I’m trying to enable Secure Boot on my Windows 11 PC so I can meet the security requirements for some apps and future updates, but I’m confused by the BIOS/UEFI settings and don’t want to break anything. Can someone explain step by step how to safely turn on Secure Boot, and what to check first so I don’t lock myself out of Windows?
Short version. You need UEFI, GPT, and Secure Boot set to “Standard” or “Windows” in firmware. Here is how without wrecking stuff.
Check if Secure Boot is already possible
- Press Win + R
- Type msinfo32 and hit Enter
- Look for:
- BIOS Mode
- Secure Boot State
- Secure Boot Available
You want:
- BIOS Mode: UEFI
- Secure Boot State: Off
- Secure Boot Available: Yes
If BIOS Mode shows Legacy, you first need UEFI and GPT.
Check disk partition style
- Right click Start, pick Disk Management
- Right click your system drive, choose Properties
- Go to Volumes
- Look at “Partition style”
- If it says GPT, you are good.
- If it says MBR, you need to convert.
Convert MBR to GPT without wiping (Windows tool)
Do this only if you have a backup. Stuff breaks sometimes.
- Press Win + X, choose Windows Terminal (Admin) or CMD (Admin)
- Run:
mbr2gpt /validate /allowFullOS
If no error, run:
mbr2gpt /convert /allowFullOS
It changes only system disk layout to GPT. After convert, reboot.
Enter UEFI (BIOS)
Two simple ways:
Way A
- Settings
- System
- Recovery
- Advanced startup, click Restart now
- Troubleshoot → Advanced options → UEFI Firmware Settings → Restart
Way B
Mash Del, F2, F10, or F12 right after power on. Depends on board. It usually says on the screen.
Switch to UEFI only
Names vary by vendor. Look for something like:
- Boot Mode: UEFI
- CSM: Disable
- Legacy support: Disable
Steps are usually:
- Disable CSM or Legacy
- Set Boot mode to UEFI
Save and exit. If Windows fails to boot after this, your disk was not converted right.
Turn on Secure Boot
Back in UEFI settings, find Secure Boot. It might be under:
- Security
- Boot
- Authentication
- Sometimes “Windows OS configuration”
Common settings:
- Secure Boot: Enabled
- OS Type: Windows UEFI mode or Windows UEFI
- Secure Boot Mode: Standard or Default
- Key Management: Load Factory Keys or Install Default Keys
If Secure Boot is greyed out:
- Set Boot mode to UEFI first
- Sometimes set an “Admin” or “Supervisor” password in BIOS, enable Secure Boot, save, then clear password
Do not pick “Custom” Secure Boot mode unless you know about PK/KEK/DB keys.
Save and reboot
Save and exit from UEFI. Boot back into Windows.
Check again:
- msinfo32
- Now you want:
- BIOS Mode: UEFI
- Secure Boot State: On
Common weird problems
- Old GPU or PCI card blocks Secure Boot
Some old hardware needs CSM. If Secure Boot refuses to work, pull extra PCI cards and test.
- BitLocker prompt at boot
If your system drive is encrypted, firmware changes might trigger a recovery key request.
So copy your BitLocker key first from Settings → Privacy & security → Device encryption or BitLocker.
- Dual boot with Linux
Some Linux installs use their own bootloader. With Secure Boot on, it might refuse to boot unless that distro supports Secure Boot.
Many modern distros like Ubuntu handle this, older installs not so much.
After all this, Windows 11 Security Center under Device security should show Secure Boot as “On”. That meets the requirement for stuff like some anti-cheat, Pluton options, and future hardening.
If you’re mainly worried about “not breaking anything,” focus on making things reversible at each step instead of flipping a bunch of switches at once.
@cacadordeestrelas already gave you the full cookbook. I’ll add stuff that keeps you from getting stuck with a black screen and a dead boot.
1. Create a real exit plan first
Before touching firmware:
- Export BitLocker key(s) if Device Encryption / BitLocker is on
- Settings → Privacy & security → Device encryption or BitLocker → back up the recovery key to your MS account or a USB
- Make a Windows 11 install USB (Media Creation Tool)
- If the system fails to boot after changes, that USB is how you get into repair tools or undo things
- Optional but smart: a full image backup (Macrium Reflect, etc.). MBR2GPT is usually safe, but when it fails, it fails loud.
This is the part people skip and then come back here screaming that their OS is “gone.”
2. Decide if Secure Boot is really worth it on this machine
Yeah, Microsoft wants it. Some anti‑cheats want it. But there are a few cases where I’d honestly say: “don’t bother” unless you’re ready to replace hardware or reinstall:
- You have a very old GPU that only boots with CSM / Legacy
- You’re dual‑booting some weird Linux setup with a custom bootloader
- You’re on an ancient OEM motherboard with half‑broken UEFI
In those cases, Secure Boot can turn into a time sink for basically no real gain. For a normal, supported Windows 11 box though, it’s worth doing.
3. Safer way to approach firmware settings
Instead of jumping straight from “Legacy + CSM” to “Secure Boot fully enabled,” do it in three boots:
Boot 1: UEFI-only test
- In firmware:
- Disable CSM / Legacy
- Set Boot mode to UEFI only
- Do not touch Secure Boot yet
- Save, reboot
- If Windows boots normally, great. If not, go back and revert that one setting.
Boot 2: Secure Boot “armed” but not strict
This part varies by board, but many have:
- OS Type: set to “Windows UEFI mode” or similar
- Secure Boot mode: “Standard” / “Default” / “Factory”
- Load default keys or factory keys
- Still leave Secure Boot itself on “Disabled” if there is a separate toggle
Reboot again. We’re just making sure firmware has keys loaded and still boots fine.
Boot 3: Actually enable Secure Boot
- Flip Secure Boot to “Enabled”
- Keep mode on “Standard” or “Windows UEFI”
- Avoid any “Custom” / “User” mode nonsense, unless you like living in key‑management hell
Reboot and confirm it still gets into Windows.
This staged approach is overkill, but it massively lowers the chance you end up staring at a blinking cursor wondering which exact thing you changed.
4. If Secure Boot is grayed out even after UEFI is on
@cacadordeestrelas mentioned the supervisor/admin password thing, and I’ll half‑disagree slightly here: yes, it works, but I’d treat a firmware password as temporary:
- Set the admin / supervisor password
- Enable Secure Boot
- Save
- Go right back in and clear that password so you do not forget it three months from now and lock yourself out of your own firmware
A scary number of people set that, then sell or repurpose the machine, then everyone is stuck.
Also, check for a “Restore Factory Keys” or “Install Default Keys” option in Secure Boot config. Sometimes Secure Boot is disabled simply because there are no keys installed.
5. Watch for these “gotchas” right after enabling
After your “Boot 3”:
If Windows suddenly asks for a BitLocker recovery key at boot
- That’s normal when firmware changes; type the key and then in Windows run
manage-bde -protectors -disable C:
- Reboot once
manage-bde -protectors -enable C:
so it re-binds to the new firmware state
If your Linux entry vanished or will not boot
- Secure Boot often only trusts Windows Boot Manager by default
- You can:
- Reinstall GRUB with Secure Boot support
- Or disable Secure Boot again if you just need the dual boot more than the security
If screen stays black, no boot device
- Go back into firmware and check boot order
- Make sure “Windows Boot Manager” is first, not the raw drive or some old entry
6. Quick verification inside Windows
Once it boots:
Win + R → msinfo32
- BIOS Mode: UEFI
- Secure Boot State: On
- Windows Security → Device Security → you should see “Secure boot is on”
If BIOS is UEFI but Secure Boot State still says “Off,” go back and make sure:
- CSM is indeed disabled
- OS Type is set to “Windows” or similar
- Secure Boot actually says Enabled, not just “Standard mode” with the main toggle off
7. If you’re stuck mid‑way
If you get to a point where:
- Disk is GPT
- BIOS Mode: UEFI
- But Secure Boot refuses to enable or breaks something
At that point the most practical route is often:
- Back up
- Clean‑install Windows 11 in UEFI mode from USB with CSM off and Secure Boot off
- Once install finishes and boots correctly, then enable Secure Boot
Annoying, but you end up with a fully clean, “by the book” Secure Boot setup rather than fighting firmware quirks for days.
TL;DR: do it in small reversible steps, always with a backup + BitLocker key in hand, and treat BIOS passwords and “Custom” Secure Boot keys like radioactive material unless you really know what you’re doing.
Quick angle that complements what @cacadordeestrelas covered, without rehashing the whole BIOS tour:
- Check if you even need to touch firmware yet
In Windows first:
- Press Win + R, type msinfo32, Enter
- If Secure Boot State says:
- On → you are done, do nothing in BIOS.
- Off & BIOS Mode is UEFI → you likely only need a single toggle in firmware.
- Legacy → that is when their longer guide really applies.
A lot of people panic in BIOS when in reality they just have Secure Boot disabled in a UEFI setup.
- Look for the vendor’s “one button” setup
I slightly disagree with the idea that you must always do this in three separate reboots. On newer boards and OEM laptops there is often a preset like:
- “Windows 11 WHQL”
- “Windows UEFI secure”
- “UEFI / Secure Boot ready”
Turning that on typically does three things at once: disables CSM, sets UEFI, loads default keys, and enables Secure Boot. As long as you have your BitLocker key and a recovery USB handy, using that single preset is usually safe and faster than micromanaging each subsetting.
- Use Windows to convert the disk first, not BIOS
If msinfo32 says BIOS Mode: Legacy but your board supports UEFI, I would:
- Run mbr2gpt /validate /allowFullOS from an elevated command prompt.
- Only if that passes, run mbr2gpt /convert /allowFullOS.
You do this before you start flipping firmware options. It reduces the chance that “UEFI only” suddenly leaves you with no bootable device. If mbr2gpt complains, that is a red flag and a good moment to stop and consider a clean install instead of forcing Secure Boot.
- Know the two realistic failure outcomes
Almost every Secure Boot misstep ends in one of these two states:
- “No bootable device” / stuck in firmware
- Endless BitLocker recovery prompts
If it is the first one, 90% of the time the fix is just:
- Turn CSM back on OR
- Reorder the boot list so “Windows Boot Manager” is first.
If it is BitLocker constantly asking for the key, just leave Secure Boot on, enter the key once, then in Windows suspend and reenable the protectors so it learns the new hardware state.
- When not to fight it
Here is where I diverge a bit from the “keep pushing through” approach:
- If your PC is already borderline for Windows 11 (old CPU, old firmware, weird OEM) and enabling Secure Boot needs disk conversion, firmware update, and bootloader repair, I would strongly consider leaving it off unless a specific app absolutely demands it. The theoretical security win can be offset by the very real chance of data loss if you are not comfortable recovering a broken boot.
Secure Boot is great, but “PC that boots reliably” is better than “slightly more secure PC that you cannot start.”
- About the empty product title you mentioned
Since you referenced “How To Turn On Secure Boot Windows 11 I’m trying to enable Secure Boot on my Windows 11 PC so I can meet the security requirements for some apps and future updates, but I’m confused by the BIOS/UEFI settings and don’t want to break anything. Can someone expl…” as a sort of guide topic, using a walkthrough like that has some pros and cons:
Pros
- Gives you a focused checklist specific to Secure Boot on Windows 11.
- Helps keep changes organized so you can reverse them.
- Good for matching what Microsoft’s own tools expect.
Cons
- Can make things look more complicated than they are if your system already runs UEFI.
- May not match your exact firmware wording, which causes extra confusion.
- Can encourage you to change more options than necessary “just to follow the guide.”
Comparing with @cacadordeestrelas: their explanation is excellent for edge cases and slower, safer transitions, especially on quirky hardware. What I am adding is more “triage”: check what Windows already knows, use vendor presets where available, and decide early if the effort is worth it on that specific machine.
If you post your msinfo32 values for BIOS Mode and Secure Boot State plus motherboard / laptop model, you can often get a 2‑ or 3‑setting answer instead of a full-page procedure.
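The pre-flight checks described across the answers above (firmware mode, Secure Boot state, partition style, BitLocker recovery key), gathered into one read-only PowerShell function. This is an added example, not code from any of the posters; the function name Get-SecureBootTriage is hypothetical, and it assumes an elevated PowerShell session on Windows 10/11 with the built-in SecureBoot, Storage and BitLocker cmdlets available.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical helper name). Read-only: it changes no settings.
function Get-SecureBootTriage {
    # "BIOS Mode" as msinfo32 reports it: Uefi or Bios.
    $firmware = "$((Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType)"

    # Returns $true/$false on UEFI; throws on legacy BIOS or when unsupported.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    # Partition style (GPT/MBR) of the disk Windows boots from.
    $style = "$((Get-Disk | Where-Object IsBoot | Select-Object -First 1).PartitionStyle)"

    # BitLocker / Device encryption on the OS volume, and whether a
    # recovery password protector exists that can be backed up.
    $blv = $null
    try { $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { }
    $protected   = $blv -and "$($blv.ProtectionStatus)" -eq 'On'
    $hasRecovery = [bool]($blv.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })

    # Triage order follows the thread: already on, UEFI with it off, legacy.
    $next = if ($secureBoot -eq $true) {
        'Secure Boot is already on; no firmware change needed.'
    } elseif ($firmware -eq 'Uefi') {
        'UEFI with Secure Boot off: enable it in firmware with Standard/default keys.'
    } elseif ($style -eq 'MBR') {
        'Legacy + MBR: back up, then run mbr2gpt /validate /allowFullOS before touching firmware.'
    } else {
        'Legacy mode on a GPT disk: set firmware to UEFI only (CSM off) and test boot first.'
    }
    if ($secureBoot -ne $true -and $protected) {
        $next = "Save the BitLocker recovery key first. $next"
    }

    [pscustomobject]@{
        BiosMode                = $firmware
        SecureBoot              = $secureBoot
        PartitionStyle          = $style
        BitLockerOn             = [bool]$protected
        RecoveryPasswordPresent = $hasRecovery
        NextStep                = $next
    }
}

Get-SecureBootTriage | Format-List
```

A SecureBoot value of blank (null) means the cmdlet could not read the firmware variable, which is what a legacy-BIOS boot produces.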