With Windows 10 reaching end of support and Windows 11’s hardware baseline enforced across upgrades and some modern games, checking whether Secure Boot is enabled — and enabling it correctly if it isn’t — has moved from optional housekeeping to an essential step for many PC owners and gamers.
		
		
	
	
Background / Overview
Secure Boot is a UEFI firmware feature first shipped to mainstream PCs with Windows 8. Its role is simple but powerful: the firmware only allows early-boot components (firmware drivers, bootloaders, and the OS loader) that carry valid digital signatures to run, blocking unsigned or tampered code at the earliest possible stage. Secure Boot is often used together with a Trusted Platform Module (TPM) to produce measured-boot signals and device attestation that modern Windows features and several anti‑cheat systems now rely on. Microsoft’s Windows 11 baseline explicitly expects UEFI + Secure Boot capability and TPM 2.0 on supported systems. Why the sudden urgency? Two factors intersect: Microsoft’s push for a higher platform security baseline (TPM 2.0 + Secure Boot) for Windows 11, and game publishers tying kernel/early-boot anti‑cheat attestation to those same primitives. The result: a device that boots under legacy BIOS/MBR or simply has Secure Boot disabled might be blocked from upgrading to Windows 11 — and in some cases, blocked from launching new multiplayer titles until firmware settings are corrected.
How to check whether Secure Boot is enabled (fast checks)
There are several quick, authoritative ways to confirm Secure Boot status from inside Windows. Use at least one GUI method and one command-line method to be sure.
1) System Information (msinfo32) — the quick visual check
- Press Win + R, type msinfo32, and press Enter to open System Information.
- On the default System Summary page look for BIOS Mode (should read UEFI) and Secure Boot State (On / Off / Unsupported).
 This is the fastest way most users will confirm status. If Secure Boot State reads On and BIOS Mode reads UEFI, Windows recognizes Secure Boot as active.
2) PowerShell — Confirm-SecureBootUEFI
- Run PowerShell as Administrator and enter:
 Confirm-SecureBootUEFI
- Return values:
  - True = Secure Boot is enabled and the platform supports it.
  - False = Secure Boot is supported but not enabled.
  - Cmdlet not supported on this platform = non‑UEFI/legacy BIOS platform.
 This cmdlet is an authoritative binary check; run it when you need a clear True/False answer programmatically.
3) TPM and partition checks (complementary)
- Press Win + R, type tpm.msc and press Enter to check TPM presence and Specification Version (Windows 11 expects TPM 2.0).
- Open Disk Management → right‑click the system disk → Properties → Volumes to confirm Partition style is GUID (GPT). Secure Boot requires UEFI/GPT; if your disk is MBR you’ll need to convert to GPT before enabling Secure Boot.
4) Gaming and third‑party probes
- Steam’s client shows Secure Boot and TPM in Help > System Information if you have Steam installed; this is useful for gamers who want a one-click check before launching titles with anti‑cheat enforcement.
- WhyNotWin11 and similar compatibility scanners also report Secure Boot, TPM, and other Windows 11 prerequisites in a single view — handy for inexperienced users and troubleshooting.
Why msinfo32 / Confirm-SecureBootUEFI may disagree with BIOS
Modern firmware implementations can be confusing: a motherboard’s UEFI UI might show Secure Boot Enabled while Windows reports Secure Boot Off. Common causes:
- Firmware advertises the option but the required keys (Platform Key / KEK / DB) are not enrolled or active.
- Firmware is still running in CSM/Legacy compatibility mode even though Secure Boot is “enabled” in a superficial sense.
- BitLocker / TPM provisioning or driver state discrepancies.
How to enable Secure Boot — a safe, step‑by‑step path
Enabling Secure Boot on supported hardware is straightforward in principle but must be sequenced carefully to avoid rendering the system unbootable or triggering BitLocker recovery.
Preflight: the safety checklist (do this first)
- Back up critical data (full image recommended).
- If BitLocker is active, suspend BitLocker and export the recovery key before changing firmware/partitioning. Firmware changes commonly trigger BitLocker recovery.
- Confirm firmware supports UEFI (msinfo32 → BIOS Mode = UEFI). If it reads Legacy/CSM, you will need to convert your disk to GPT or perform a clean UEFI install.
- Update motherboard/laptop firmware to the latest vendor release — many OEMs exposed TPM/PTT and Secure Boot toggles via firmware updates.
1) Verify current Windows state (repeat)
- msinfo32 → check BIOS Mode and Secure Boot State.
- tpm.msc → confirm TPM presence and Specification Version = 2.0.
- Disk Management → verify system disk is GPT.
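The same Windows-side verification as one read-only pass from an elevated PowerShell session. This is an added example, not part of the original article; the function name Get-SecureBootState and the report field names are made up for illustration, while the cmdlets and the Win32_Tpm class are standard Windows components.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only readiness report. It changes nothing on the system.

function Get-SecureBootState {
    # Collapse the three outcomes of Confirm-SecureBootUEFI into one string.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    }
    catch [System.PlatformNotSupportedException] {
        'Unsupported (legacy BIOS/CSM boot)'
    }
    catch {
        "Unknown ($($_.Exception.Message))"   # e.g. session not elevated
    }
}

# Win32_Tpm.SpecVersion is a comma-separated string; the first field is the spec level.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'No TPM visible to Windows' }

# The system disk and its partition style (GPT or MBR).
$sysDisk = Get-Disk | Where-Object IsSystem | Select-Object -First 1

# BitLocker state of the OS volume; the cmdlet is absent on editions without BitLocker.
$bl = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
}

$report = [pscustomobject]@{
    SecureBoot     = Get-SecureBootState
    TpmSpecVersion = $tpmSpec
    SystemDisk     = $sysDisk.Number
    PartitionStyle = "$($sysDisk.PartitionStyle)"
    BitLocker      = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Not available' }
}
$report | Format-List

# Ready only when every Windows-side prerequisite listed above holds.
$ready = $report.SecureBoot -eq 'On' -and
         $report.TpmSpecVersion -eq '2.0' -and
         $report.PartitionStyle -eq 'GPT'
"UEFI Secure Boot On + TPM 2.0 + GPT: $ready"
```

A SecureBoot value of Off with PartitionStyle GPT points at a firmware setting; Unsupported with PartitionStyle MBR means the disk conversion comes first.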
2) Convert MBR → GPT if required (use Microsoft’s supported tool)
If Disk Management shows MBR, Secure Boot requires converting the boot disk to GPT. Microsoft’s supported non‑destructive tool is mbr2gpt.exe. Use it in validation mode first, then convert only when validation succeeds.
Example validated sequence (run from an elevated Command Prompt):
- Validate the disk (replace X with disk number, usually 0):
 mbr2gpt.exe /validate /disk:X /allowFullOS
- If validate succeeds, convert:
 mbr2gpt.exe /convert /disk:X /allowFullOS
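The preflight and the validate-then-convert rule combined into one gated script, as an added example that is not part of the original article. The parameter names DiskNumber and Convert are made up for illustration; the script assumes an elevated PowerShell session and that mbr2gpt.exe reports success with exit code 0.

```powershell
#Requires -RunAsAdministrator
# Added example: only convert after the BitLocker preflight and a clean /validate.
param(
    [int]$DiskNumber = 0,   # assumption: the system disk is disk 0; confirm first
    [switch]$Convert        # without -Convert the script validates and stops
)

$vol = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
}
if ($vol -and "$($vol.ProtectionStatus)" -eq 'On') {
    # Refuse to continue unless a recovery password exists to fall back on.
    $recovery = $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' }
    if (-not $recovery) {
        throw "No recovery password protector on $env:SystemDrive. Add one and store it first."
    }
    "Recovery protector ID(s): $($recovery.KeyProtectorId -join ', ')"
    'Confirm the matching recovery key is stored off this machine before continuing.'
    if ($Convert) {
        # RebootCount 0 keeps protection suspended until Resume-BitLocker is run.
        Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 0 | Out-Null
    }
}

# Validation is read-only; a non-zero exit code means a precondition failed.
& mbr2gpt.exe /validate "/disk:$DiskNumber" /allowFullOS
if ($LASTEXITCODE -ne 0) {
    throw "Validation failed (exit code $LASTEXITCODE). Disk $DiskNumber was not converted."
}

if ($Convert) {
    & mbr2gpt.exe /convert "/disk:$DiskNumber" /allowFullOS
    if ($LASTEXITCODE -ne 0) { throw "Conversion failed (exit code $LASTEXITCODE)." }
    'Converted. Set firmware to UEFI before the next boot.'
    'Run Resume-BitLocker after Secure Boot is verified in Windows.'
}
else {
    'Validation passed. Re-run with -Convert to perform the conversion.'
}
```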
3) Reboot to UEFI/BIOS and enable TPM
Enter your firmware settings (common keys: DEL, F2, F10, F12, Esc or via Windows Advanced Startup → Troubleshoot → Advanced Options → UEFI Firmware Settings). Locate the TPM-related option and enable it. Vendor naming varies:
- Intel: Intel PTT (Platform Trust Technology)
- AMD: fTPM or AMD fTPM Switch
- Motherboards: TPM, Security Device Support, TPM‑SPI
4) Switch Boot Mode to UEFI and enable Secure Boot
In UEFI firmware:
- Set Boot Mode to UEFI (disable CSM/Legacy).
- Locate Secure Boot under Boot, Security or Authentication menus.
- If necessary, set OS Type to Windows UEFI or restore factory default keys, then set Secure Boot = Enabled.
Save and reboot, then verify from Windows:
- msinfo32 shows BIOS Mode = UEFI and Secure Boot State = On.
- Optionally run Confirm-SecureBootUEFI in an elevated PowerShell.
Troubleshooting common problems and how to fix them
Secure Boot option greyed out
Common causes:
- Firmware still in Legacy/CSM mode — switch to UEFI after converting disk to GPT.
- Factory keys are missing/invalid — restore Default/Factory Secure Boot keys or set an admin password first on some firmwares.
BitLocker recovery prompt on boot after changes
This is expected if BitLocker was not suspended; you’ll need the recovery key to proceed. Always suspend BitLocker before firmware or disk conversions and store recovery keys safely (Microsoft account, USB, printout).
Game or anti‑cheat still refuses to run after you enabled Secure Boot
- Fully power off the PC (shut down, not sleep) and then power on — some platforms require a full power cycle to apply new Secure Boot variables.
- Try toggling Secure Boot mode: set to Custom, save & restart, then set back to Standard/Default. Community reports show this sometimes forces correct key enrollment.
Drivers or legacy kernel-mode components stop working
Secure Boot enforces kernel-mode driver signature checks. Older unsigned drivers (special RAID/HBA drivers, legacy AV kernel agents) may be blocked. Update drivers to signed, vendor-supported versions or uninstall and replace legacy components.
Dual-boot and Linux users
Enabling Secure Boot may prevent unsigned Linux kernels or custom GRUB builds from booting. Solutions:
- Use a signed shim (many distributions provide an official shim signed by a trusted CA).
- Enroll custom keys in firmware (complex and not recommended for casual users).
- If you depend on the Linux installation and a particular unsigned kernel, plan accordingly — toggling Secure Boot off for gaming will reintroduce the problems that anti‑cheat systems are trying to solve.
Special cases, edge‑conditions and enterprise considerations
- Managed corporate devices: some IT departments ship with TPM or Secure Boot disabled by policy. Changing firmware on company equipment may violate policy — contact IT.
- Older hardware without UEFI/Secure Boot: replacement of the motherboard (or entire system) may be the only path to meet Windows 11 and new anti‑cheat requirements.
- Virtual machines: Secure Boot and TPM in VMs require hypervisor support and configuration (e.g., Hyper‑V virtual TPM).
- Large fleets and telemetry: enterprises may need to coordinate certificate rollouts and firmware updates; Microsoft provides tooling and guidance for managed rollouts of new Secure Boot certificate sets. Treat Secure Boot variable updates as a staged program with pilot rings and recovery plans.
The technical facts you can rely on (verified claims)
- Windows 11 requires UEFI firmware with Secure Boot capability and TPM 2.0 for supported upgrades. This is part of Microsoft’s stated system requirements.
- mbr2gpt.exe is Microsoft’s supported tool to convert a system disk from MBR to GPT without data loss when strict preconditions are met; always validate before converting.
- Confirm-SecureBootUEFI is the PowerShell cmdlet that returns True if Secure Boot is enabled and False if it is disabled; on legacy BIOS it returns an error (not supported). Use it for a clear programmatic check.
- Enabling TPM (Intel PTT or AMD fTPM) and Secure Boot can trigger BitLocker recovery if BitLocker is active and was not suspended. Suspend BitLocker before making firmware or partition changes.
Practical step‑by‑step checklist (short, copyable)
- Back up important data and export BitLocker recovery keys.
- Run msinfo32 → confirm BIOS Mode = UEFI and Secure Boot State.
- Run tpm.msc → confirm TPM present and Specification Version = 2.0.
- If the disk is MBR: run (admin) mbr2gpt.exe /validate /disk:0 /allowFullOS then /convert if validation passes.
- Reboot, enter UEFI firmware (DEL/F2/F10 or Advanced Startup → UEFI Firmware Settings).
- Enable TPM / Intel PTT / AMD fTPM, set Boot Mode = UEFI, disable CSM, enable Secure Boot, and restore factory keys if asked.
- Save and reboot. Verify msinfo32 shows Secure Boot State = On and Confirm-SecureBootUEFI returns True.
- Re-enable BitLocker and update protectors if needed.
Risks, tradeoffs, and what to watch for
- Data loss and unbootable states: The single biggest risk is making firmware/partition changes without backups. Converting partition schemes or switching to UEFI-first mode can break multi-boot or older OS setups. Always back up.
- BitLocker recovery lockouts: Failing to suspend BitLocker will typically force recovery. If you do not have recovery keys, you may be locked out. Always export/store keys offline.
- Driver and application compatibility: older kernel-mode drivers or low-level AV/backup tools may not be signed in a way Secure Boot accepts. Test critical applications after enabling Secure Boot.
- Accessibility and multi-boot: enforcement by games and DRM/anti‑cheat raises accessibility concerns (Linux users, Steam Deck, non‑standard setups). Evaluate whether enabling Secure Boot will block necessary workflows and plan accordingly.
- Unsupported bypasses: unofficial registry hacks and third‑party installers can bypass Windows 11 checks. These are unsupported and increase security and compatibility risk. When possible, use the supported path (firmware configuration + GPT conversion) or upgrade hardware.
Final notes and recommended next steps
- If your goal is simply to get Windows 11 or to play a modern title requiring Secure Boot: start with msinfo32 and tpm.msc. If those show UEFI + Secure Boot On + TPM 2.0 + GPT, you’re likely ready. If any item fails, follow the validated sequence above.
- For gamers: check the game publisher’s official support pages for current enforcement plans (some titles have staged rollouts). Valve’s Steam client and game launchers are beginning to report Secure Boot/TPM state so you can preflight before buying or installing.
- For IT admins: treat Secure Boot and certificate rollouts as a staged program, inventory devices, pilot firmware updates, and maintain an updated BitLocker recovery plan. Microsoft and OEM guidance exists for managed deployment of new Secure Boot keys.
Conclusion
Checking and enabling Secure Boot requires a few careful verification steps in Windows, a cautious preflight (backups and BitLocker suspension), possible non‑destructive conversion of the system disk to GPT with Microsoft’s mbr2gpt tool, and a firmware change to turn on Secure Boot and TPM (Intel PTT / AMD fTPM). Follow the sequence above, consult your PC or motherboard vendor documentation for model‑specific menus, and plan for recovery scenarios. Doing this once, correctly, positions your PC for a supported Windows 11 upgrade and for modern software that depends on a trusted boot environment.
Source: Neowin How to check if SecureBoot is enabled and how to turn it on
