Enabling Secure Boot on Windows 10: A Step-by-Step Guide

Guide to Enabling Secure Boot on Windows 10

Secure Boot is a critical security feature for Windows 10 systems, functioning exclusively under Unified Extensible Firmware Interface (UEFI).If your computer uses legacy Basic Input/Output System (BIOS), specific steps are essential to enable this feature properly. Below, we outline what Secure Boot is, why you should enable it, and how to do so based on your firmware type.

Understanding Secure Boot

Secure Boot is a UEFI firmware feature designed to enhance system security by permitting only trusted software to load during the boot process. It serves as a protective measure against boot-level malware, including bootkits and rootkits, which pose significant security risks. Although Windows 11 strongly recommends activating Secure Boot, it is not universally enabled by default in Windows 10 systems.

Benefits of Enabling Secure Boot

While Secure Boot is not mandatory for installing Windows 10, it is highly advised, especially as an increasing number of applications now necessitate its activation. Enabling Secure Boot fortifies the system against malware and rootkits that may compromise the boot process. Notably, certain modern games (e.g., Battlefield 6) require Secure Boot for compliance with anti-cheat protocols.

When to Disable Secure Boot

In some instances, turning off Secure Boot may be necessary—particularly when using older hardware or non-Windows operating systems. Although it’s recommended to keep Secure Boot enabled for optimal security, being aware of these exceptions is important for maintaining compatibility with various software and hardware configurations.

This guide provides detailed steps to enable Secure Boot for both UEFI and BIOS systems operating Windows 10.

Enabling Secure Boot on Windows 10 (UEFI)

If your Windows 10 computer is equipped with modern hardware, it likely already operates on UEFI, which typically uses GPT partitioning. To enable Secure Boot, you need to first verify its current status and then proceed with the activation if it is turned off.

1. Verify Secure Boot Status

Follow these steps to check if your system is using UEFI and the status of Secure Boot:

Start the system.
Search for System Information and select the appropriate result to open it.
In the left pane, click on System Summary.
Look for the BIOS Mode entry and confirm it lists UEFI.

Note: If it displays Legacy, this indicates the device is operating with BIOS, making it incompatible with Secure Boot.

Next, check the Secure Boot State to ensure it shows as On. If it is off, manual activation will be necessary.

Once these steps confirm UEFI firmware, you can proceed to enable Secure Boot. If your system shows as BIOS, conversion from MBR to GPT and switching to UEFI is required before enabling Secure Boot.

2. Activating Secure Boot in UEFI

If your system utilizes UEFI, follow these instructions to enable Secure Boot:

Navigate to Settings.
Go to Update & Security.
Select the Recovery option.
Click the Restart now button under the Advanced startup section.
After the restart, click Troubleshoot.
Under Advanced options, select UEFI Firmware settings.
Click Restart.
Access the settings page—this may involve navigating to either advanced, security, or boot options, depending on your motherboard.
Select Secure Boot and set it to Enabled.

After completing these steps, Secure Boot will be active on your Windows 10 computer.

Enabling Secure Boot on Windows 10 (BIOS)

For devices using legacy BIOS, the first step is converting from MBR to GPT. Please note, once you switch to GPT, your system won’t boot until you switch to UEFI. It’s advisable to validate that your particular device can switch to UEFI firmware by checking with your manufacturer.

1. Check the Partition Style in Windows 10

To determine your drive’s partition style, execute the following steps:

Open Start.
Search for Disk Management and select the top result.
Right-click on the disk and select Properties.
Access the Volumes tab.
Look at the Partition style to confirm whether it’s listed as MBR or GPT.

After completing these checks, you’ll understand your current partition style. If using legacy BIOS, it is likely that your disk is set to MBR, which will require conversion.

2. Converting MBR to GPT Style

To convert your partition style from MBR to GPT, follow these steps:

Open Settings.
Select Update & Security.
Go to Recovery.
Click on Restart now under Advanced startup.
Select Troubleshoot.
Go to Advanced options.
Create a new Command Prompt instance.
Sign in using your administrator account credentials if prompted.
Run the command: mbr2gpt /validate to check if your drive can be converted.
After validation, run: mbr2gpt /convert to convert the disk.
Type exit to close the Command Prompt.
Shut down your computer.

Using mbr2gpt will only convert the system drive unless specified otherwise. Make sure you’re only converting the necessary drive.

3. Switching from BIOS to UEFI

To change from BIOS to UEFI, perform the following:

Boot your computer into the firmware settings.

Note: Accessing firmware settings may vary by manufacturer; generally, pressing Delete, Esc, or a Function key during boot will prompt entry options.

Locate the relevant settings page (boot sequence, advanced, or boot options).
Disable the legacy BIOS and activate UEFI mode.
Save the settings.
Power off your machine.

Once these steps are complete, the next task is to enable Secure Boot in UEFI.

4. Activating Secure Boot in UEFI

Follow these final steps to turn on Secure Boot in the UEFI settings:

Reboot into the firmware settings.
Depending on your motherboard, navigate to the advanced, security, or boot options settings.
Find the Secure Boot option and set it to Enabled.
Save your changes.
Restart the computer.

After following these steps, your system should successfully boot with Secure Boot enabled. Additionally, if you are continuing with Windows 10, ensure that the TPM 2.0 security feature is also activated if needed.

Source & Images