How To Enable UEFI Secure Boot on Windows 11 | Secure Your PC

To enable UEFI Secure Boot in Windows 11, enter the UEFI firmware settings via Windows Recovery, disable CSM, and turn the Secure Boot setting to Enabled.

Windows 11 enforces Secure Boot by default on new PCs, but upgrading or reinstalling can leave this security layer switched off. Enabling UEFI Secure Boot on Windows 11 starts with checking two system prerequisites: the firmware must be set to UEFI, and the system drive must use the GPT partition table. Without those two pieces in place, the Secure Boot option stays hidden or grayed out.

Below is the exact step sequence and the fixes for the most common roadblocks, drawn from the official Microsoft documentation and major OEM support guides.

Is Your PC Ready for UEFI Secure Boot?

A Windows 11 PC needs UEFI firmware and a GPT-formatted drive before Secure Boot can be turned on. The System Information utility shows both details instantly.

Open the Start menu, type msinfo32, and press Enter. Look for two rows:

  • BIOS Mode: must say UEFI. If it says Legacy, the motherboard is currently running in compatibility mode.
  • Secure Boot State: says Off if Secure Boot is available but not active.

If the disk uses the MBR partition table, it must be converted to GPT before Secure Boot can function. Windows 11 includes the mbr2gpt tool to handle this conversion without reinstalling the OS, though a full backup is strongly recommended before proceeding.

How to Enable UEFI Secure Boot on Windows 11: The Step Order That Works

Every modern PC boots into the operating system through a firmware layer. Enabling Secure Boot requires changing settings inside that layer. The most reliable route is through Windows itself.

  1. Go to Settings > System > Recovery. Under Advanced startup, click Restart now.
  2. On the blue recovery screen, select Troubleshoot > Advanced options > UEFI Firmware Settings > Restart.
  3. Once inside the BIOS or UEFI interface, locate the Boot tab.
  4. Find Compatibility Support Module (CSM) or Launch CSM and set it to Disabled. This forces the system into native UEFI mode.
  5. Look for Boot List Option. If it is set to Legacy, change it to UEFI.
  6. Navigate to the Security or Boot tab. Find Secure Boot and set it to Enabled.
  7. If the Secure Boot Mode is set to Custom, open the Key Management sub-menu and select Install Default Secure Boot Keys.
  8. Press F10 or the manufacturer-specific save key and confirm to save changes and exit.

BIOS Access and Navigation Quick Reference

Key presses and tab labels vary by manufacturer. The table below covers the most common setups.

| Manufacturer      | BIOS Key            | Common Tab for Secure Boot      |
|-------------------|---------------------|---------------------------------|
| Dell              | F2                  | Boot / Security                 |
| HP                | F10                 | Security / System Configuration |
| ASUS              | F2 / Delete         | Boot / Security                 |
| Lenovo            | F1 / F2             | Security                        |
| Acer              | F2 / Delete         | Boot / Security                 |
| Microsoft Surface | Volume Down + Power | Boot Configuration              |
| Gigabyte          | Delete              | BIOS / Security                 |

What If Windows 11 Won’t Boot After Enabling Secure Boot?

A boot failure after enabling Secure Boot usually points to a legacy setup that was not fully migrated. The system is enforcing a security policy that contradicts the existing configuration.

Boot loop or black screen: Power off the PC completely. Re-enter the BIOS. Verify CSM is disabled and the Boot List Option is set to UEFI. If the OS was installed in Legacy mode on an MBR drive, the system cannot start in UEFI mode until the disk is converted.

Disk conversion: Boot into the Windows Recovery Environment. Select Troubleshoot > Command Prompt. Run mbr2gpt /convert and follow the prompts. This tool rewrites the partition table without touching the user data, making the drive compatible with UEFI firmware. Microsoft’s official documentation on Windows 11 and Secure Boot explains the full compatibility requirements.

Administrator password lock: Some manufacturers (HP, Lenovo) hide the Secure Boot toggle until a user-set BIOS password is created. Enter the BIOS, navigate to the Security tab, set an Administrator Password, save and exit, then re-enter the BIOS. The Secure Boot option will be available.

Why UEFI and GPT Matter for Secure Boot

Secure Boot works by checking the cryptographic signatures of boot components against the firmware’s database. Legacy boot modes do not support this signature check. The table below summarizes the differences between the two partition tables and their roles in Secure Boot.

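| Feature                  | MBR (Legacy) | GPT (UEFI) |
|--------------------------|--------------|------------|
| Secure Boot Ready        | No           | Yes        |
| Partition Limit          | 4            | 128        |
| Max Disk Size            | 2 TB         | 9.4 ZB     |
| Required for Windows 11? | No           | Yes        |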

Verifying UEFI Secure Boot Is Active

If the system boots normally after the changes, the only remaining task is confirming the setting took effect.

Open System Information (msinfo32) again. Confirm both values:

  • BIOS Mode: UEFI
  • Secure Boot State: On

These two entries confirm the PC is running in native UEFI mode with Secure Boot actively protecting the boot chain. The system now meets Microsoft’s full Windows 11 hardware security baseline.
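
A scripted version of the msinfo32 checks from the readiness and verification sections, added here as an example; it is not from the original article or from Microsoft's documentation. It assumes an elevated PowerShell session in the installed OS, and the function name Get-SecureBootReadiness and its output fields are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: reads the same facts as msinfo32 and maps them to the article's next step.
function Get-SecureBootReadiness {
    param([switch]$ValidateConversion)  # also dry-run mbr2gpt on an MBR system disk

    # "BIOS Mode" row: Uefi or Bios
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Disk that holds the boot/system volume, with its partition table (MBR or GPT)
    $disk = Get-Disk | Where-Object { $_.IsBoot -or $_.IsSystem } | Select-Object -First 1

    # "Secure Boot State" row: the cmdlet returns a boolean on UEFI and throws on legacy firmware
    try {
        $state = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch [System.PlatformNotSupportedException] {
        $state = 'Unsupported'
    } catch {
        $state = "Unknown ($($_.Exception.Message))"
    }

    # Non-destructive check: /validate only tests whether the disk can be converted
    $convertible = $null
    if ($ValidateConversion -and $disk.PartitionStyle -eq 'MBR') {
        & mbr2gpt.exe /validate "/disk:$($disk.Number)" /allowFullOS | Out-Null
        $convertible = ($LASTEXITCODE -eq 0)
    }

    $next = if ($state -eq 'On') {
        'None: Secure Boot is active'
    } elseif ($disk.PartitionStyle -ne 'GPT') {
        'Back up, convert the system disk to GPT (mbr2gpt), then switch firmware to UEFI'
    } elseif ($firmware -ne 'Uefi') {
        'Disable CSM / set the boot list to UEFI in firmware settings'
    } else {
        'Enable Secure Boot in firmware settings (install default keys if mode is Custom)'
    }

    [pscustomobject]@{
        BiosMode        = $firmware
        SystemDisk      = $disk.Number
        PartitionStyle  = [string]$disk.PartitionStyle
        SecureBootState = $state
        MbrConvertible  = $convertible
        NextStep        = $next
    }
}

Get-SecureBootReadiness | Format-List
```

Running it with -ValidateConversion before any firmware change shows whether mbr2gpt considers the system disk convertible, without modifying the partition table.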
