
How to enable and disable Secure Boot


NOTE: This article provides general guidance and may not reflect the exact steps required for your specific system. If you're unfamiliar with accessing or modifying BIOS settings, we strongly recommend consulting a qualified technician or your system manufacturer's support team. Incorrect BIOS configuration can lead to system instability or prevent your computer from starting. Before making any changes, please review your motherboard manufacturer’s documentation and website. Crucial is not responsible for any issues resulting from BIOS modifications. 

What is Secure Boot and what does it do?

Whether you're installing a new operating system, troubleshooting boot issues, or adjusting system settings, you may need to enable or disable Secure Boot. This quick guide walks you through the process step-by-step, helping you make the change confidently and safely. 

Secure Boot is a security feature in Windows designed to help protect systems from malware and unauthorized software during the boot process. Secure Boot reduces the risk of rootkits and kernel-level attacks on a PC by only running software verified against a secure key on a TPM chip on the motherboard. This start-up security is especially important in enterprise environments and for users wanting to play the latest games that use anti-cheat programs relying on Secure Boot compatibility, such as the massively popular Valorant, Battlefield 2042 and Battlefield 6.

Secure Boot and Trusted Platform Module 2.0

To enable and disable Secure Boot in Windows 10 or 11, your motherboard must support a Trusted Platform Module (TPM) 2.0 chip and have TPM enabled. TPM is a microprocessor on motherboards that stores encryption keys with security measures and a tamper-resistant design. Luckily, most PCs shipped in the last 5 years have TPM 2.0 capabilities, but the TPM may need to be manually enabled since most consumer brand motherboards ship with it turned off by default despite supporting it.

Here is a graphic that shows a simplified version of the Secure Boot sequence:

A flow chart image showing the step process for Secure Boot in Windows 10/11.

One of the only big requirements for Windows 11 is having TPM 2.0 enabled, although there are some alternatives to TPM that’ll work on some boards. While having Secure Boot enabled is not required to upgrade to Windows 11, it’s required to play the newest Battlefield 6 game by EA due to their Javelin anti-cheat, as well as the free-to-play Valorant by Riot Games due to Vanguard anti-cheat. These kernel-level anti-cheats help better combat online cheating in multiplayer gaming but often require more intrusive permissions to do so.

How to check if Secure Boot is enabled

It’s helpful to check that Secure Boot isn’t already enabled before going through the rest of the steps. Follow the steps below to check the status of Secure Boot on your system:

  1. Search for and open Run in Windows (or press Windows key + R).
  2. Type msinfo32 into the Open field and press OK.
  3. If it doesn’t open to the System Summary screen, select System Summary in the left-hand menu.
  4. Check the following lines in System Summary:
    • BIOS Mode - set to UEFI
    • Secure Boot State - set to On

If the BIOS Mode isn’t set to UEFI and Secure Boot State isn’t on or is incorrect, keep following the guide. If the BIOS Mode is Legacy and your Windows disk partition is Master Boot Record (MBR), those settings will need to be changed as Secure Boot requires the disk partition to be GUID Partition Table (GPT).


Verify TPM 2.0 status and compatibility

Since TPM 2.0 must be enabled to turn on Secure Boot, let’s check the status of TPM on your system. TPM settings are managed through the UEFI BIOS and will vary depending on the manufacturer of your specific motherboard. To see whether your PC supports TPM or already has it active:

  1. Search for and open Device security in Windows.
  2. Look for the Security processor section:
    • TPM is disabled if there isn’t a Security processor section present (see below image).
    • Under Security processor details, verify the specification version is 2.0. Any version less than 2.0 cannot support Windows 11. There may be some other alternatives to TPM available depending on your specific motherboard.
Screenshot of the Windows Device security window with the Security processor section called out. 

OR

  1. Press the Windows + R keys, type tpm.msc, and click OK. 
  2. Verify your PC’s TPM support and version. 

How to enable TPM

Enable TPM through Windows UEFI

If TPM isn’t enabled, you’ll need to adjust the correct settings through your PC UEFI/BIOS. Accessing UEFI/BIOS varies based on your PC and motherboard manufacturer. To access the UEFI/BIOS in Windows 11 (if supported): 

  1. Search for and open Recovery Options in Windows.
  2. Under the Recovery Options section, click Restart now next to Advanced startup.
    • The computer will restart and open the advanced startup options.
  3. Select Troubleshoot > Advanced options > UEFI Firmware Settings > Restart.
  4. The exact sub-menu location of these settings may vary slightly depending on the version of your Windows.
  5. The setting to enable/disable TPM may be labeled something different depending on your PC/version. Some examples of potential naming include: TPM State, AMD fTPM switch, AMD PSP fTPM, Intel PTT, Security Device or Security Device Support.

Enable TPM through BIOS

If you’re unable to access the UEFI or your Windows version doesn’t contain the necessary option, then it may be necessary to access your PC BIOS to adjust the correct setting. The exact steps to enable TPM through BIOS vary depending on the motherboard manufacturer. For the most accurate steps on accessing BIOS and enabling TPM, please refer to the PC manufacturer’s website or manual. Here are some of the most common manufacturers and their TPM instructions:

  • Acer
  • ASUS
  • Dell
  • Gigabyte
  • Lenovo
  • MSI

Check Windows partition style

To enable Secure Boot, the partition style for your Windows drive must be set to GUID Partition Table (GPT) instead of Master Boot Record (MBR).

Verify Windows disk partition

To check what partition style is currently set: 

  1. Search for and open Disk Management in Windows.
  2. Find your main Windows drive at the bottom (most likely Disk 0 or 1), right-click the section and select Properties.
  3. Select the Volumes tab at the top of the Properties window that appears. Look at the Partition style line:
    • GUID Partition Table (GPT) means you’re good to go. You can move to the enabling Secure Boot section.
    • MBR means it’ll need to be changed to GPT in the following steps.
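
The three checks above (msinfo32, Device security or tpm.msc, and Disk Management) can also be read in one pass from an elevated PowerShell window. This is an added example, not part of the original article; Get-PreflightStatus is a hypothetical helper name, and the script only reads state and changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): read-only pre-flight check.
# Get-PreflightStatus is a hypothetical helper name.

function Get-PreflightStatus {
    # BIOS Mode, as msinfo32 reports it: 'Uefi' or 'Bios' (Legacy).
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Secure Boot State: the cmdlet returns $true/$false on UEFI systems and
    # raises an error on Legacy BIOS systems, where Secure Boot is unavailable.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' }
    } catch {
        $secureBoot = 'Not supported (Legacy BIOS or no Secure Boot)'
    }

    # TPM presence from Get-Tpm; specification version from the Win32_Tpm class.
    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'n/a' }

    # Partition style (GPT or MBR) of the disk Windows boots from.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1

    [pscustomobject]@{
        BiosMode        = $firmware
        SecureBootState = $secureBoot
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        TpmSpecVersion  = $tpmSpec
        BootDiskNumber  = $bootDisk.Number
        PartitionStyle  = [string]$bootDisk.PartitionStyle
    }
}

$s = Get-PreflightStatus
$s | Format-List

# List which of the article's remaining steps still apply to this machine.
$todo = @()
if ($s.BiosMode -ne 'Uefi')          { $todo += 'Switch BIOS mode from Legacy to UEFI' }
if ($s.PartitionStyle -ne 'GPT')     { $todo += "Convert disk $($s.BootDiskNumber) from MBR to GPT" }
if (-not $s.TpmPresent)              { $todo += 'Enable TPM (fTPM / PTT) in firmware' }
elseif ($s.TpmSpecVersion -ne '2.0') { $todo += 'TPM specification version is not 2.0' }
if ($s.SecureBootState -ne 'On')     { $todo += 'Enable Secure Boot in firmware' }
if ($todo) { $todo | ForEach-Object { "TODO: $_" } } else { 'All checks match the target state.' }
```

The BootDiskNumber value is the number to use in the disk: argument of the mbr2gpt commands in the next section.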

Change partition style from MBR to GPT

  1. Press the Windows + R keys and type powershell but DO NOT hit Enter or OK.
  2. Press CTRL + Shift + Enter to launch PowerShell in administrator mode.
    • Select Yes if prompted by Windows to allow changes.
  3. Type the following command into the PowerShell window. Be sure to note the spaces: mbr2gpt /validate /disk:0 /allowfullOS and press Enter.
    • The window title needs to read Administrator at the top.
    • The disk:0 section needs to match the disk number in the Disk Management window.
  4. Once the previous process finishes, type the following command into the same window. Be sure to note the spaces: mbr2gpt /convert /disk:0 /allowfullOS and press Enter.
  5. Open Disk Management again and verify the partition style is now GUID Partition Table (GPT).

Change your BIOS to UEFI mode

One more requirement for enabling Secure Boot is making sure your BIOS mode is set to UEFI instead of Legacy. If your BIOS mode was shown as Legacy earlier in the ‘How to check if Secure Boot is enabled’ section, it’ll need to be changed. Adjusting the setting is typically done through the BIOS settings under Advanced Mode (depending on motherboard).

If you need assistance locating the BIOS mode setting, please refer to the manufacturer’s manual or website. Here are some of the most common manufacturers and their BIOS instructions: 

 

How to enable and disable Secure Boot

With the BIOS Mode set to UEFI, TPM 2.0 enabled and your disk partition set to GUID Partition Table (GPT), it’s finally time to enable Secure Boot. The setting for Secure Boot can be found in the BIOS. To access the BIOS, press the corresponding key that appears on the monitor during setup. 

Access BIOS through Advanced startup options

  1. Search for and open Change advanced startup options in Windows.
  2. In the Recovery options, click Restart now next to Advanced startup.
  3. Select Troubleshoot.
  4. Select Advanced options.
  5. Select UEFI Firmware Settings.
  6. Click Restart. Your computer will restart and enter your BIOS.

Enable and disable Secure Boot in BIOS

The look, layout and wording of the BIOS menu will be different depending on the motherboard manufacturer. For exact instructions on enabling or disabling Secure Boot through your specific BIOS, refer to the manufacturer’s manual or website. 

  1. Navigate to the Boot or BIOS tab at the top.
  2. Find the Boot Options or Secure Boot section.
  3. Switch Secure Boot to Enabled.
  4. If you’d like to disable Secure Boot, repeat the previous steps and choose Disabled.
  5. Save and exit the BIOS to apply the setting. 

Conclusion

With Secure Boot enabled, you’re ready to upgrade to Windows 11 or dive into the latest and upcoming game titles, like Battlefield 6 and Valorant, that require Secure Boot. Now that you’re ready to jump into the action, make sure your rig is up to the task with lightning-fast memory that’ll get you in the action faster, and powerful storage upgrades to keep your entire game library ready to go.  

Use the free and easy Crucial System Scanner or Upgrade Selector tool to easily find compatible upgrades for your PC.  

FAQs

  • Does Secure Boot affect performance?

    Secure Boot itself doesn’t affect system performance. It’s simply a security feature during the boot process that verifies the integrity of the OS outside of normal operation. Secure Boot may add a negligible amount of time to the boot-up process but has no impact on your PC performance after startup.  

  • Can TPM 2.0 be added to any motherboard?

    A TPM 2.0 module cannot be added to just any motherboard. Some motherboards may have a designated connector for a TPM 2.0 module while others do not. Additionally, some CPUs have built-in TPM functionality (like Intel PTT or AMD fTPM) that may make a discrete TPM module unnecessary. 

  • What does fTPM do?

    Firmware Trusted Platform Module (fTPM) is a security feature integrated into modern CPUs and motherboard firmware that provides the same security functionalities as a dedicated TPM chip. It enables a secure environment for cryptographic operations and protects sensitive data without requiring a separate physical chip.

  • Does Windows 10 require Secure Boot to be enabled?

    Windows 10 doesn’t require Secure Boot, but it’s a highly recommended security feature that protects against malware by ensuring only trusted software runs during startup. You can install Windows 10 without Secure Boot enabled.  
