禁用安全启动(Disabling Secure Boot)会解锁Windows PC(Windows PCs)上的一些高级功能。只有禁用安全启动(Secure Boot)的计算机才能安装Linux、从不受信任的设备启动并使用某些售后显卡。但是,您必须(重新)启用安全启动(Secure Boot)才能将您的 PC 升级到Windows 11。
如果您计划从 USB 驱动器全新安装 Windows 11,(clean install Windows 11 from a USB drive)则无需担心启用安全启动(Secure Boot)。但这是您在不丢失任何数据的情况下升级到 Windows 11(upgrade to Windows 11 without losing any data)必须做的事情。本教程介绍了验证计算机安全启动(Secure Boot)状态的步骤。此外,我们将向您展示如何为Windows 11安装
启用安全启动。(Secure Boot)
什么是 Windows 中的安全启动?
Secure Boot是由一组计算机制造商设计的安全标准。安全功能写入您 PC 的固件中,以确保您的设备安全。固件或Basic Input/Output System( BIOS ) 是在操作系统之前启动的硬件组件。当您打开计算机时,安全启动(Secure Boot)会检查您的设备制造商不信任的程序和恶意软件。
例如,假设您的 PC 感染了针对您计算机的引导加载程序(启动Windows的软件)的引导工具包。Secure Boot检测并关闭 bootkit,确保您的计算机使用真实的引导加载程序文件启动。
为了在Windows 11(Windows 11)中获得更好的安全性,微软(Microsoft)将操作系统设计为在支持安全启动(Secure Boot)的计算机上运行。安全启动(Secure Boot)要求是有充分理由的,但某些计算机默认情况下没有启用该功能。幸运的是,启用安全启动(Secure Boot)并不棘手。
使用“PC 健康检查”验证(Verify)Windows 11 资格
在启用安全启动(Secure Boot)之前,请使用 PC Health Check应用程序确认您的计算机可以运行Windows 11。该应用程序全面诊断您的 PC 硬件并报告安全启动(Secure Boot)和其他系统组件的问题。
安装 PC Health Check 应用程序(Install the PC Health Check app)并在“ Introducing Windows 11”部分
中选择立即检查。(Check)
如果您的设备上禁用了安全启动(Secure Boot),PC健康检查(Health Check)应用程序和 Windows 11设置(Set Up)实用程序将显示“此 PC 必须支持安全启动(Secure Boot)”错误。以下部分包含有关验证计算机安全启动(Secure Boot)状态
的分步说明。
受信任的平台模块(Trusted Platform Module)版本 2.0 ( TPM 2.0 ) 是您必须启用才能运行Windows 11的另一个安全设置。如果 PC健康检查(Health Check)应用显示其他与处理器相关的错误,则您的计算机可能不满足TPM系统要求。在 PC 的 BIOS 设置中启用 TPM,(Enable TPM in your PC’s BIOS settings)然后再次尝试安装Windows 11。
如何在Windows中检查(Windows)安全启动状态(Secure Boot Status)
使用Microsoft 系统信息(Microsoft System Information)工具验证系统的安全启动(Secure Boot)状态。
- 按Windows键 + R,在对话框中键入 msinfo32,然后选择确定。
- 选择侧边栏上的 System Summary(Select System Summary),在窗口右侧找到“BIOS Mode”,并确保它读取UEFI。
- 向下滚动(Scroll)列表并找到Secure Boot State。
如果找不到“ Secure Boot State ”,请按Ctrl + F,在搜索栏中键入安全启动,然后按Enter。
如果值为“关闭”,则您的 PC 上的安全启动已禁用。(” Secure Boot)继续下一节以了解如何启用安全启动(Secure Boot)。之后(Afterward),启用安全启动(Secure Boot),您现在应该能够将您的 PC 升级到Windows 11。
注意:如果您的 PC 使用Legacy BIOS,您可以随时切换到UEFI(统一可扩展固件接口(Unified Extensible Firmware Interface))。MBR2GPT(到GUID 分区表(GUID Partition Table)的主引导记录)工具允许您在(Master Boot Record)Legacy BIOS和UEFI之间切换,而无需重新安装Windows。有关详细说明,请参阅有关将 Windows 10 BIOS 更改为 UEFI 模式的教程(tutorial on changing Windows 10 BIOS to UEFI mode)。
如何在Windows中启用(Windows)安全启动(Secure Boot)
如果您的计算机的安全启动(Secure Boot)功能被禁用,以下是重新打开它的方法。
- 打开电脑的设置(Settings),进入> Updates和Security > Recovery,然后选择立即重启(Restart)。
- 等待您的 PC启动进入系统恢复菜单(boot into the system recovery menu)。选择疑难解答以继续。
- (Choose Advanced)在下一页上
选择高级选项。
- 选择 UEFI 固件设置。
注意:如果您在页面上没有找到“UEFI 固件设置”,则您的 PC 主板没有TPM芯片。这意味着您的计算机无法运行 Windows 11。
- 选择重新启动按钮。
等待(Wait)您的计算机启动BIOS设置实用程序。BIOS设置页面的界面会因电脑主板的型号或制造商而异。
- 前往“安全”、“身份验证”或“引导”部分。找到“安全启动模式”(Secure Boot Mode)或“安全启动(Secure Boot)”选项并确保它已“启用”。
如果禁用,请使用键盘上的箭头键导航到Secure Boot,然后按Enter。选择启用(Select Enabled)并再次按Enter。
- 转到Exit选项卡并选择Exit Saving Changes。在确认中选择 Yes(Select Yes)并按Enter。
等待(Wait)您的计算机重新启动并尝试再次升级到Windows 11。您还应该使用系统信息(System Information)工具来确认您的 PC 的安全启动(Secure Boot)状态现在处于打开状态。
无法启用安全启动(Boot)?试试(Try)这些步骤
如果您的计算机不允许您启用安全启动(Secure Boot),请将 BIOS 重置为默认设置(reset the BIOS to default settings),然后重试。有时,您可能需要重置您的 PC(不删除文件)(reset your PC (without deleting files))以重新启用安全启动(Secure Boot)。如果这些故障排除步骤失败,请联系您的 PC 制造商以获得支持。
How to Enable Secure Boot for Windows 11
Disabling Secure Boot unlocks some advanced capabilities on Windows PCs. Only Secure Boot-disabled computers can install Linux, boot from non-trusted devices, and use certain aftermarket graphics cards. However, you must (re)enable Secure Boot to upgrade your PC to Windows 11.
