too fast to press a key | Use Windows Advanced Startup to access UEFI firmware |
| Secure Boot option missing | Setting not visible in firmware | Set boot mode to UEFI and disable CSM/Legacy |
| System won’t boot after enabling Secure Boot | Black screen or boot loop | Convert disk from MBR to GPT using mbr2gpt |
| Secure Boot stays “Off” after enabling | Setting doesn’t stick | Disable Compatibility Support Module (CSM) |
| Secure Boot state says “Unsupported” | No option available in firmware | Hardware too old — no workaround |
| Can’t find Secure Boot in firmware | Different vendor layouts | Check Boot, Security, or Authentication tabs |
| Windows won’t start after MBR→GPT conversion | Boot device not found | Change boot mode from Legacy to UEFI and ensure Windows Boot Manager is first |
Convert MBR to GPT Without Reinstalling
Microsoft’s mbr2gpt tool can switch your system disk without data loss. Open an administrative PowerShell or Command Prompt and run:
```
mbr2gpt /convert /disk:0 /allowFullOS
```
After the conversion finishes, shut down the PC, enter the firmware setup, and change the boot mode from Legacy/CSM to UEFI. Save and exit — Windows will boot normally with the disk now in GPT format and ready for Secure Boot.
To check whether the disk is MBR or GPT before converting, open Disk Management, right-click the OS disk (usually the one that holds C:), choose Properties > Volumes, and check the Partition style line.
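The conversion command above assumes the OS is on disk 0 and converts without a dry run. The wrapper below is an added example, not from the original article. It looks up the system disk, runs `mbr2gpt /validate` first, and converts only if validation returns exit code 0. `Convert-SystemDiskToGpt` is an illustrative name, not a built-in cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example: validate first, convert only if validation passes.
# Convert-SystemDiskToGpt is an illustrative name, not a built-in cmdlet.

function Convert-SystemDiskToGpt {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    # Resolve the system disk instead of assuming it is disk 0.
    $disk = Get-Disk | Where-Object IsSystem | Select-Object -First 1
    if ($disk.PartitionStyle -ne 'MBR') {
        Write-Warning "Disk $($disk.Number) is $($disk.PartitionStyle); nothing to convert."
        return
    }
    $diskArg = "/disk:$($disk.Number)"

    # /validate checks the layout requirements without writing to the disk.
    & mbr2gpt.exe /validate $diskArg /allowFullOS
    if ($LASTEXITCODE -ne 0) {
        throw "mbr2gpt validation failed (exit code $LASTEXITCODE); disk left unchanged."
    }

    # Prompts for confirmation; with -WhatIf the function stops after the dry run.
    if ($PSCmdlet.ShouldProcess("Disk $($disk.Number)", 'Convert MBR to GPT')) {
        & mbr2gpt.exe /convert $diskArg /allowFullOS
        if ($LASTEXITCODE -ne 0) {
            throw "mbr2gpt conversion failed (exit code $LASTEXITCODE)."
        }
        Write-Output 'Converted. Switch the firmware boot mode to UEFI before the next boot.'
    }
}

# Dry run only; remove -WhatIf to perform the conversion.
Convert-SystemDiskToGpt -WhatIf
```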
| Feature | MBR | GPT |
|---|---|---|
| Maximum partitions | 4 primary (or 3 + extended) | 128 primary |
| Maximum partition size | 2 TB | 9.4 ZB |
| UEFI required for boot | No (works with Legacy BIOS) | Yes |
| Secure Boot compatible | No | Yes |
| Data redundancy | No backup boot sector | Two copies of partition table |
| Legacy BIOS support | Full | Limited (requires CSM) |
| Conversion tool | N/A | mbr2gpt (built into Windows 10) |
Enable Secure Boot in Your Firmware
Once the disk is GPT and the firmware boot mode is set to UEFI, enabling Secure Boot is straightforward.
- Enter the firmware setup again (using the Advanced Startup method).
- Navigate to the Boot or Security section.
- Set Secure Boot to Enabled.
- If you see a CSM (Compatibility Support Module) option, set it to Disabled.
- Save changes and exit.
After the restart, Windows loads with Secure Boot active. Go back to msinfo32 to confirm: Secure Boot State now reads On. This is your success cue.
The whole process requires no BIOS key — just Windows’ own recovery environment and a few settings changes. For more detail on the UEFI firmware access path, see Microsoft’s official documentation.
Final Checklist: Enabling Secure Boot the Right Way
- Check BIOS Mode in msinfo32 — must be UEFI.
- If Legacy, check disk partition style. If MBR, run the mbr2gpt conversion.
- Shut down and enter firmware via Advanced Startup (Settings > Update & Security > Recovery > Restart now).
- Set boot mode to UEFI and disable CSM.
- Enable Secure Boot in the appropriate tab.
- Save, exit, and verify with msinfo32 that Secure Boot State is On.
References & Sources
- Microsoft. “Can I turn on Secure Boot without going to BIOS?” Official Microsoft documentation describing the Advanced Startup method and UEFI firmware settings.
- EA Help. “Enable Secure Boot for Windows 10.” Provides steps for checking partition style and converting MBR to GPT using mbr2gpt.
