This applies to PCs, laptops, & tablets using AMD or Intel CPUs that are designed to run Windows or Linux. I expect it to be relevant to very few people -- I'm writing this because I've recently seen a spate of articles on this obscure topic that were grossly incomplete... I'm afraid that anyone following their advice risks at the least chaos, and at the worst a now useless device.
Type msinfo32 in the Run box and click OK -- this will bring up a window showing whether UEFI & Secure Boot is on.
Important considerations: You will probably notice no difference with your device set up to use UEFI booting. 2nd, Secure Boot is not infallible -- it's better on than off, but not nearly as bulletproof as Microsoft might claim, since keys have been leaked and default keys included in BIOS when they should have been deleted. Also, Microsoft's been working for years to change how Secure Boot keys are stored, with their new setup requiring a BIOS update that is not compatible with all BIOS, and will likely never come for devices that are no longer supported by the manufacturer. If Microsoft ever makes that new setup mandatory, which they say they will, you might have to disable Secure Boot to keep your device working. Furthermore, the Secure Boot key that's been used for years is expiring in 2026. There's a decent chance that older devices will not be able to update to whatever new key is released. While it's part of the stated requirements for Win11, Win11 will install & work fine on devices using Legacy/CSM booting -- you just need to use one of the tools like Rufus for installing Win11 on unsupported hardware. And if you're thinking of switching to UEFI booting you probably have older hardware, & so need to use something like Rufus or Flyoobe anyway.
That out of the way, I'll start with the BIOS, which very basically is the controller chip on the motherboard, the main circuit board that all the components are either mounted on or attached to. When you turn on the device the BIOS takes a quick inventory of the connected components, then finds the boot loader for the OS, e.g., Windows or Linux, on a hard disk and starts the OS, a process which is called booting. Any device made from around 2010 on uses a BIOS that conforms [more or less] to the UEFI standard. A BIOS that does not conform to that spec is said to use Legacy booting. And here it starts to get complicated... Very many BIOS conform to the UEFI spec or standard, but also offer a Legacy mode BIOS emulation that's usually referred to as CSM. If/when the BIOS has CSM enabled, it's normally possible to disable CSM, thereby enabling UEFI in the BIOS settings. And once that's accomplished Secure Boot can be enabled & activated -- that can require 2 separate steps. The Big issue is that once that's done, the currently installed OS Very often will not start/work, or in some cases, the BIOS may reenable CSM mode automatically.
Potential problems actually start before that can happen however, accessing and making changes to the BIOS using its setup menus. Usually, but not always, you access the BIOS setup menus by pressing a hot key repeatedly immediately after powering a device on from a powered off state. That hot key is often F2 or Delete, but could be any F key or Escape, or may not in fact exist. You *may* be able to get to the BIOS settings from the Recovery page in Settings [I've seen it there and also seen it missing], or alternatively have the option to boot to the Windows boot menu on the same page -- the menu that appears when Windows fails to start 3 or 4 times in a row -- which may or may not give you the option to go into the BIOS settings [again I've seen it both ways].
Once you are in the BIOS settings you may or may not be able to use a mouse, and will need at least a keyboard, which matters if you're working with a tablet. You'll have to find the menu tab, and likely submenus to disable CSM & enable UEFI, but note that there may be related settings as well, e.g., Fast Boot. Enabling Secure Boot, if desired, is a 2nd step.
Secure Boot works by comparing a stored key with the OS boot loader files. Depending on the BIOS -- every one is different -- you may have to select and enable the default key(s) before you can activate Secure Boot. And that may trigger a BIOS reset & restart. In that case, after the restart you'll have to make sure every other setting in the BIOS is correct, and there can be Very many. At the least an incorrect setting(s) can hurt performance, while at the worst, the devise simply will not work. Because of that you'll want to note or take pictures with your phone of those settings before the reset. To maybe add a bit of emphasis, you can Google those settings to find out what they mean and how they should be set, but you probably Will NOT find every setting that way.
OK, at this point, with the BIOS set to boot using UEFI, the easiest, best way to proceed is to reinstall the OS, wiping the system hard disk in the process. One reason for that approach is that legacy/CSM booting usually uses a hard disk with MBR partitioning, while UEFI is normally GPT. That is not engraved in stone by the specs, But, many BIOS will automatically go into CSM mode if the hard disk is MBR, or use UEFI if the disk is GPT. There's an older Windows tool to turn a hard disk using MBR into GPT, and it's something that's also often available in partitioning apps, and switching from MBR to GPT does work, with one sometimes important caveat -- it may not work for every partition on that hard disk. If/when it doesn't work, the original MBR partition has to be cloned to another hard disk/VHD [VHD = Virtual Hard Disk], converted, then cloned in place on the now GPT hard disk. Obviously partition image backups and added disk space are nice things to have in that case.
Another problem is the OS boot loader. First, be aware that not every Linux distro is UEFI or Secure Boot compatible. If the distro you use is compatible you may be able to switch to a UEFI &/or Secure Boot boot loader, but I'm not expert enough in Linux to tell you how. With Windows you've got one or two problems. UEFI booting requires the boot loader files on a separate FAT32 partition, while Legacy/CSM booting does not. If that partition is not there then it has to be created, with one partition shrunk to make room for it. It should be at least 100MB, but I've seen docs recommending 500MB -- this PC uses 100MB & is fine FWIW. Windows uses different boot loaders for Legacy/CSM & UEFI, and you can add either or both to that FAT32 partition using the Windows tool, BCDBoot. One big caveat is that it does not always work -- it'll create the boot loader files, but they may work, or not. The BCD boot loader is not well documented, with many keys and values in a registry hive that's normally not visible in Regedit. If/when the boot loader you create does not work, it **may** work to use the BCDBoot app from another version of Windows. It also **may** work to install a fresh copy of Windows with the BIOS set to UEFI & optionally Secure Boot, wiping the hard disk in the process, then once you're sure Windows starts and runs OK, replace the Windows partition with a restored backup of your old Windows partition. [I've had both methods both work & fail -- AFAIK it's a coin flip.]
And a final related note, if/when you're installing a fresh copy of Windows you'll likely want to boot to a USB stick with Windows setup files on it. You may be able to select booting from that USB stick or drive using Windows boot menu -- the one that comes up after 3-4 unsuccessful attempts to start Windows -- or your device might let you use a hot key to bring up a boot drive menu, which tells the BIOS where to look first for a boot loader. That hot key might be any of the F keys, & you may be able to find it by Googling or looking in the manual. If you can't get to that menu, if it isn't offered, then you'll have to go into the BIOS settings. If you're lucky there will be a boot order override menu that you can set to boot from a USB drive/stick just once. If not, look for the boot drive order menu, selecting the USB stick/drive there. If you do that, you *might* find afterward that the device tries to boot to any USB stick/drive that's inserted when you turn the device on, and if that's the case, when you're done you might want to set that menu order to have the drive with Windows boot loader first. And there's an additional wrinkle once Windows is set up to boot using UEFI... that BIOS menu with the boot drive order may only show the Windows boot loader now, with every other drive missing. In that case it usually works to reset the BIOS, which should be an option on the menu page where you save new settings and restart, after which the BIOS should show ever attached drive. When you reset the BIOS however you need to check every setting in the BIOS to make sure it's correct -- as above, an incorrect setting or settings may hurt performance, or worse case, render the device inoperable.