Secure Boot is enabled inside your PC’s UEFI firmware, typically by switching from Legacy/CSM mode and turning on the Secure Boot control.
Secure Boot is the gatekeeper of your Windows PC’s boot process. It checks every driver and OS loader against a database of trusted signatures before letting it run, stopping rootkits and boot-level malware cold. The quickest way to enable Secure Boot is through the UEFI firmware settings, accessible directly from your Windows Recovery environment. The exact menu names differ between motherboard brands, but the core process is the same across all modern systems.
What You Need Before Enabling Secure Boot
Secure Boot doesn’t work in isolation. On most modern systems, especially those running Windows 11, three hardware and firmware conditions must be met first. The NSA specifically advises against using Legacy BIOS or CSM Compatibility Mode, as these bypass Secure Boot entirely. Before you start, verify these prerequisites:
| Prerequisite | Why It Matters | How to Check |
|---|---|---|
| UEFI BIOS Mode | Legacy/CSM mode does not support Secure Boot. | Check your BIOS main menu for “Boot Mode” or “UEFI/Legacy” setting. |
| TPM 2.0 | Required for Windows 11 and full Secure Boot integrity validation. | Press Win+R, type tpm.msc, and check the version listed in the status pane. |
| GPT Disk Partitioning | MBR disks are not compatible with Secure Boot on Windows. | Open Disk Management, right-click the system disk, and select Properties > Volumes to see the partition style. |
| Default Secure Boot Keys | Missing or corrupt signature databases can prevent Secure Boot from turning on. | Navigate to “Key Management” in your firmware; look for “Install Default Secure Boot Keys” as an option. |
The Standard Path Through Windows
The cleanest route is to let Windows hand you off directly to the UEFI firmware menu. This method works on every PC that ships with Windows 8 or later and is the version-stable path Microsoft recommends. The exact procedure is documented on the Windows 11 and Secure Boot support page.
- Open Settings > System > Recovery.
- Click Restart now under Advanced startup.
- On the blue screen, select Troubleshoot > Advanced options > UEFI Firmware Settings.
- Click Restart. The system boots directly into the firmware interface.
- Inside the firmware, locate the Security or Boot tab.
- Set Secure Boot or Secure Boot Control to Enabled.
- If an OS Type option appears, set it to Windows UEFI Mode.
- Press F10 to save changes and exit.
Enabling Secure Boot on Specific Motherboards
Firmware menus vary significantly by manufacturer. Here is how it looks on two common brands.
ASUS. Enter the BIOS by pressing F2 or Del. Press F7 for Advanced Mode. Go to Security > Secure Boot. Set Secure Boot Control to Enabled. If the toggle is grayed out, head to Key Management, select Install Default Secure Boot Keys, confirm, and then enable it. Press F10 to save and exit.
ASRock. Enter the BIOS, go to the Security tab, and select Secure Boot. Change the setting to Enabled. ASRock notes that this option is often hidden until CSM is fully disabled in the Boot tab. On older models, you may need to set Secure Boot Mode to Custom first, then switch it to Standard after installing the keys.
Common Issues and How to Fix Them
Secure Boot usually enables without a hitch if the prerequisites are met. When it doesn’t, the cause is almost always one of these four roadblocks. The NSA notes that Standard Mode with TPM support offers the best balance for workstations, and warns that Custom Mode can leave an early-boot blind spot if keys are not managed correctly.
| Issue | Most Likely Cause | The Fix |
|---|---|---|
| Toggle is grayed out | CSM (Compatibility Support Module) is still enabled. | In the firmware Boot tab, set CSM to Disabled, save and reboot, then return to the Security tab. |
| Windows won’t boot after enabling | Corrupt or missing Secure Boot keys. | In firmware Key Management, select Reset to Setup Mode, then Install Default Secure Boot Keys. |
| TPM is missing or disabled | TPM 2.0 is turned off in the firmware. | Find the TPM/PTT/fTPM setting (usually under Advanced or Security) and set it to Enabled. |
| Disk is MBR, game won’t load | Secure Boot requires GPT partitioning. | Use the mbr2gpt.exe /convert tool from an Admin Command Prompt to convert without data loss. |
Checklist for a Successful Secure Boot Setup
Once you have made the changes, boot back into Windows. To confirm Secure Boot is active, open System Information (msinfo32.exe) and check the Secure Boot State line. It should read On. If you are a PC gamer, EA Help also recommends confirming that the OS Type in your firmware is set to Windows UEFI Mode and that the disk is GPT, as online anti-cheat systems can reject systems missing any of these components. Run through this quick final check:
- Boot mode set to UEFI (Legacy/CSM disabled).
- TPM 2.0 enabled and functional.
- System disk converted to GPT.
- Default Secure Boot keys installed in the firmware.
- Secure Boot set to Enabled under the Security or Boot tab.
Once all five items are checked, your system is locked down from the first power-on. You will still be able to run Windows 11 and compatible Linux distributions, but unsigned bootloaders and low-level malware will be blocked before they can execute.
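As an added check (this script is not from the article or from any vendor support page), the same five checklist items can be confirmed from an elevated PowerShell prompt instead of clicking through msinfo32. It assumes the SecureBoot and Storage cmdlets and the Win32_Tpm WMI class that ship with Windows 10/11.

```powershell
# Added verification script: re-checks the five Secure Boot checklist items.
# Assumes Windows 10/11 with the built-in SecureBoot and Storage modules.
#Requires -RunAsAdministrator

$results = [ordered]@{}

# 1. Boot mode: Windows records which firmware type it was started from.
$results['Boot mode is UEFI'] = ($env:firmware_type -eq 'UEFI')

# 2. TPM 2.0 present and enabled (SpecVersion reads like "2.0, 0, 1.59").
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$results['TPM 2.0 enabled'] = ($null -ne $tpm -and $tpm.IsEnabled_InitialValue -and $tpm.SpecVersion -like '2.0*')

# 3. System disk uses GPT. If this fails, mbr2gpt.exe /validate /allowFullOS is the
#    dry run to perform before mbr2gpt.exe /convert from the fix table above.
$sysDisk = Get-Partition -DriveLetter $env:SystemDrive[0] | Get-Disk
$results['System disk is GPT'] = ($sysDisk.PartitionStyle -eq 'GPT')

# 4. Default key databases populated: PK, KEK, db and dbx must all exist and be non-empty.
#    A missing variable throws, which is what a firmware left in Setup Mode looks like.
try {
    $keys = 'PK', 'KEK', 'db', 'dbx' | ForEach-Object { (Get-SecureBootUEFI -Name $_).Bytes.Length -gt 0 }
    $results['Secure Boot keys installed'] = ($keys -notcontains $false)
} catch {
    $results['Secure Boot keys installed'] = $false
}

# 5. Secure Boot state: Confirm-SecureBootUEFI returns $true/$false on UEFI systems
#    and throws on Legacy/CSM systems, so a throw counts as "not enabled".
try   { $results['Secure Boot state is On'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot state is On'] = $false }

# Print one line per checklist item.
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Any FAIL line maps directly onto a row of the "Common Issues" table above; rerun the script after each firmware change rather than trusting a single msinfo32 glance.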
References & Sources
- Microsoft. “Windows 11 and Secure Boot.” Official step-by-step guide for enabling Secure Boot on Windows 11 PCs.
- ASUS USA. “How to enable Secure Boot in the BIOS.” Support article covering ASUS firmware menus and key management.
- EA Help. “How to enable Secure Boot.” Gaming-focused guide covering TPM, GPT, and UEFI prerequisites.
- NSA Cybersecurity. “Boot Security Modes and Recommendations.” Official NSA guidance on UEFI Secure Boot modes and legacy compatibility risks.
