How to Enable Secure Boot in Windows 11: A Complete Step-by-Step Guide

Informatec Digital » Windows » How to Enable Secure Boot in Windows 11: A Complete Step-by-Step Guide

Many users who want to install or upgrade to Windows 11 encounter an essential requirement: having Secure Boot enabled. This security feature, while vital for protecting your computer from threats, can be confusing if you've never interacted with your computer's UEFI or BIOS settings. If you're at that point, don't worry, here's a complete guide with Everything you need to know to enable Secure Boot in Windows 11.

Secure Boot is a trusted filter that determines what software can load during system startup and prevents malicious code from executing at boot time. However, enabling it may involve checking your hardware, modifying your firmware, and, above all, thoroughly understanding the process to avoid errors that could complicate your PC's startup. In this article, we guide you step by step, answer frequently asked questions, and provide the best recommendations to help you complete the process successfully and safely.

What is Secure Boot and why is it important in Windows 11?

Secure Boot is a feature introduced with the UEFI (Unified Extensible Firmware Interface) specification. which replaces the traditional BIOS and provides a critical validation layer when turning on the computer.

When active, Secure Boot ensures that only drivers and operating systems signed and verified by the manufacturer or Microsoft are loaded..Therefore, rootkit attacks are prevented or malware that can inject itself into the system's startup process. In Windows 11, Secure Boot (along with UEFI mode) is required to ensure that security from the start.

Recommendations before activating Secure Boot

• Back up your important data: Before modifying firmware settings, back up your personal files. Any errors may render the system temporarily inoperable.
• Update UEFI/BIOS firmware: : Consult your motherboard or computer manufacturer's website and download and install the latest UEFI firmware.
• Check your hardware compatibilityNot all older computers support UEFI or Secure Boot. Check if your computer supports this mode by consulting the official technical information.
• Take note of the keys to access the UEFI/BIOS settings: These are usually Del, F2, F10, F12 or ESC, but may vary depending on the manufacturer.

Does my computer support UEFI Secure Boot?

To find out if your PC supports Secure Boot, there are several ways to check.Here are the most practical methods:

1. Check from system information

1. press Win + R to open Run.
2. Write msinfo32 and press Enter.
3. In the window that opens, look for the field Secure Boot State in the summary.
4. If it appears as Enabled, you now have Secure Boot working. If you see Disabled o Not compatible, you will need to activate it or check the partitioning mode and firmware.

2. Use CMD or PowerShell commands

• Open Command Prompt (CMD) as administrator.
• Run bcdedit /enum {current}.
• Look for the line "route" in the information displayed. If it says winload.efi, the system boots in UEFI mode. If it appears winload.exe, the boot is traditional (Legacy BIOS) and you will need to convert it to UEFI to enable secure boot.

3. Check disk management

1. press Win + R and run diskmgmt.msc.
2. Right-click the system disk. If it says "Convert to GPT disk," the system is in MBR (legacy BIOS). If you see "Convert to MBR disk," it's already in a GPT/UEFI partition.

4. Motherboard manufacturing date

If your motherboard or laptop is newer than 2011, it most likely already has UEFI and Secure Boot support. You can check the date like this:

• Open a CMD and run systeminfo.
• Look for the line BIOS version to see the date and version installed.

How do I enable secure boot step by step?

Steps may vary depending on your equipment manufacturer. (Dell, HP, Lenovo, Asus, Gigabyte, MSI, etc.), but the general procedure is usually very similar.

1. Access UEFI/BIOS settings

1. Restart your computer and as soon as it starts to turn on, repeatedly press the BIOS/UEFI access key (usually Del, F2, F12, F10 or ESC).

2. Check the boot mode

1. Within the configuration, look for the boot options section (Boot, Boot Options, Boot Mode).
2. Make sure the mode is on UEFI and not in legacy BIOS o CSMIf it's in Legacy, you'll need to change it to UEFI, which may require converting the disk from MBR to GPT. For this, it may be helpful to check out the full guide on MSR partition in Windows.

3. Change the partition type to GPT (if necessary)

If your disk is in MBR format and you need to change it to GPT To enable UEFI boot and enable Secure Boot:

• Make a full backup of your data.
• Use the Windows disk conversion tool (Mbr2Gpt.exe) or specialized apps. Run from CMD as administrator: mbr2gpt /convert /allowfullOS.
• Restart your computer and go back to UEFI settings to set the boot mode to UEFI.

4. Enable Secure Boot

1. Inside the BIOS/UEFI, look for a section called Boat, Security o Authentication.
2. Locate the option Secure Boot o Safe start and change the value to Enabled o Enabled.
3. In some cases you will have to go to Key Management o Key management and select Install default Secure Boot Keys (install default keys).
4. Save the changes and exit (usually by pressing F10) and allow the computer to restart.

What should I do if I can't find the secure boot option?

If you don't see the Secure Boot option, it's possible that:

• Your computer does not have UEFI firmware and only has a traditional BIOS.
• CSM (Legacy System Compatibility) mode is enabled. You must disable it.
• The system disk is in MBR format and not GPT.

In any case, consult your motherboard manual or the manufacturer's support website. If the computer is a brand (Dell, HP, Lenovo, Acer, etc.), look for the exact model on the official website and follow the instructions specific to your case.

Specific steps for Gigabyte motherboards (common example in Spain)

1. Back up your data before touching the BIOS.
2. Update the BIOS if necessary (download the latest version from the Gigabyte website).
3. Prepare a Windows 11 installation USB with the official Microsoft tool.
4. Reboot and enter BIOS/UEFI (Delete o F2 at startup).
5. Go to menu Boat and changes Boot Mode a UEFI.
6. Save, exit and restart.
7. Go back into the BIOS, look for Secure Boot in the menus of Security o Boat and activate it.
8. Install the default keys if prompted.
9. Save the changes and restart the PC.