Secure Boot settings live in your PC’s UEFI/BIOS firmware menu, accessible through Windows Advanced startup or a boot key, not inside Windows itself.
Most people searching for how to enter Secure Boot have already opened every Windows settings panel they can find — and come up empty. The reason is straightforward: Secure Boot isn’t managed inside Windows at all. It lives in the UEFI/BIOS firmware menu, the low-level system interface your PC uses before the operating system loads. There are two reliable ways to reach that menu, and once you know both, the whole process takes about ten minutes.
How To Check If Secure Boot Is Already Enabled
Before changing anything in the firmware, confirm whether Secure Boot is already on. Open the Run dialog with Windows Key + R, type msinfo32, and press Enter. In the System Information window, check two entries:
- BIOS Mode — must read UEFI
- Secure Boot State — must read On
If both values are correct, Secure Boot is already active and no firmware changes are needed. If BIOS Mode shows Legacy, or Secure Boot State shows Off or Unsupported, you’ll need to enter the firmware settings and enable it.
Entering Secure Boot Settings: The Two Reliable Routes
Two methods get you into the firmware menu where Secure Boot lives. The Windows Advanced Startup path works on every PC and doesn’t require timing a key press. The boot key method is faster but requires hitting the right key at the right moment.
The Windows Advanced Startup Path
This is the most reliable method because it works regardless of how fast your PC boots. From Windows:
- Open Settings > System > Recovery
- Under Advanced startup, click Restart now
- After the PC reboots, click Troubleshoot
- Click Advanced options
- Click UEFI Firmware Settings
- Click Restart
The PC reboots directly into the firmware interface. From there, you can find Secure Boot and enable it.
The Manufacturer Boot Key Method
If you prefer to skip the Windows menus, tap a key repeatedly as the PC starts — before the Windows logo appears. The key varies by manufacturer:
| Manufacturer | Firmware Key | Notes |
|---|---|---|
| Dell | F2 | Tap repeatedly at the Dell logo |
| ASUS | F2 or Del | F2 for most laptops; Del for some desktop boards |
| HP | Esc then F10 | Tap Esc, choose BIOS, or tap F10 directly |
| Lenovo | F1 or F2 | ThinkPad typically uses F1; IdeaPad uses F2 |
| Acer | F2 or Del | F2 on most Acer laptops |
| MSI | Del | Common on MSI desktop motherboards |
| ASRock | F2 or Del | F2 on most ASRock boards |
Tap the key about twice per second from the moment you press the power button until the firmware screen loads. Miss the window? Let Windows boot, restart, and try again — or use the Windows Advanced Startup path instead.
What To Change In The Firmware To Enable Secure Boot
Once inside the firmware interface, the exact menu layout depends on your motherboard or PC brand. Secure Boot typically lives under one of these tabs:
- Boot
- Security
- Authentication
When you find the Secure Boot option, set it to Enabled. On many systems you may also need to:
- Set Boot Mode or Boot Type to UEFI (not Legacy or CSM)
- Disable CSM (Compatibility Support Module) if the option exists
- Save and exit — usually F10 or a Save & Exit option
The PC reboots after saving. If everything is set correctly, Secure Boot will be active on the next Windows start.
What If The Secure Boot Option Is Missing Or Greyed Out?
This is the most common problem when trying to enable Secure Boot. If the toggle is missing, greyed out, or won’t stay on, one of these is usually the cause:
- CSM or Legacy boot mode is still active. Switch to UEFI-only mode in the firmware, then check for Secure Boot again.
- The boot disk uses MBR instead of GPT. Windows 11 and Secure Boot both require GPT. Convert the disk or reinstall Windows in UEFI mode.
- Default Secure Boot keys are not installed. Some firmware requires you to install or restore factory Secure Boot keys before the toggle becomes available — look for an option labeled Install default Secure Boot keys or Reset to factory keys.
- The hardware doesn’t support Secure Boot. If none of the above helps and the option truly doesn’t exist, the system may be too old to run Windows 11 securely.
After making any of these changes, save and exit the firmware, then recheck the status from Windows.
Verifying Secure Boot Enabled Successfully
After the PC reboots into Windows, run msinfo32 again. Confirm that Secure Boot State now reads On. If it still shows Off or Unsupported, revisit the firmware settings — especially the CSM/Legacy disable and the boot mode selection.
| Problem | Likely Cause | Quick Fix |
|---|---|---|
| Secure Boot toggle is greyed out | CSM or Legacy mode is still enabled | Disable CSM, switch to UEFI-only, then retry |
| Secure Boot option doesn’t appear | Boot mode is set to Legacy/CSM | Change boot mode to UEFI |
| Toggle won’t stay On after saving | Default Secure Boot keys missing | Install or restore factory Secure Boot keys in firmware |
| msinfo32 shows “Unsupported” | Hardware lacks Secure Boot support | No fix available — the system can’t run Windows 11 securely |
| Windows won’t boot after enabling | OS installed in Legacy mode on an MBR disk | Convert disk to GPT or reinstall Windows in UEFI mode |
The whole process — entering Secure Boot settings, enabling the feature, and verifying it — takes about ten minutes once you know where to look. The Windows Advanced Startup path is the safest route for anyone unsure of their system’s boot key, and the msinfo32 check at both ends tells you whether it actually worked.
References & Sources
- Microsoft Support. “Windows 11 and Secure Boot” Official Microsoft guidance on checking and enabling Secure Boot via Windows Advanced Startup.