You need not worry about enabling Secure Boot if you plan to clean install Windows 11 from a USB drive. But it’s something you must do to upgrade to Windows 11 without losing any data. This tutorial covers steps to verify your computer’s Secure Boot status. Additionally, we’ll show you how to enable Secure Boot for Windows 11 installation.
What Is Secure Boot in Windows?
Secure Boot is a security standard designed by a group of computer manufacturers. The security feature is written in your PC’s firmware to keep your device safe. The firmware or Basic Input/Output System (BIOS) is a hardware component that boots before the operating system. When you turn on your computer, Secure Boot checks for programs and malware not trusted by your device’s manufacturer.
For example, say your PC is infected with a bootkit targeting your computer’s bootloader (the software that starts Windows). Secure Boot detects and shuts down the bootkit, ensuring your computer boots with an authentic bootloader file.
For better security in Windows 11, Microsoft designed the operating system to work in computers that support Secure Boot. The Secure Boot requirement is for good reasons, but some computers don’t have the feature enabled by default. Luckily, enabling Secure Boot isn’t tricky.
Verify Windows 11 Eligibility Using “PC Health Check”
Before enabling Secure Boot, use the PC Health Check app to confirm that your computer can run Windows 11. The app diagnoses your PC’s hardware comprehensively and reports issues with Secure Boot and other system components.
Install the PC Health Check app and select Check now in the “Introducing Windows 11” section.
The PC Health Check app and Windows 11 Set Up utility will display a “This PC must support Secure Boot” error if Secure Boot is disabled on your device. The following section has step-by-step instructions on verifying your computer’s Secure Boot status.
Trusted Platform Module version 2.0 (TPM 2.0) is another security setting you must enable to run Windows 11. If the PC Health Check app displays other processor-related errors, your computer probably doesn’t satisfy the TPM system requirement. Enable TPM in your PC’s BIOS settings and try installing Windows 11 again.
How to Check Secure Boot Status in Windows
Use the Microsoft System Information tool to verify your system’s Secure Boot status.
- Press Windows key + R, type msinfo32 in the dialog box, and select OK.
- Select System Summary on the sidebar, locate “BIOS Mode” on the right side of the window, and ensure it reads UEFI.
- Scroll down the list and locate Secure Boot State.
If you can’t find “Secure Boot State,” press Ctrl + F, type secure boot in the search bar, and press Enter.
If the value is “Off,” Secure Boot is disabled on your PC. Proceed to the next section to learn how to enable Secure Boot. Afterward, enable Secure Boot, and you should now be able to upgrade your PC to Windows 11.
Note: If your PC uses Legacy BIOS, you can always switch to UEFI (Unified Extensible Firmware Interface). The MBR2GPT (Master Boot Record to GUID Partition Table) tool lets you switch between Legacy BIOS and UEFI without reinstalling Windows. Refer to this tutorial on changing Windows 10 BIOS to UEFI mode for detailed instructions.
How to Enable Secure Boot in Windows
If your computer’s Secure Boot feature is disabled, here’s how to turn it back on.
- Open your computer’s Settings, go to > Updates & Security > Recovery, and select Restart Now.
- Wait for your PC to boot into the system recovery menu. Select Troubleshoot to proceed.
- Choose Advanced options on the next page.
- Select UEFI Firmware Settings.
Note: If you don’t find “UEFI Firmware Settings” on the page, your PC’s motherboard doesn’t have a TPM chip. That means your computer can’t run Windows 11.
- Select the Restart button.
Wait for your computer to boot the BIOS setup utility. The interface of the BIOS settings page will vary depending on the model or manufacturer of your computer’s motherboard.
- Head to the “Security,” “Authentication,” or ”Boot” section. Locate the Secure Boot Mode or Secure Boot option and ensure it’s “Enabled.”
If disabled, use the arrow keys on your keyboard to navigate to Secure Boot and press Enter. Select Enabled and press Enter again.
- Go to the Exit tab and select Exit Saving Changes. Select Yes on the confirmation and press Enter.
Wait for your computer to reboot and try upgrading to Windows 11 again. You should also use the System Information tool to confirm that your PC’s Secure Boot state is now on.
Can’t Enable Secure Boot? Try These Steps
If your computer doesn’t let you enable Secure Boot, reset the BIOS to default settings, and try again. Sometimes, you may need to reset your PC (without deleting files) to re-enable Secure Boot. Contact your PC manufacturer for support if these troubleshooting steps prove abortive.