Secure Boot is a security standard built into modern computer firmware (UEFI) that checks whether your operating system and boot files have been digitally signed by a trusted manufacturer. When you power on your device, Secure Boot verifies these signatures before allowing anything to run. If a file fails verification, the system won't boot.
The feature combats bootkit malware and rootkits, which historically exploited the boot process to gain deep system access before your antivirus could intervene. By locking down this early stage, Secure Boot closes a significant attack vector.
How it affects you: Secure Boot is standard on Windows 11 systems and enabled by default on most modern devices. For Linux users and those installing alternative operating systems, Secure Boot can complicate installation, since only signed bootloaders will run. You may need to temporarily disable it or enrol custom keys if you're using specialist software.
Common misconceptions: Secure Boot is not encryption, nor does it protect your data once the system boots. It's purely a gatekeeper for the startup process. It also won't prevent you from running malicious software you deliberately install after boot.
When to care: If you're buying a new laptop or desktop, check whether Secure Boot is enabled. If you're building a custom Linux system or using specialist industrial software, you may need to manage Secure Boot keys or temporarily disable it. Most users benefit from leaving it on.
You typically configure Secure Boot in your device's UEFI settings (often accessed by pressing Delete, F2, or F10 during startup, depending on manufacturer).