Enabling the Secure Boot state requires switching your PC to UEFI mode and turning on the setting in firmware, a process that varies slightly by computer brand.
Windows 11 won’t install without Secure Boot enabled, and a PC that slips back to Legacy mode can leave you locked out of updates. The state itself lives in the motherboard’s firmware, which is why changing it feels more technical than a typical toggle. Here’s the direct route to enabling it, whether you need it for an OS requirement or just to tighten boot security.
What Secure Boot Actually Requires
Secure Boot only works when your system is running in UEFI mode rather than the older Legacy/CSM compatibility mode. If CSM is switched on, the Secure Boot setting is either hidden or grayed out no matter where you look in the BIOS. Before you can flip the switch, you must confirm the machine is booting in UEFI. Microsoft lists UEFI firmware with Secure Boot capability among the minimum system requirements for Windows 11, so any modern PC should support it.
Enable Secure Boot Through Windows 11 Advanced Startup
This is the most straightforward path for Windows users because it bypasses the countdown-timer race of tapping a key at boot. Here is how to reach the UEFI firmware settings and enable Secure Boot:
- Open Settings > System > Recovery.
- Under Advanced startup, click Restart now. The system reboots into a blue recovery menu.
- Select Troubleshoot > Advanced options > UEFI Firmware Settings > Restart.
- Inside the firmware interface, locate the boot settings. The option may be under Security, Boot, or Authentication depending on the manufacturer.
- Set Secure Boot to Enabled. On ASUS boards this is labeled Secure Boot Control.
- If a Legacy/CSM option is present, set it to Disabled or UEFI only.
- Press F10 or select Save and Exit. The PC restarts with Secure Boot active.
Once you are back in Windows, open the Run dialog (Win + R), type msinfo32, and check that BIOS Mode reads UEFI and Secure Boot State reads On.
Brand-Specific Steps (Dell, ASUS, and Others)
If you cannot reach the firmware through Windows—or you prefer the classic key-tap method—restart the machine and press the correct key repeatedly as soon as the logo appears.
Dell: Tap F2 at the Dell logo. Under the Boot tab, change Boot List from Legacy to UEFI if needed. Then set Secure Boot to Enabled and click Apply or Save and Exit.
ASUS: Tap F2 or Del during startup. Head to the Secure Boot page. Set Secure Boot Control to [Enabled] and verify that a key is present under Key Management—ASUS marks the state as User when a key is loaded.
The table below lists the most common access keys across popular brands.
| Brand | Firmware Access Key | Notes |
|---|---|---|
| Dell | F2 | Tap repeatedly at the Dell logo |
| ASUS | F2 or Del | F2 for most laptops; Del for some desktop boards |
| HP | F10 or Esc | Esc brings up boot menu, F10 enters BIOS |
| Lenovo | F1 or F2 | F2 for most models; F1 for some ThinkPads |
| Acer | F2 | Del for older or desktop models |
| Microsoft Surface | Volume Down + Power | Hold Volume Down, then press Power |
How to Verify Secure Boot Is Working
A quick check in Windows confirms whether the setting actually stuck. Open the System Information tool by running msinfo32. Look for the two relevant fields under the System Summary:
- BIOS Mode: Must read UEFI. If it says Legacy, CSM is still active and Secure Boot is not engaged.
- Secure Boot State: Must read On. If it reads Off or Unsupported, revisit the firmware settings.
Dell’s support documentation confirms Secure Boot is enabled when both conditions are met. In the firmware setup screen, a value of Setup Mode or User Mode under Secure Boot State usually indicates whether factory keys have been loaded; User is the goal.
Troubleshooting Secure Boot Enablement
If the setting seems correct but the state isn’t changing, one of these common blockers is usually the culprit. Here’s a quick reference to resolve them.
| Symptom | Likely Cause | Fix |
|---|---|---|
| Setting is grayed out | Legacy/CSM mode is active | Disable CSM under the Boot or Startup tab |
| PC fails to boot after enabling | Incompatible hardware or unsigned driver | Revert Secure Boot to Disabled, then uninstall incompatible software before retrying |
| Secure Boot State shows Off | Factory keys not installed | Load Secure Boot factory defaults under Key Management in the firmware |
| Secure Boot page is invisible | CSM is hiding firmware options | Disable CSM first; the Secure Boot tab usually appears immediately |
One important detail: the Secure Boot toggle itself cannot be changed from inside the Windows OS. It is purely a firmware-level switch, so all methods lead through the BIOS or UEFI setup screen.
Before You Close the BIOS, Run Through This Short Checklist
Walk through these four items before saving and exiting to make sure the change holds on the next boot:
- Boot mode is set to UEFI (not Legacy/CSM).
- Secure Boot is set to Enabled.
- Factory Secure Boot keys are loaded (Key Management state is User or Loaded).
- Changes are saved before exiting.
After restart, run msinfo32 to confirm BIOS Mode is UEFI and Secure Boot State is On. If the system fails to boot, power off, power back on, and tap the appropriate key to re-enter firmware setup and restore defaults. The complete documentation for the Windows 11 baseline is available in Microsoft’s official Windows 11 requirements.
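The msinfo32 verification and the checklist above can also be checked from a script, which helps when auditing more than one machine. This is an added example, not part of the original page or Microsoft's documentation; it assumes an elevated PowerShell session on Windows, and the function name Get-SecureBootReport and its output field names are hypothetical.

```powershell
# Added example. Run from an elevated PowerShell session on the PC being checked.
function Get-SecureBootReport {
    # Field names mirror the msinfo32 labels; KeyState mirrors the firmware's Setup/User state.
    $r = [ordered]@{ BiosMode = 'Unknown'; SecureBootState = 'Unknown'; KeyState = 'Unknown'; Note = '' }

    # BIOS Mode: Get-ComputerInfo reports the firmware type as Uefi or Bios.
    $r.BiosMode = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    if ($r.BiosMode -ne 'Uefi') {
        # Legacy/CSM boot: Secure Boot cannot be engaged until the boot mode is UEFI.
        $r.SecureBootState = 'Unsupported'
        $r.Note = 'Booted in Legacy/CSM mode; disable CSM in firmware first.'
    }
    else {
        try {
            # Confirm-SecureBootUEFI returns $true when Secure Boot is on, $false when off.
            $on = Confirm-SecureBootUEFI -ErrorAction Stop
            $r.SecureBootState = if ($on) { 'On' } else { 'Off' }

            # The UEFI SetupMode variable is one byte:
            # 0 = User Mode (platform key enrolled), 1 = Setup Mode (no platform key).
            $setupMode = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0]
            $r.KeyState = if ($setupMode -eq 0) { 'User' } else { 'Setup' }
        }
        catch {
            # Typical causes: session not elevated, or firmware without Secure Boot support.
            $r.Note = $_.Exception.Message
        }
    }

    # Ready only when all three checklist conditions hold.
    $r.Ready = ($r.BiosMode -eq 'Uefi' -and
                $r.SecureBootState -eq 'On' -and
                $r.KeyState -eq 'User')
    [pscustomobject]$r
}

Get-SecureBootReport | Format-List
```

A result with Ready set to False and KeyState set to Setup corresponds to the "Factory keys not installed" row in the troubleshooting table.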
References & Sources
- Microsoft. “Windows 11 and Secure Boot.” Official guide for Windows 11 UEFI and Secure Boot requirements.
