- Secure Boot prevents unauthorized software from running during boot.
- It can be easily verified from Windows without entering the BIOS
- The Confirm-SecureBootUEFI cmdlet displays a Boolean result
- It is mandatory to have it activated to install Windows 11
Secure Boot mode, or Secure Boot, is a security feature built into systems using UEFI (Unified Extensible Firmware Interface), designed to ensure that the computer boots using only trusted software. It's especially important in environments where the security of the operating system and its components must be guaranteed from the moment the computer is turned on.
In many situations, such as when you want to install an alternative operating system or check if your computer is ready for standards like those required by Windows 11, you may need to know if Secure Boot is enabled. This can be easily done from the command line in Windows using tools like msinfo32 or the PowerShell cmdlet Confirm-SecureBootUEFI.
What is Secure Boot and what is it for?
Secure Boot is a security mechanism present in UEFI systems that prevents unsigned or uncertified software from running during the boot process. This prevents, for example, the loading of malware or any type of software that does not come from a source verified by the OEM manufacturer.
This system was introduced by Microsoft with Windows 8 and has been a fundamental part of security improvements in later versions, including Windows 10 and Windows 11. When enabled, the UEFI firmware verifies that the digital signatures of all drivers, the OS and boot software are valid before allowing them to run.
Check if Secure Boot is enabled from Windows
Instead of restarting the computer and directly accessing the BIOS or UEFI, Windows allows you to check whether Secure Boot is enabled using built-in tools. This greatly simplifies the process for users who are inexperienced in manipulating their computer's firmware settings.
Option 1: System Information (msinfo32)
- Press Windows + R to open the Run box.
- Type msinfo32 and press Enter.
- In the window that appears, find the field Secure Boot State.
This field will display one of the following values:
- Enabled: The system has Secure Boot enabled.
- Disabled: Secure Boot is inactive, but available.
- Not compatible: Your device's firmware does not support this feature.
Option 2: Using PowerShell with Confirm-SecureBootUEFI
For more advanced users, you can open a PowerShell console with administrator privileges and run the following command:
Confirm-SecureBootUEFI
This cmdlet returns:
- True: Secure Boot is enabled.
- False: Secure Boot is disabled.
- Compatibility Error: Indicates that the system does not support UEFI or Secure Boot.
This method is especially useful for audit scripts or enterprise environments where you want to automate the security status check of multiple devices.
Common errors when running Confirm-SecureBootUEFI
When you run the cmdlet you may get an error like "Cmdlet not supported on this platform". This could be due to two factors:
- Your BIOS is set to Legacy mode instead of UEFI.
- Your firmware does not have Secure Boot available or active, something common in older or customized equipment.
Importance of Secure Boot in Windows 11
One of the mandatory requirements for installing Windows 11 is to have Secure Boot enabled, along with TPM 2.0. This decision by Microsoft responds to the need to establish stronger security foundations for new operating systems. Secure Boot works in conjunction with other technologies such as BitLocker and Windows Hello to provide a more secure environment from the start.
If you're unsure whether your computer can run Windows 11, checking the status of Secure Boot is an essential step during diagnostics. You can learn more about how to perform this process by accessing the BIOS or UEFI.
Manual review from BIOS or UEFI
If after using the above methods you still have questions or need to enable or disable Secure Boot, you will need to directly access your computer's BIOS/UEFI:
- Restart your computer and press the corresponding key to access the BIOS (usually F2, Del or Esc).
- Once inside, look for the Security or Boot tab.
- There you will find the Secure Boot option. You will be able to change its status between Enabled and Disabled.
Note that not all manufacturers allow you to modify this setting. In some cases, the option may be blocked or unavailable if the system does not meet certain requirements.
Compatibility and errors in business environments
In environments like Microsoft Intune, you may find that devices appear as not compliant with security requirements even though Secure Boot is enabled. This is especially true when working with devices with TPM 1.2, as many policies require TPM 2.0, which requires full UEFI support to function properly. If you want to better understand the differences between these TPM modules, review the differences between TPM 1.2 and TPM 2.0.
When a Mobile Device Management (MDM) policy is configured to require Secure Boot and TPM 2.0, computers that do not meet either of these requirements may be displayed as "Not compatible". To avoid confusion, it is advisable to properly audit the TPM version and firmware configuration, ensuring that:
- TPM is enabled and visible from the console tpm.msc.
- BIOS mode is in UEFI, which can be verified by reviewing the Windows 11 installation.
- The PCR7 configuration is linked to volume protection.
Check additional protections
To check if the system disk is protected by PCR7 (Platform Configuration Register), you can run the following command from PowerShell:
manage-bde -protectors -get $env:systemdrive
This command displays the BitLocker protectors, and if it says it's associated with PCR7, it means that Secure Boot and other security measures are working correctly.
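The checks described above (Confirm-SecureBootUEFI with its error cases, firmware mode, TPM version and the PCR7 binding) can be combined into one audit function. This is an added example, not part of the original article: the function name, property names and the compliance rule are assumptions, and it must run from an elevated PowerShell and expects English manage-bde output.

```powershell
# Added example: boot-security audit for one device (run elevated).
# Get-BootSecurityAudit, its property names and the Compliant rule are hypothetical.
function Get-BootSecurityAudit {
    $r = [ordered]@{
        Computer     = $env:COMPUTERNAME
        FirmwareMode = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
        SecureBoot   = $null
        TpmSpec      = $null
        Pcr7Bound    = $null
        Compliant    = $false
    }

    # Confirm-SecureBootUEFI returns a Boolean, or throws on Legacy BIOS or
    # firmware without Secure Boot. Keep those cases distinct from "False".
    try {
        $r.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        $r.SecureBoot = 'Unsupported'      # "Cmdlet not supported on this platform"
    } catch [System.UnauthorizedAccessException] {
        $r.SecureBoot = 'NotElevated'      # console was not started as administrator
    } catch {
        $r.SecureBoot = "Error: $($_.Exception.Message)"
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'NotFound' }

    # Read the PCR validation profile of the TPM protector from manage-bde.
    # Stays $null when the system drive has no TPM protector.
    $bde = manage-bde -protectors -get $env:SystemDrive 2>&1 | Out-String
    if ($bde -match 'PCR Validation Profile:\s*([\d,\s]+)') {
        $pcrs = $Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $r.Pcr7Bound = $pcrs -contains '7'
    }

    # Assumed policy: UEFI + Secure Boot on + TPM 2.0 + BitLocker bound to PCR7.
    $r.Compliant = ($r.FirmwareMode -eq 'Uefi') -and ($r.SecureBoot -eq 'Enabled') -and
                   ($r.TpmSpec -eq '2.0') -and ($r.Pcr7Bound -eq $true)
    [pscustomobject]$r
}

Get-BootSecurityAudit | Format-List
```

Because the result is a single object per device, it can be collected from many machines and exported with Export-Csv for comparison against what the MDM console reports.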
License types and relationship with Secure Boot
Windows OEM licenses are usually tied to the hardware of the equipment and its firmware. This means that if your device is OEM, it most likely already has Secure Boot enabled from the factory. You can check your license type using the following commands in CMD or PowerShell:
- slmgr /dli: displays the license type.
- slmgr /dlv: offers deeper details.
- slmgr /upk: removes the license.
There is also the RETAIL license, which is activated with your Microsoft account and is not restricted to hardware.
Knowing this information is also helpful in understanding whether your system is designed to comply with security standards like Secure Boot. For more information on how to check the status of Secure Boot, you can visit this page.
Knowing whether Secure Boot is active is critical, as it facilitates system protection from startup and is a requirement for many platforms and security configurations. Using the built-in Windows tools or accessing the BIOS directly ensures an efficient and secure check of this feature's status.
