This guide explains how to enable or disable Secure Boot on Windows 10 and Windows 11 PCs. It describes what Secure Boot is, why it’s important, and provides information to help you determine whether Secure Boot is supported on your device.
What is Secure Boot?
Secure Boot is a feature of PCs with UEFI firmware that only allows trusted software to run when your PC starts. This prevents malware (including rootkits) from loading before the operating system. Windows 10 and Windows 11 both support Secure Boot, as do many Linux operating systems. Secure Boot is only supported on UEFI firmware and is not available on PCs that use a legacy BIOS.
Secure Boot works by verifying the cryptographic signatures of software being loaded at boot and only allows software that has been signed with a trusted key to run (for example, your Windows operating system will not boot if its signature cannot be verified as having come from Microsoft).
Secure Boot is vital in the modern cybersecurity landscape, protecting you from malware that hides from Windows and anti-malware tools by loading before it boots, and ensuring the integrity of your firmware, bootloaders, and operating system.
When Secure Boot is disabled, these checks are not performed, and any software can be run at boot time.
Why enable or disable Secure Boot?
Generally, you should leave Secure Boot enabled on all of your devices due to the security benefits it provides. However, there are some scenarios where you may need to disable it:
- When using operating systems that do not support Secure Boot (for example, some Linux distributions)
- When dual booting both Windows and Linux
- When you need to use custom drivers that lack valid digital signatures
Before you disable Secure Boot, you should assess whether it is necessary, and that the software you will be booting with Secure Boot disabled is from a trusted source.
Prerequisites before changing Secure Boot settings
Before you attempt to enable or disable Secure Boot, you should back up your important data. While configuring Secure Boot settings will not affect your Windows license or activation and does not remove or modify files on your hard drives, your system may fail to boot afterward if not configured correctly. Critically, if you have BitLocker enabled, you may need to enter a recovery key after changing Secure Boot settings — so make sure you have this on hand before you make any changes.
You should also confirm whether Secure Boot is already enabled or disabled by checking its status.
Tutorial: How to enable or disable Secure Boot
Enabling or disabling Secure Boot must be done from the UEFI setup interface of your system — not from within Windows 10 or Windows 11.
Accessing this setup interface is usually done by pressing a certain key on your keyboard or device while it is starting up. Usually this is indicated with a message on-screen (for example, Press ESC to enter setup). If it is not, you will need to consult the user manual for your device, or find it through trial-and-error. This is commonly one of the DELETE, ESCAPE, F1, F2, F10, or F12 keys.
Once you have accessed the UEFI setup interface, you will need to locate the Secure Boot setting to turn it on or off. The location of this will differ depending on your device’s manufacturer, and can either be located by consulting the user manual, or by paging through the settings screens until you find it (thankfully, UEFI usually supports mouse and keyboard input, making it easy to navigate).
The steps to configure Secure Boot for several popular PC manufacturers are described below, however note that these steps may vary between specific device models. You may need to use different keyboard shortcuts, encounter different phrasing, or need to navigate to a different menu location:
Changing Secure Boot settings on Dell devices
- Reboot your device and press the F2 key as it starts to enter the UEFI interface
- Secure Boot settings can be toggled in Boot Configuration
- Save changes and exit by pressing the F10 key
Changing Secure Boot settings on HP devices
- Reboot your device and press the F10 key as it starts to enter the UEFI interface
- Secure Boot can be turned on or off in Advanced > Secure Boot Configuration
- Save changes and exit by pressing the F10 key
Changing Secure Boot settings on Asus devices
- Reboot your device and press the F2 or DELETE key as it starts to enter the UEFI interface
- Secure Boot settings can be found in either the Boot or Advanced tab
- Save changes and exit by pressing the F10 key
Changing Secure Boot settings on Acer devices
- Reboot your device and press the F2 key as it starts to enter the UEFI interface
- Secure Boot can be enabled or disabled in Boot > Secure Boot
- Save changes and exit by pressing the F10 key
Troubleshooting common Secure Boot common issues
Secure Boot may not be available if Fast Boot is enabled on your device or an administrator password is not set. If your system fails to boot after changing Secure Boot settings, you may need to toggle it to its previous state or boot into Windows recovery mode and run Startup Repair to resolve the issue.
If you are encountering issues with boot signatures, it may be necessary to completely reset your UEFI to its default settings from the setup interface available at boot time.
Securing devices in enterprise and education environments
Keeping fleets of Windows 10 and 11 devices, including managing security settings and configuring Secure Boot, is a daunting task for more than a few devices.
Endpoint management by NinjaOne allows you to centrally manage Windows 10, Windows 11, as well as Apple and Android devices at scale. You can view your entire IT infrastructure from a unified interface, and confirm that your security policies and settings (including Secure Boot) are enforced for all devices in your organization.
