How To Enable Secure Boot On Windows 11 | UEFI Firmware Process

Enabling Secure Boot on Windows 11 requires changing a setting in your PC’s UEFI/BIOS firmware, accessible through the Windows Recovery Environment.

A game crashes on launch with a Secure Boot error, or the Windows 11 installer refuses to move forward until the feature is turned on. That UEFI-protected switch is the last gatekeeper, and reaching it takes a specific reboot sequence — not a toggle buried in the Settings app. Here is the exact path to find it, turn it on, and confirm it worked.

What Is Secure Boot And Why Does It Matter?

Secure Boot is a security standard that stops unauthorized operating systems or low-level malware from loading during startup. Windows 11 requires it as a baseline security measure, and a growing number of anti-cheat systems, including EA’s anti-cheat and Riot’s Vanguard, will block games if Secure Boot is disabled. The feature only works when your system is in UEFI mode with a GPT disk and TPM 2.0 enabled.

How Do You Actually Enable Secure Boot?

You enable Secure Boot through the PC’s firmware interface, which you enter via the Windows Recovery Environment. The whole process takes about two minutes and does not require reinstalling the operating system.

  1. Open Start > Settings (the gear icon) > System > Recovery.
  2. Under Advanced startup, click the blue Restart now button.
  3. Wait for the blue recovery menu. Click Troubleshoot > Advanced options > UEFI Firmware Settings > Restart.
  4. In the firmware interface, locate Secure Boot — it is usually under Boot, Security, or Authentication.
  5. Set Secure Boot to Enabled.
  6. Save changes and exit. The PC reboots straight into Windows 11.

Full vendor-neutral guidance is available in Microsoft’s official Secure Boot documentation.

The Two Critical Gates Before You Flip The Switch

Secure Boot will not turn on if the firmware is still in Legacy or CSM mode. You must switch to UEFI first, and the order of operations matters.

In the firmware interface, find the Boot menu. If Boot Mode or Boot List Option is set to Legacy or CSM, change it to UEFI. Some systems list both options — make sure UEFI is the first or only choice. If the option is grayed out, disable CSM Support first, then switch to UEFI. Save the boot mode change before attempting to enable Secure Boot. The order is: disable CSM, switch to UEFI, then enable Secure Boot.

Warning: Changing the boot mode can prevent Windows from starting if it is installed on an older MBR disk. If Windows fails to boot after the change, go back to the firmware, temporarily disable Secure Boot, and use the mbr2gpt tool to convert the disk to GPT before trying again.

What To Do If The “Secure Boot” Option Is Missing

If Secure Boot does not appear as a setting or stays grayed out, the cause is usually one of these three things:

  • Legacy mode is still active. Double-check the Boot Mode setting and ensure CSM is fully disabled. The Secure Boot menu is hidden on most systems when the firmware is in Legacy mode.
  • Secure Boot keys are corrupted or cleared. Look for a Secure Boot Custom or Key Management submenu. Choose Reset Secure Boot keys or Reset to factory defaults instead of the Clear option. Resetting the key database restores the certificates Secure Boot needs to run.
  • TPM 2.0 is turned off. EA’s support page explicitly lists TPM 2.0 as a separate requirement alongside Secure Boot. Find PTT (Intel) or AMD fTPM in the firmware and set it to Enabled.

Verifying Secure Boot Is Enabled

Before closing the firmware menu, save and exit. Once Windows loads, verify that Secure Boot is active using the system information tool.

Verification Item | How To Check It | Expected Setting
System Boot Mode | Run msinfo32 and find BIOS Mode | UEFI
Secure Boot State | Run msinfo32 and find Secure Boot State | On
TPM 2.0 Status | Run tpm.msc and check the Status field | The TPM is ready for use
Disk Partition Style | Right-click Start > Disk Management > Right-click Disk 0 > Properties > Volumes | GUID Partition Table (GPT)
CSM / Legacy Boot | Check under Boot settings in the firmware | Disabled
Boot List Option | Check under Boot settings in the firmware | UEFI
Secure Boot Key Status | Check the Secure Boot Custom or Key Management menu | Standard or Factory Default
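
The Windows-side rows of this table, and the GPT check from the boot mode warning earlier, can be collected in one read-only report. This is an added example, not part of the original guide or any vendor tool; the function name Get-SecureBootReadiness and its output field names are made up for illustration, and it assumes an elevated PowerShell session.

```powershell
# Added example: read-only Secure Boot readiness report.
# Run from an elevated PowerShell session on the machine being checked.
function Get-SecureBootReadiness {
    # Same fact msinfo32 shows as "BIOS Mode".
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Returns $true/$false under UEFI; throws on a Legacy/CSM boot or without elevation.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        $secureBoot = "Unavailable: $($_.Exception.Message)"
    }

    # SetupMode = 1 means no platform key is enrolled (keys were cleared).
    try {
        $setupMode = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0]
        $keys = if ($setupMode -eq 0) { 'Keys enrolled' } else { 'Setup mode, keys cleared' }
    } catch {
        $keys = 'Unknown'
    }

    # TPM presence/readiness, plus the spec version (should start with 2.0).
    $tpm = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # The disk Windows boots from must be GPT before CSM is switched off.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    $style = [string]$bootDisk.PartitionStyle

    [pscustomobject]@{
        BiosMode         = $firmware
        SecureBootState  = $secureBoot
        SecureBootKeys   = $keys
        TpmReady         = $tpm.TpmPresent -and $tpm.TpmReady
        TpmSpecVersion   = $tpmSpec
        BootDisk         = $bootDisk.Number
        PartitionStyle   = $style
        # Safe to disable CSM only when the boot disk is already GPT.
        SafeToDisableCsm = ($style -eq 'GPT')
        NextStep         = if ($style -eq 'MBR') {
            "mbr2gpt /validate /disk:$($bootDisk.Number) /allowFullOS"
        } else { 'None' }
    }
}

Get-SecureBootReadiness | Format-List
```

Run it once before touching the firmware to see whether the boot disk is still MBR, and again after the reboot to confirm the expected values. The NextStep field only prints a validation command and changes nothing on disk.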

Finding The Setting On Major PC Brands

The name of the Secure Boot setting is consistent across manufacturers, but the menu it lives under and the key you press to enter BIOS vary. Use this quick reference for common brands.

PC Brand | BIOS Key (At Logo Screen) | Typical Menu Location
Dell | F2 | Boot > Secure Boot or Security
HP | Esc then F10 | Security > Secure Boot or System Configuration
Lenovo | F1 or F2 | Security > Secure Boot
ASUS | F2 or Del | Boot > Secure Boot or Security
Acer | F2 | Boot > Secure Boot or Authentication

These are the default keys for entering the firmware menu. If your PC bypasses the logo screen or uses fast boot, hold the key immediately after pressing the power button.

The Complete Enable Sequence

Follow this exact order to enable Secure Boot and leave the firmware without causing a boot failure:

  1. Restart into the Windows Recovery Environment: Settings > System > Recovery > Restart now.
  2. Navigate to UEFI Firmware Settings: Troubleshoot > Advanced options > UEFI Firmware Settings > Restart.
  3. Switch to UEFI mode: Disable CSM / Legacy and set Boot List to UEFI.
  4. Enable Secure Boot: Find it under Boot, Security, or Authentication and set it to Enabled.
  5. Save changes and exit the firmware.
  6. Confirm in Windows: Open msinfo32 and verify BIOS Mode is UEFI and Secure Boot State is On.
