Activate Secure Boot for Windows 11



You need Secure Boot, among other things, if you want to update your PC to Windows 11. We’ll tell you how you can activate the function on your system.

A secure system start, also known as secure boot, is becoming more and more important for PCs. Among other things, an activated Secure Boot is a prerequisite for the installation of Windows 11. But not every computer supports Secure Boot and it is not activated everywhere where the feature is supported. We’ll show you how to activate Secure Boot on your PC.

Deactivate Secure Boot

If you instead want to know how to deactivate Secure Boot on your computer, you should have a look at the following article:

Deactivate Secure Boot: Here’s how

What is Secure Boot?

Secure Boot is a feature of the PC’s firmware (the UEFI BIOS) that ensures a safe start of the PC. Before the operating system boots, the feature checks whether the software that runs during startup has been compromised – for example by viruses or other malicious code. For the system to start with Secure Boot activated, the relevant components must be digitally signed with a key that the firmware trusts.

Secure Boot is a security feature that offers effective protection against hackers and malware. At the same time, however, the feature prevents alternative operating systems such as Linux or some older programs from running on the PC. Microsoft even stipulates an active Secure Boot for the installation of Windows 11.

What requirements do you need for Secure Boot?

Secure Boot is mainly supported by newer computers that have come onto the market in recent years. The function may be missing with older models. The same goes for motherboards. Newer models mostly support Secure Boot, but often do not have the feature activated at the factory.

To use Secure Boot, the computer’s BIOS must be running in UEFI mode. This is the case with the vast majority of ready-made PCs that came onto the market after 2012. In principle, however, it is possible to operate the BIOS of a PC either in UEFI or in a legacy mode. Secure Boot is not available when the BIOS is running in legacy mode.

Current laptops should already have Secure Boot activated.

The latter is particularly true of many DIY PCs. Practically all current mainboards support UEFI mode, but many users forgo it when setting up their computer for the first time and instead set up the system in legacy mode. In most cases this is not a problem, but it becomes a stumbling block when trying to update the computer to Windows 11.

If you have put together your own computer, you should check whether the mainboard generally supports the UEFI mode. You can find the information on this either in the manual or on the manufacturer’s website.

UEFI or Legacy BIOS?

Before you can activate Secure Boot, you should first check whether the BIOS of your PC is running in UEFI or legacy mode.

  1. To do this, open the “System Information” app, which you can find using the Windows search
  2. Look for the entry “BIOS” and check whether it says “UEFI” or “Legacy”

Secure Boot only works if your BIOS is running in “UEFI” mode.

If your BIOS is already running in UEFI mode, you can skip the next point and jump straight to the point “Activate Secure Boot in BIOS” in this article. However, if it is still running in legacy mode, you must first switch from legacy to UEFI mode.

Switch from legacy to UEFI mode in the BIOS

Basically, the best way to switch from legacy to UEFI mode is to completely set up the system from scratch, including reinstalling Windows. The two modes use different partition schemes on the system hard drive: Legacy uses the older MBR partition scheme, while UEFI uses the newer GPT.

Since a completely new setup is out of the question for many users, Microsoft introduced the MBR2GPT program with Windows 10 version 1703. It does not have its own graphical interface and can only be controlled by commands via the command prompt.

Security backup

What you do with the following steps is basically a reformatting of the system hard drive without losing any data. Although the process has been tried and tested and also worked smoothly in the test, we recommend that you create a safety backup of your system as a precaution before you continue.

  1. Restart the PC and hold down the Shift key while clicking the “Restart” button
  2. Wait for the PC to reboot in Safe Mode
  3. Click on “Troubleshoot > Advanced Options > Command Prompt”
  4. Log in to your account and enter the password if necessary

Now the classic command prompt starts, with which you can trigger the change from the MBR partition scheme to the newer GPT scheme. First of all, you should check whether your disk can be converted to the new partition scheme at all. To do this, type in the following command and confirm with Enter:

mbr2gpt /validate

When the check ends with the line “Validation completed successfully”, the disk is ready to be converted. If the check gives a different result, you should cancel the process at this point. In this case, the only remaining option is to set up the PC again from scratch.

You can control the MBR2GPT tool using commands in the command prompt.

However, if the disk has passed the check, you can start the conversion with the command:

mbr2gpt /convert

The conversion should only take a few seconds to a few minutes in total. If the conversion worked, the line “Conversion completed successfully” should appear. However, the message “Failed to update ReAgent.xml, please try to manually disable and enable WinRE” may also appear. This means that the recovery environment could not be migrated. You can fix this error later in Windows.

Restart the PC after successfully completing the conversion, but make sure to switch directly to the BIOS after starting by holding down the key required for this shortly after switching on. Depending on the motherboard manufacturer, this is either F1, F2, F8, F12, ESC or Del. Find out in advance in the manual or on the website of the motherboard manufacturer which key you can use to enter the BIOS.

Then look in the BIOS under “Boot” or “Boot Options” for an option to switch from legacy to UEFI mode. The exact menu path can differ depending on the mainboard. Again, it’s best to refer to the manufacturer’s manual or website for advice. Often the legacy mode in the BIOS is also referred to as compatibility mode or CSM compatibility mode.

At the motherboard manufacturer ASRock, the CSM compatibility mode must be deactivated in order to use the BIOS in UEFI mode.

As soon as you have made the change in the BIOS, you can save the settings, exit the BIOS and restart the PC. After restarting Windows, open “System Information” again and check whether “UEFI” is now displayed for the “BIOS” entry.

Fix conversion errors

If the line “Failed to update ReAgent.xml, please try to manually disable and enable WinRE” appears when converting from MBR to GPT, you can fix this later in Windows.

  1. Search for “Command Prompt” in the search field
  2. Right click the app and select “Run as administrator”
  3. At the command prompt, run the following commands, one at a time:

reagentc /disable
reagentc /enable

Activate Secure Boot in the BIOS

To activate Secure Boot, you have to switch to the BIOS of your computer. To do this, restart the computer and hold down the key that will take you to the BIOS immediately after switching on. The key differs depending on the manufacturer of the mainboard. As a rule, manufacturers use either F1, F2, F12, ESC or Del. Find out more about the correct key for your mainboard in the manual or on the manufacturer’s website.

In the BIOS you now have to look out for the setting for Secure Boot or Safe Start. This is usually located under “Security”, “Boot”, “Boot options”, “Secure” or “Authentication”. The exact menu path can differ from mainboard to mainboard, which is why you should also refer to the manual here if in doubt.

As soon as you have found the entry, set Secure Boot to “activated” or “enabled” and save the setting in the BIOS. Then exit the BIOS and restart the PC. Secure Boot should now be activated.
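
The checks from “UEFI or Legacy BIOS?” and the result of this last step can also be read out from an elevated PowerShell window in Windows. The following script is an added example and not part of the original article; the function name Get-SecureBootReadiness and the wording of the hints are made up for illustration, while the cmdlets it calls are standard Windows ones.

```powershell
# Added example. Run in an elevated PowerShell window on the installed Windows.
function Get-SecureBootReadiness {
    # Firmware mode as Windows sees it: 'Uefi', or 'Bios' for legacy/CSM mode.
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Partition scheme of the disk the PC boots from: 'MBR' or 'GPT'.
    $disk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # PlatformNotSupportedException when the firmware runs in legacy mode.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        $secureBoot = 'NotAvailable'
    } catch {
        # Typically a missing elevation; keep the reason instead of guessing.
        $secureBoot = "Unknown ($($_.Exception.Message))"
    }

    # Map the three facts onto the article's steps (hint wording is illustrative).
    $next = if ($secureBoot -eq 'Enabled') {
        'Nothing to do: Secure Boot is active.'
    } elseif ($secureBoot -like 'Unknown*') {
        'Re-run from an elevated PowerShell window.'
    } elseif ($firmware -eq 'Uefi') {
        'Enable Secure Boot in the firmware setup, if the board offers it.'
    } elseif ($disk.PartitionStyle -eq 'GPT') {
        'Disk is already GPT: switch the firmware from legacy/CSM to UEFI mode.'
    } else {
        'Back up, run mbr2gpt /validate and /convert, then switch the firmware to UEFI mode.'
    }

    [pscustomobject]@{
        FirmwareMode   = $firmware
        SystemDisk     = $disk.Number
        PartitionStyle = $disk.PartitionStyle
        SecureBoot     = $secureBoot
        NextStep       = $next
    }
}

Get-SecureBootReadiness | Format-List
```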

Summary

  1. Secure Boot is a prerequisite for installing Windows 11 on the PC
  2. The feature is supported by most current computers and mainboards, but is often deactivated, especially in systems that you build yourself
  3. You can activate Secure Boot in the BIOS of your computer
  4. However, the prerequisite is that the BIOS runs in UEFI mode and not in Legacy or CSM compatibility mode
  5. You can change the BIOS mode later via the Windows command prompt

Steve
