Secure Boot: How to enable it to prepare for Windows 11


What is Secure Boot and is it easy to enable?

Secure Boot ensures that all software involved in the boot sequence is trusted and has not been compromised by malware before it lets the operating system start. If Secure Boot detects an untrustworthy software signature, it starts system recovery instead of booting. This prevents attacks on important operating system files that would otherwise make it easy for malware to bypass detection by antivirus software.

We can enable Secure Boot easily with a couple of commands and a reboot. We'll be entering the BIOS to make some of the changes as well.


Step 1: Reboot into Advanced Startup

If you aren't reading this on your phone, now is the time to switch over, because we are going to be rebooting the computer into Advanced Startup.

To do this, open Settings and go to the "Update & Security" section. From there, click the "Recovery" tab on the left sidebar. In here, click "Restart Now" under the "Advanced startup" header.

Once the computer is restarted into Advanced startup, click on "Troubleshoot", then "Advanced Options", and then "Command Prompt". At this point, the computer may restart again and you will need to log in with your username and password.




Step 2: Convert your boot drive to UEFI

We will now use mbr2gpt, Microsoft's built-in tool for converting an MBR disk to the GPT layout that UEFI boots from. Unlike methods of the past, this tool is non-destructive and will give you warnings if it's unable to complete. With Command Prompt open, run this command:

mbr2gpt /validate

This will check to be sure we're able to continue and change the disk type to UEFI. The output should look something like the screenshot below:

If that completed successfully, we can run the final command to convert the drive:

mbr2gpt /convert




Step 3: Tell the BIOS to use UEFI instead of the Legacy boot method

Right now, your BIOS is in one of two states: UEFI/Legacy mode or just Legacy mode. If it's in UEFI/Legacy mode, it's possible to boot into Windows at this point, but we will still need to enable Secure Boot. If it's in Legacy mode, we need to change it to UEFI mode first.

To boot into your computer's BIOS, restart the computer and rapidly press Delete, F12, or F2. If those keys don't work, try some other F-keys until it boots into BIOS.

Once it's in BIOS, look around the screen and see if there is a search box. If there is, type in UEFI or Legacy to go straight to the setting we need to change. Otherwise, look for the BIOS's "Boot" section to find the setting.

Change the setting so it boots in UEFI mode.




Step 4: Enable Secure Boot

Now that the computer can boot again, and the prerequisites are met, we can finally enable Secure Boot.

Staying in the boot section of the BIOS, look for the Secure Boot setting. It simply needs to be switched from disabled to enabled.

Once that's completed, you will need to save the settings and reboot. There will be a section in the BIOS for exiting, and within that section, there will be an option along the lines of "Save and Reboot" or "Save and Exit".
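Once Windows is back up, you can confirm that each step took effect from an elevated PowerShell prompt. The script below is an added example, not part of the original guide; the function name Get-SecureBootReadiness is made up for illustration, and it relies only on the built-in Get-Disk, Get-ComputerInfo and Confirm-SecureBootUEFI cmdlets.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell prompt after booting back into Windows.
function Get-SecureBootReadiness {
    # Step 2: partition style (MBR or GPT) of the disk Windows boots from.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1

    # Step 3: firmware mode this session was started in (Bios or Uefi).
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Step 4: Confirm-SecureBootUEFI returns True/False on a UEFI boot and
    # raises an error on a Legacy boot or in a non-elevated prompt.
    $secureBoot = $false
    $detail = $null
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $detail = $_.Exception.Message   # keep the reason for the report
    }

    # Report the first step of the guide that still has to be done.
    $next = if (-not $bootDisk) {
        'Boot disk not found; inspect Get-Disk output by hand'
    } elseif ($bootDisk.PartitionStyle -ne 'GPT') {
        'Step 2: disk is not GPT; run mbr2gpt /validate, then mbr2gpt /convert'
    } elseif ($firmware -ne 'Uefi') {
        'Step 3: switch the firmware boot mode from Legacy to UEFI'
    } elseif (-not $secureBoot) {
        'Step 4: enable Secure Boot in the firmware boot settings'
    } else {
        'None: GPT disk, UEFI boot, Secure Boot on'
    }

    [pscustomobject]@{
        DiskNumber     = $bootDisk.Number
        PartitionStyle = $bootDisk.PartitionStyle
        FirmwareType   = $firmware
        SecureBoot     = $secureBoot
        SecureBootNote = $detail
        NextStep       = $next
    }
}

Get-SecureBootReadiness | Format-List
```

If SecureBootNote is filled in, read it before trusting the SecureBoot value: an access-denied message means the prompt was not elevated, not that Secure Boot is off.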


Ready for Windows 11

With your boot drive converted to UEFI and Secure Boot enabled, you are one step closer to meeting the towering heights of Windows 11 system requirements. Let me know how it goes and otherwise, thanks for reading!