Secure Boot turns on after Windows 10 boots in UEFI mode; check BIOS Mode first, then enable Secure Boot in firmware.
A failed game launch, encryption warning, or Windows 11 readiness check often points to one task: how to enable secure boot on my PC Windows 10 without breaking the boot drive. Secure Boot is not a switch inside normal Windows settings. The switch lives in the UEFI firmware screen that appears before Windows loads.
Windows 10 needs two things lined up before Secure Boot will stay on: the PC must boot in UEFI mode, and the system disk should use GPT. If your PC already says UEFI, the job is usually a restart into firmware, one setting change, and a save.
How Do I Check Secure Boot Status First?
System Information tells you whether Secure Boot is already on and whether Windows 10 is using UEFI or Legacy BIOS. Check this screen before changing firmware, because switching a Legacy install straight to UEFI can stop Windows from starting.
- Press Start, type
msinfo32, and press Enter. - Select System Summary in the left panel.
- Find BIOS Mode. UEFI means the PC is using the newer firmware mode. Legacy means Secure Boot cannot be turned on yet.
- Find Secure Boot State. On means you are done. Off means the firmware setting is available but disabled. Unsupported usually means Legacy mode, missing firmware support, or CSM is active.
Leave System Information open or write down both values. Those two lines decide which section you should follow next.
Turn On Secure Boot In Windows 10 Firmware
Secure Boot can be enabled from the UEFI firmware menu when BIOS Mode already says UEFI. The exact screen name varies by motherboard, but the setting is usually under Boot, Security, or Authentication.
- Save open files. If BitLocker is active, make sure your recovery information is available before restarting.
- Open Settings > Update & Security > Recovery.
- Under Advanced startup, select Restart now.
- Choose Troubleshoot > Advanced options > UEFI Firmware Settings > Restart.
- In firmware, open the menu named Boot, Security, Secure Boot, or Authentication.
- Set Secure Boot to Enabled. If you see OS Type, choose Windows UEFI mode. If you see CSM or Legacy Boot, set it to Disabled only when Windows already boots in UEFI mode.
- Select Save & Exit, often shown as F10, then let Windows restart.
Windows should restart normally. Running msinfo32 again should show BIOS Mode: UEFI and Secure Boot State: On.
Secure Boot On Windows 10: Settings That Decide It
Secure Boot on Windows 10 depends more on firmware mode than on the Windows edition. Use this table to read the current state before you change anything.
| Item To Check | What You Want | What A Bad Value Means |
|---|---|---|
BIOS Mode in msinfo32 |
UEFI | Legacy blocks Secure Boot until the disk and firmware are changed. |
| Secure Boot State | On | Off means firmware allows it but the switch is disabled. |
| System disk partition style | GPT | MBR usually belongs to a Legacy install and needs conversion before UEFI boot. |
| CSM or Legacy Boot | Disabled | CSM can hide Secure Boot or make the menu appear grayed out. |
| OS Type | Windows UEFI mode | Other OS may leave Secure Boot off on some ASUS-style firmware. |
| Firmware password | Known by you | An unknown password can block changes in BIOS or UEFI settings. |
| BitLocker status | Recovery information ready | Firmware changes can trigger a recovery prompt on encrypted drives. |
| Firmware update age | Recent enough for your board | Very old firmware can show Secure Boot options badly or miss vendor fixes. |
What If Secure Boot Is Missing?
Secure Boot is missing or grayed out when the PC is not fully set to UEFI, the system disk is still MBR, or CSM is still active. Microsoft says firmware may need to move from Legacy BIOS or CSM mode to UEFI before Secure Boot can be enabled in Microsoft’s Secure Boot instructions.
Do not flip Legacy to UEFI Only until the Windows boot disk is ready. On many older Windows 10 installs, the safer sequence is to back up files, validate MBR2GPT, convert the system disk, switch firmware to UEFI, then enable Secure Boot.
- Open Start, type
cmd, right-click Command Prompt, and choose Run as administrator. - Run
mbr2gpt.exe /validate /allowFullOS. - If validation succeeds, run
mbr2gpt.exe /convert /allowFullOS. - Restart into firmware and change boot mode from Legacy or CSM to UEFI.
- After Windows starts, return to firmware and turn Secure Boot on.
A successful conversion creates the EFI system partition Windows needs for UEFI startup. If validation fails, stop there and fix the partition issue first instead of forcing the conversion.
Common Firmware Names For The Same Switch
Motherboard vendors label Secure Boot menus differently, so the value matters more than the page title. Match the label you see to the action below.
| Firmware Label | Choose This | Why It Matters |
|---|---|---|
| Secure Boot | Enabled | Turns on signed boot checks before Windows loads. |
| Boot Mode | UEFI or UEFI Only | Secure Boot works with UEFI, not Legacy BIOS boot. |
| CSM | Disabled | CSM is the compatibility layer that can block Secure Boot. |
| OS Type | Windows UEFI mode | Some boards expose Secure Boot only after this value is selected. |
| Secure Boot Mode | Standard | Standard loads the normal manufacturer databases for Windows. |
| Restore Factory Keys | Use only when databases are missing | This can repair a blank Secure Boot database, but it may affect non-Windows boot loaders. |
Make The Change Without Locking Yourself Out
The lowest-risk sequence is to prove the current boot mode first, then change only one firmware setting group at a time. A PC that already boots Windows 10 in UEFI mode can usually go straight to Secure Boot: Enabled.
- If BIOS Mode says UEFI, enable Secure Boot, save, restart, then confirm with
msinfo32. - If BIOS Mode says Legacy, back up files, validate MBR2GPT, convert only after validation passes, then switch firmware to UEFI.
- If Windows fails to boot after a firmware change, return to firmware and undo the last setting you changed. Boot mode and CSM are the usual cause.
- If Secure Boot State still says Off, check for OS Type, Secure Boot Mode, or Restore Factory Keys in firmware.
The final proof is simple: msinfo32 should show BIOS Mode: UEFI and Secure Boot State: On. Once those two lines match, Windows 10 is using Secure Boot at startup.
References & Sources
- Microsoft Support.“Windows 11 and Secure Boot.”Explains what Secure Boot does and how to reach UEFI firmware settings.
- Microsoft Learn.“MBR2GPT.EXE.”Documents Microsoft’s Windows 10 disk conversion tool and its validation and conversion options.