Secure Boot is a UEFI firmware security feature that verifies the digital signatures of boot files — preventing boot-level malware called boot kits from loading before Windows starts.

Windows 11 requires Secure Boot to be enabled. If it’s currently off, you’ll need to access your BIOS menu via the Windows Recovery Environment and enable it in Boot Options.

Quick Answer

Go to Settings ? System ? Recovery ? Restart now, then navigate to Troubleshoot ? Advanced options ? UEFI Firmware Settings, enter BIOS, find Boot Options, and enable Secure Boot.

How to Enable Secure Boot in Windows 11

Step 1: Check if Secure Boot Is Currently Enabled

Before opening BIOS, verify the current Secure Boot state so you know whether a change is actually needed — open System Information by pressing Win+R and typing msinfo32.

Windows Run dialog with msinfo32 typed to open System Information

In System Information, look for the Secure Boot State row in the System Summary. If it shows Off, Secure Boot is disabled and you need to enable it in BIOS. If it shows On, no action is needed.

System Information app showing Secure Boot State as Off

Step 2: Boot into the BIOS Menu via Windows Recovery

The only way to enable Secure Boot is through your UEFI BIOS settings. On Windows 11, navigate to Settings ? System ? Recovery and click Restart now under Advanced startup to reach WinRE.

Windows 11 Settings — System — Recovery showing Advanced startup Restart now button

From the WinRE blue screen, navigate to Troubleshoot ? Advanced options and select UEFI Firmware Settings — the system will reboot directly into the BIOS interface for your machine.

WinRE Advanced options showing UEFI Firmware Settings tile

After rebooting, press the key shown on the startup screen to enter BIOS Setup — for example, HP laptops typically show F10, but this varies by manufacturer.

Post-reboot startup screen showing F10 key to enter BIOS Setup

Step 3: Enable Secure Boot in BIOS Boot Options

In the BIOS setup screen, navigate to the System Configuration tab or equivalent section (labeling varies by manufacturer — it may be called Boot, Security, or Advanced), then open Boot Options.

BIOS System Configuration tab with Boot Options selected

Locate the Secure Boot option and change its value to Enabled. Save changes and exit the BIOS — typically with F10 — and the system will restart with Secure Boot active.

BIOS Boot Options screen with Secure Boot toggle set to Enabled

After saving and rebooting, re-open System Information (msinfo32) and confirm that Secure Boot State now shows On — this confirms the change took effect successfully.

System Information showing Secure Boot State as On after enabling in BIOS

When Secure Boot Is Required

Secure Boot must be enabled to install or upgrade to Windows 11 — Microsoft’s hardware requirements list it as mandatory alongside TPM 2.0. The Windows 11 upgrade checker will flag it as missing if it’s off.

Keep Secure Boot enabled permanently. It prevents boot-kit malware — which loads before any antivirus can run — from hijacking the system startup process without any visible warning.

Disable it only when necessary, such as when installing a Linux dual-boot distribution that does not have signed bootloaders — and re-enable it once the alternative boot setup is configured properly.

Related Guides

These Windows 11 configuration and recovery guides are closely related to Secure Boot and BIOS settings on your machine.