Secure Boot is a UEFI firmware security feature that verifies the digital signatures of boot files before they run, which prevents boot-level malware (bootkits) from loading before Windows starts.
Windows 11 requires Secure Boot to be enabled. If it’s currently off, you’ll need to access your BIOS menu via the Windows Recovery Environment and enable it in Boot Options.
Quick Answer
Go to Settings → System → Recovery → Restart now, then navigate to Troubleshoot → Advanced options → UEFI Firmware Settings, enter BIOS, find Boot Options, and enable Secure Boot.
How to Enable Secure Boot in Windows 11
Step 1: Check if Secure Boot Is Currently Enabled
Before opening BIOS, verify the current Secure Boot state so you know whether a change is actually needed — open System Information by pressing Win+R and typing msinfo32.

In System Information, look for the Secure Boot State row in the System Summary. If it shows Off, Secure Boot is disabled and you need to enable it in BIOS. If it shows On, no action is needed.

Step 2: Boot into the BIOS Menu via Windows Recovery
The only way to enable Secure Boot is through your UEFI BIOS settings. On Windows 11, navigate to Settings → System → Recovery and click Restart now under Advanced startup to reach WinRE.

From the WinRE blue screen, navigate to Troubleshoot → Advanced options and select UEFI Firmware Settings — the system will reboot directly into the BIOS interface for your machine.

After rebooting, press the key shown on the startup screen to enter BIOS Setup — for example, HP laptops typically show F10, but this varies by manufacturer.

Step 3: Enable Secure Boot in BIOS Boot Options
In the BIOS setup screen, navigate to the System Configuration tab or equivalent section (labeling varies by manufacturer — it may be called Boot, Security, or Advanced), then open Boot Options.

Locate the Secure Boot option and change its value to Enabled. Save changes and exit the BIOS — typically with F10 — and the system will restart with Secure Boot active.

After saving and rebooting, re-open System Information (msinfo32) and confirm that Secure Boot State now shows On — this confirms the change took effect successfully.
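
The msinfo32 check from Steps 1 and 3 can also be scripted. The PowerShell below is an added example, not part of the original guide: Get-SecureBootState is a hypothetical helper name, while Confirm-SecureBootUEFI and the UEFISecureBootEnabled registry value are built into Windows. It also handles the two cases where the cmdlet fails: a legacy BIOS boot and a non-elevated session.

```powershell
# Added example (not from the original guide). Get-SecureBootState is a
# hypothetical helper name; the cmdlet and registry value ship with Windows.
function Get-SecureBootState {
    [CmdletBinding()]
    param()

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $state   = 'Unknown'
    $source  = 'None'

    try {
        # Returns $true when Secure Boot is on, $false when it is off.
        # Requires an elevated (Run as administrator) session.
        $on     = Confirm-SecureBootUEFI -ErrorAction Stop
        $state  = if ($on) { 'On' } else { 'Off' }
        $source = 'Confirm-SecureBootUEFI'
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS/CSM boot or firmware without Secure Boot support:
        # msinfo32 shows "Unsupported" here, and there is nothing to enable
        # until the machine boots in UEFI mode.
        $state  = 'Unsupported'
        $source = 'Confirm-SecureBootUEFI'
    }
    catch {
        # Typically a non-elevated session. Fall back to the registry value
        # Windows keeps for the Secure Boot state; standard users can read it.
        $reg = Get-ItemProperty -Path $regPath -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue
        if ($null -ne $reg) {
            $state  = if ($reg.UEFISecureBootEnabled -eq 1) { 'On' } else { 'Off' }
            $source = 'Registry'
        }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SecureBootState = $state
        Source          = $source
    }
}

$result = Get-SecureBootState
$result | Format-List
if ($result.SecureBootState -ne 'On') {
    Write-Warning "Secure Boot is $($result.SecureBootState); enable it in the UEFI settings as described above."
}
```

A result of Off means the BIOS steps above apply; Unsupported means the machine booted in legacy mode, so the Secure Boot option may be greyed out or absent until UEFI boot is in use.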

When Secure Boot Is Required
Secure Boot must be enabled to install or upgrade to Windows 11 — Microsoft’s hardware requirements list it as mandatory alongside TPM 2.0. The Windows 11 upgrade checker will flag it as missing if it’s off.
Keep Secure Boot enabled permanently. It prevents boot-kit malware — which loads before any antivirus can run — from hijacking the system startup process without any visible warning.
Disable it only when necessary, such as when installing a Linux dual-boot distribution that does not have signed bootloaders — and re-enable it once the alternative boot setup is configured properly.