Enabling Secure Boot on a PC requires entering the UEFI firmware settings, switching from Legacy to UEFI mode, and activating the Secure Boot toggle inside the BIOS configuration menu.
The steps for how to enable Secure Boot on PC depend on your motherboard brand, but the core process is the same across all modern systems. You enter the UEFI firmware through the Windows Recovery Environment, disable legacy compatibility mode, and flip the Secure Boot switch. Microsoft requires Secure Boot and a UEFI-compatible setup for Windows 11, which means nearly every PC built in the last five years supports it—the setting is just turned off by default.
What Is Secure Boot And Why Does It Need UEFI?
Secure Boot is a UEFI firmware feature that prevents unauthorized code from loading during the startup process. It checks that every piece of boot software has a valid digital signature before letting it run. This blocks rootkits and low-level malware from hijacking the boot sequence before the operating system has a chance to load.
The feature requires UEFI boot mode because the legacy BIOS standard lacks the secure key storage and verification system Secure Boot depends on. If your motherboard is still set to Legacy or CSM (Compatibility Support Module) mode, Secure Boot will be grayed out or missing from the firmware menus entirely.
How To Enable Secure Boot On PC: The Standard Path
Microsoft provides the official documented route through the Windows Recovery Environment. This method works on any PC that supports UEFI and works regardless of whether you can still boot into Windows normally.
- Open Settings > System > Recovery.
- Under Advanced startup, click Restart now.
- After the PC reboots into the blue recovery screen, select Troubleshoot > Advanced options > UEFI Firmware Settings > Restart.
- Inside the UEFI BIOS menu, locate the Secure Boot option. It is usually listed under the Boot, Security, or Windows OS Configuration tab.
- Change the Boot Mode from Legacy or CSM to UEFI if it is not already set to UEFI.
- Set Secure Boot to Enabled.
- Press F10 or select Save and Exit to apply the changes and reboot.
Microsoft’s official support pages confirm that if both UEFI and Legacy/CSM boot modes are available, UEFI must be the first or only option selected. Leaving CSM enabled will cause the Secure Boot setting to revert to off after the next restart.
Common Firmware Menu Locations By Brand
While the logic is the same, the exact menu names and keyboard shortcuts vary by motherboard manufacturer. The table below lists the most common keys and menu paths for major brands.
| Brand | BIOS Key | Standard Menu Path |
|---|---|---|
| ASUS | F2 or Del | Advanced Mode (F7) > Security > Secure Boot |
| Dell | F2 at logo | Boot > Secure Boot > Enabled |
| HP | F10 or Esc | Security > Secure Boot Configuration |
| Lenovo | F1 or F2 | Security > Secure Boot |
| MSI | Del | Settings > Security > Secure Boot |
| ASRock | F2 or Del | Security > Secure Boot |
| Gigabyte | Del | Boot > Secure Boot |
| Surface (Microsoft) | Vol Up + Power | UEFI > Security |
If you cannot find the setting under these exact names, look for terms like Secure Boot Control, OS Type (set to Windows UEFI mode), or Security Device Support. Microsoft’s official guidance on Secure Boot notes that firmware labels vary by motherboard manufacturer and may appear in unexpected locations.
How To Check If Secure Boot Is Enabled In Windows
Open the System Information tool by pressing Windows + R, typing msinfo32, and pressing Enter. Look for two lines in the System Summary:
- BIOS Mode: This must say UEFI.
- Secure Boot State: This must say On.
If BIOS Mode reads Legacy, Secure Boot is unavailable. If Secure Boot State reads Off or Unsupported, the feature is disabled or your hardware does not support it.
What Does It Mean If Secure Boot Keeps Turning Off?
If you enable Secure Boot, save the settings, and reboot only to find it switched back to off, the firmware is likely in Setup Mode. This happens when the factory Secure Boot keys have not been loaded or have been cleared.
To fix this, re-enter the BIOS and look for a setting called Restore Factory Keys, Install Default Secure Boot Keys, or Change to User Mode. This option is usually located in the Security tab under Key Management. Selecting it loads the Microsoft-approved signing keys and locks the Secure Boot policy so the operating system can verify bootloaders. After restoring the keys, Save and Exit, then check the status in Windows again.
What Happens If The PC Won’t Boot After Enabling Secure Boot?
A black screen or boot loop after enabling Secure Boot usually points to one of two issues: an MBR-partitioned disk or incompatible hardware. Secure Boot requires a GPT (GUID Partition Table) disk, while older Windows installations on MBR (Master Boot Record) disks will fail to boot under UEFI mode.
Boot back into the BIOS and disable Secure Boot to get into Windows. Then open an administrative PowerShell terminal and check your disk partition style:
- Right-click the Start menu and select Disk Management.
- Right-click your OS disk (usually C:), select Properties > Volumes, and check Partition style.
- If it says GUID Partition Table (GPT), no conversion is needed.
- If it says MBR, run the built-in conversion tool:
mbr2gpt /convert /disk:0 /allowfullOS - Once the conversion completes, restart, re-enter the BIOS, re-enable Secure Boot, and try again.
If the boot failure persists, a piece of hardware or an older operating system on the machine may be incompatible with Secure Boot. Microsoft recommends uninstalling or removing incompatible hardware or OS installations before enabling Secure Boot. You can always return to the BIOS and disable Secure Boot to restore normal booting while you resolve the compatibility problem.
Troubleshooting Common Secure Boot Issues
| Problem | Likely Cause | Quick Fix |
|---|---|---|
| Secure Boot option is missing | CSM or Legacy mode is enabled | Switch boot mode to UEFI only |
| Secure Boot toggle is grayed out | UEFI mode not active or no keys loaded | Restore factory Secure Boot keys in Security tab |
| PC loops to BIOS after enabling | Disk is MBR instead of GPT | Run mbr2gpt /convert in Windows |
| Secure Boot resets to Off after restart | Firmware stuck in Setup Mode | Install default Secure Boot keys |
| PC boots but Secure Boot shows Off | UEFI firmware corrupted or outdated | Update motherboard BIOS to latest version |
The sequence to enable Secure Boot is reliably the same: enter the UEFI firmware through the Windows Recovery menu or a startup key, disable CSM, enable Secure Boot, load the factory keys if needed, and save. A quick check in msinfo32 confirms whether the change took effect. Following this order avoids the most common boot failures and gets Secure Boot running in under five minutes.
References & Sources
- Microsoft. “Windows 11 and Secure Boot.” Official documentation covering the enablement process and UEFI requirements.
- Dell. “How to Enable Secure Boot on Your Dell Device.” Vendor-specific BIOS key and menu path for Dell systems.
- ASUS. “How to Enable Secure Boot.” Vendor-specific guidance for ASUS motherboard firmware.
- EA Help. “How to Enable Secure Boot.” Outlines MBR to GPT conversion steps and Secure Boot key management.