Secure Boot can only be enabled through UEFI firmware settings, but you can reach that setup from Windows without tapping a BIOS hotkey.
Secure Boot cannot be turned on from inside Windows alone; it requires a visit to your system’s UEFI firmware screen. The “without BIOS” method uses Windows’ own Advanced startup menu to reboot straight into those firmware settings, where the actual toggle lives. There is no keypress to time during boot and no vendor hotkey to hunt for. The whole process from desktop to enabled Secure Boot takes about two minutes once the prerequisites are handled.
What “Without BIOS” Actually Means For Secure Boot
The phrase trips up a lot of searches. “BIOS” in this context usually refers to the firmware setup interface — the screen you see when you press F2, Del, or F10 during startup. On modern PCs that interface is UEFI firmware, not the old legacy BIOS, but most people still call it “the BIOS.” Enabling Secure Boot without entering that firmware screen at all is not possible — the setting physically lives there. What is possible is launching that firmware screen from inside Windows, which is what the “without BIOS” method actually means: no need to catch a hotkey during the boot sequence.
How To Check Your Current Secure Boot Status First
Before changing anything, find out where your system currently stands. The fastest check uses a built-in Windows tool:
- Press Windows key + R, type msinfo32, and hit Enter.
- Look for two rows: BIOS Mode and Secure Boot State.
- If BIOS Mode says Legacy or CSM, or Secure Boot State says Unsupported or Off, the steps below apply directly.
A screenshot of this screen saves a lot of guessing — write down what you see under both fields before making any changes.
Prerequisites Before You Enter Firmware Settings
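Secure Boot will not stay enabled unless three conditions are met first: the system disk uses GPT, CSM/Legacy boot is disabled, and Windows is installed in UEFI mode. Skipping any of these is the most common reason the setting appears to take in firmware but reverts after a reboot. The table lists those three along with the related items worth checking on the same visit.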
| Prerequisite | Why It Matters | How To Fix |
|---|---|---|
| System disk uses GPT, not MBR | Secure Boot requires the GPT partition layout; MBR disks will fail or revert | Use mbr2gpt /convert /allowfullOS in an admin Command Prompt — it is safe and preserves data |
| CSM / Legacy boot is disabled | Compatibility Support Module overrides UEFI boot, preventing Secure Boot from engaging | In firmware settings, set CSM to Disabled or UEFI Only |
| Windows is installed in UEFI mode | A system installed in Legacy mode cannot boot with Secure Boot enforced | Check msinfo32 — if BIOS Mode says UEFI, you are set; if it says Legacy, a reinstall in UEFI mode is needed |
| Windows Boot Manager is the first boot entry | Some firmware lists other drives first, which can cause Secure Boot to fail its self-check | In firmware boot order, move Windows Boot Manager to the top |
| Firmware is updated to a recent version | Old UEFI firmware can lack full Secure Boot support or contain bugs | Check your motherboard vendor’s support page for the latest BIOS/UEFI version |
| TPM 2.0 is enabled (for Windows 11) | Windows 11 requires both Secure Boot and TPM 2.0 together | In firmware, look under Security or Trusted Computing for TPM settings |
How Do You Reach UEFI Firmware Settings From Windows?
This is the core move — the “without BIOS” path. Windows can tell the motherboard to boot directly into firmware settings on the next restart, bypassing the need for a hotkey. The route is the same on every modern version of Windows 10 and Windows 11.
- Open Settings > Update & Security > Recovery (on Windows 11: Settings > System > Recovery).
- Under Advanced startup, click Restart now.
- The system reboots into a blue menu. Click Troubleshoot.
- Click Advanced options.
- Click UEFI Firmware Settings.
- Click Restart.
The machine reboots one more time and lands directly inside the firmware setup interface — no BIOS key needed. This works on any PC whose motherboard supports UEFI, which covers essentially every Windows machine built since 2012.
Enabling Secure Boot Without BIOS: The Step Order That Works
Once you are inside the firmware menu, the exact setting names vary by motherboard vendor, but the logic is identical. Here is the sequence that works across most systems:
- Find the Boot tab or section.
- Set Boot Mode or Boot Type to UEFI (not Legacy or CSM).
- Find Secure Boot — it is usually under the Security, Boot, or Authentication tab.
- Set Secure Boot to Enabled or On.
- On ASUS systems specifically, press F7 for Advanced Mode, then navigate Security > Secure Boot, set Secure Boot Control to Enabled, and set OS Type to Windows UEFI Mode.
- If the Secure Boot keys are missing or corrupted, look for Install Default Secure Boot Keys and run that option first.
- Press F10 or select Save Changes & Reset.
The system reboots. If all prerequisites were met, Secure Boot is now active.
Why Secure Boot Might Not Stay Enabled
The most frustrating outcome is flipping the toggle, saving, rebooting, and finding Secure Boot back to Off. This almost always traces back to one of the prerequisites that was missed. The three repeat offenders are an MBR system disk, CSM still enabled, and Windows installed in Legacy mode. A fourth cause is missing or invalid Secure Boot keys in the firmware — running Install Default Secure Boot Keys usually clears that.
On some Dell and HP systems, the firmware hides Secure Boot behind a “supervisor password” setting. If you see the menu option grayed out, set an admin password in the firmware first, then revisit the Secure Boot setting.
How To Verify Secure Boot Is Working
After the reboot, run msinfo32 again. Confirm that Secure Boot State now reads On. If it still reads Off, go through the prerequisite table above and check each row — one of them is the blocker.
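The msinfo32 status check and the prerequisite rows above can also be read from an elevated PowerShell session. This is an added example, not code from the original article: it reports firmware mode, Secure Boot state, system disk partition style and TPM state, and names the prerequisite that is the likely blocker. The function name Get-SecureBootReadiness is hypothetical, and CSM, boot order and firmware version are not visible to it, so those rows still have to be checked in firmware.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): read-only report of the prerequisites
# that Windows can see. It changes no firmware, disk, or boot settings.
function Get-SecureBootReadiness {
    $r = [ordered]@{}

    # Same fact as "BIOS Mode" in msinfo32: Uefi or Bios (Legacy/CSM)
    $r.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI returns $true/$false on a UEFI boot and throws
    # on a Legacy/CSM boot, which msinfo32 reports as "Unsupported".
    try {
        $r.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        $r.SecureBoot = 'Unsupported'
    }

    # Partition style of the disk Windows boots from (must be GPT)
    $disk = Get-Disk | Where-Object { $_.IsBoot -or $_.IsSystem } | Select-Object -First 1
    $r.SystemDisk = "Disk $($disk.Number): $($disk.PartitionStyle)"

    # TPM state; SpecVersion begins with "2.0" on a TPM 2.0 device
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpecVersion = if ($tpm) { $tpm.SpecVersion } else { 'Not detected' }
    $r.TpmEnabled = [bool]($tpm -and $tpm.IsEnabled_InitialValue)

    # Map each failed check to the prerequisite row it corresponds to
    $blockers = @()
    if ($r.FirmwareType -ne 'Uefi') { $blockers += 'Windows is booted in Legacy/CSM mode' }
    if ($disk.PartitionStyle -ne 'GPT') { $blockers += 'System disk is MBR, not GPT' }
    if ($r.SecureBoot -ne 'On') { $blockers += 'Secure Boot is not enabled in firmware' }
    if (-not $r.TpmEnabled -or $r.TpmSpecVersion -notlike '2.0*') {
        $blockers += 'TPM 2.0 not enabled (Windows 11 only)'
    }
    $r.Blockers = if ($blockers) { $blockers -join '; ' } else { 'None found' }

    [pscustomobject]$r
}

Get-SecureBootReadiness | Format-List
```

Before converting a disk, `mbr2gpt /validate /allowFullOS` reports whether the conversion can proceed without changing anything. From an elevated prompt, `shutdown /r /fw /t 0` restarts into the same firmware setup screen as the Advanced startup route.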
| Problem | Likely Cause | Fix |
|---|---|---|
| Secure Boot flips back to Off after reboot | CSM is still enabled, or the disk is MBR | Disable CSM in firmware; convert the disk to GPT using mbr2gpt |
| System boots to a black screen after enabling Secure Boot | Windows is installed in Legacy mode on a GPT disk, or the boot loader is not UEFI-compatible | Reinstall Windows in UEFI mode, or restore firmware defaults and reconfigure |
| Secure Boot option is grayed out in firmware | Firmware requires an admin password, or the system is in CSM mode | Set an admin/supervisor password in firmware, then disable CSM |
| UEFI Firmware Settings option is missing from Advanced startup | Windows is booting in Legacy/BIOS mode, or the motherboard lacks UEFI | Check msinfo32 for BIOS Mode; if Legacy, the motherboard may not support UEFI — upgrading hardware may be required |
| Secure Boot shows On but Windows 11 still fails the system check | TPM 2.0 is disabled or not detected | Enable TPM 2.0 in firmware under the Security or Trusted Computing section |
Secure Boot Enable Sequence
Here is the complete sequence from a running Windows desktop to confirmed Secure Boot, compressed into one actionable list:
Check current state with msinfo32 → confirm the disk is GPT (convert with mbr2gpt if needed) → go to Settings > Recovery > Advanced startup > Restart now → Troubleshoot > Advanced options > UEFI Firmware Settings > Restart → in firmware, disable CSM, set boot mode to UEFI, enable Secure Boot, install default keys if available → Save Changes & Reset → verify with msinfo32 that Secure Boot State reads On. If the setting does not hold, the checklist in the prerequisite table identifies the specific blocker.
