How to Check if Secure Boot is Enabled in Batch Script
Secure Boot is a fundamental security standard developed by the PC industry to ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). By preventing the loading of unauthorized "malicious" drivers or operating systems during the startup process, Secure Boot protects against rootkits and other pre-boot attacks. For IT administrators and security auditors, verifying Secure Boot status is a mandatory check for system hardening.
This guide explains how to use Batch and PowerShell to audit your hardware's boot security.
Why Validate Secure Boot?
- Ransomware and Rootkit Defense: Ensuring that the system's "Chain of Trust" is unbroken from the moment the power button is pressed.
- Operating System Requirements: Verifying compatibility for Windows 11, which requires Secure Boot to be supported and enabled for installation.
- Compliance Monitoring: Meeting hardware security standards for regulated industries (e.g., government, healthcare, and finance).
Secure Boot is a feature of UEFI (Unified Extensible Firmware Interface). If your computer is running in "Legacy BIOS" or "CSM" mode, Secure Boot is unavailable and will report as disabled or unsupported.
Method 1: Using the Registry (Fastest)
Windows keeps a record of the current Secure Boot state in the registry. This is the quickest way to check without launching external tools.
@echo off
setlocal
set "REG_PATH=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecureBoot\State"
echo [PROCESS] Querying Secure Boot Registry State...
:: The value line looks like "UEFISecureBootEnabled REG_DWORD 0x1"; token 3 is the data
set "SB_STATE="
for /f "tokens=3" %%a in ('reg query "%REG_PATH%" /v UEFISecureBootEnabled 2^>nul ^| findstr /i "UEFISecureBootEnabled"') do set "SB_STATE=%%a"
if not defined SB_STATE (
    echo [INFO] Secure Boot registry keys not found.
    echo [NOTE] The system may be running in Legacy BIOS mode.
) else if "%SB_STATE%"=="0x1" (
    echo [SUCCESS] Secure Boot is ENABLED.
) else (
    echo [WARNING] Secure Boot is DISABLED ^(registry value: %SB_STATE%^).
)
pause
Method 2: Using the PowerShell Bridge (Most Reliable)
The native PowerShell cmdlet Confirm-SecureBootUEFI provides a definitive answer by directly communicating with the UEFI firmware.
@echo off
setlocal
echo [PROCESS] Confirming Secure Boot via UEFI Firmware...
:: Confirm-SecureBootUEFI returns True/False. On Legacy BIOS it throws
:: PlatformNotSupportedException; any other failure (typically access denied when
:: the script is not elevated) is reported separately so it is not mistaken for Legacy BIOS.
set "SB_RESULT="
for /f "tokens=*" %%r in ('powershell -NoProfile -Command "try { Confirm-SecureBootUEFI } catch [System.PlatformNotSupportedException] { Write-Host 'UNSUPPORTED' } catch { Write-Host 'ERROR' }" 2^>nul') do set "SB_RESULT=%%r"
if /i "%SB_RESULT%"=="True" (
    echo [SUCCESS] Secure Boot is verified by UEFI firmware.
) else if /i "%SB_RESULT%"=="False" (
    echo [WARNING] Secure Boot is supported but currently DISABLED.
    echo [HELP] Enable it in your BIOS/UEFI settings.
) else if /i "%SB_RESULT%"=="UNSUPPORTED" (
    echo [INFO] Secure Boot is NOT supported on this hardware.
    echo [NOTE] The system may be running in Legacy BIOS/CSM mode.
) else (
    echo [ERROR] Could not query the firmware ^(result: %SB_RESULT%^).
    echo [NOTE] Run this script as Administrator.
)
pause
Creating a Hardware Readiness Auditor
A professional script checks both the registry state and the firmware answer, then reconciles the two so that a stale registry value cannot mask a disabled Secure Boot. The result is a complete platform boot-security report.
@echo off
setlocal
echo ============================================================
echo Hardware Security ^& Secure Boot Auditor
echo ============================================================
echo.
:: 1. Check Registry State
echo [CHECK 1] Secure Boot Registry:
set "SB_REG="
for /f "tokens=3" %%a in ('reg query "HKLM\System\CurrentControlSet\Control\SecureBoot\State" /v UEFISecureBootEnabled 2^>nul ^| findstr /i "UEFISecureBootEnabled"') do set "SB_REG=%%a"
if "%SB_REG%"=="0x1" (
    echo [PASS] Registry reports Secure Boot ENABLED.
) else if defined SB_REG (
    echo [WARN] Registry reports Secure Boot DISABLED.
) else (
    echo [INFO] Secure Boot registry key not found ^(Legacy BIOS?^).
)
:: 2. Check UEFI Firmware Bridge
:: UNSUPPORTED = Legacy BIOS; ERROR = the cmdlet failed for another reason
:: (usually because the script is not running elevated)
echo.
echo [CHECK 2] Firmware Verification:
set "SB_FW="
for /f "tokens=*" %%r in ('powershell -NoProfile -Command "try { Confirm-SecureBootUEFI } catch [System.PlatformNotSupportedException] { Write-Host 'UNSUPPORTED' } catch { Write-Host 'ERROR' }" 2^>nul') do set "SB_FW=%%r"
if /i "%SB_FW%"=="True" (
    echo [PASS] UEFI firmware confirms Secure Boot is ACTIVE.
) else if /i "%SB_FW%"=="False" (
    echo [WARN] Firmware reports Secure Boot is DISABLED.
) else if /i "%SB_FW%"=="UNSUPPORTED" (
    echo [INFO] UEFI Secure Boot not supported on this hardware.
) else (
    echo [FAIL] Firmware query failed ^(result: %SB_FW%^). Run as Administrator.
)
:: 3. Summary
:: The True case is handled first, so the registry branch needs no extra firmware
:: test (a nested "if A if B (...) else (...)" would bind the else to the inner if).
echo.
echo ============================================================
if /i "%SB_FW%"=="True" (
    echo OVERALL: System boot chain is SECURED.
) else if "%SB_REG%"=="0x1" (
    echo OVERALL: Registry and firmware DISAGREE ^(firmware result: %SB_FW%^).
    echo [NOTE] Trust the firmware result. The registry may be stale; if the firmware
    echo [NOTE] query failed, re-run this script as Administrator.
) else (
    echo OVERALL: Secure Boot is NOT active.
    echo [ACTION] Enable Secure Boot in BIOS/UEFI settings.
)
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
Querying the SecureBoot\State registry key or running the Confirm-SecureBootUEFI cmdlet requires Administrator privileges for a guaranteed accurate result. Without elevation, Confirm-SecureBootUEFI fails with an access-denied error rather than returning False, so a script that treats every error as "unsupported hardware" will misreport a non-elevated run; confirm the script is running as Administrator before trusting a negative result.
OS-Level vs. Hardware-Level
Sometimes the OS thinks Secure Boot is on, but it isn't actually being enforced by the firmware.
If Method 1 (Registry) and Method 2 (PowerShell) disagree, always trust the PowerShell result. The registry only reflects what the OS was told during the last boot, while the PowerShell command checks the actual communication bridge to the hardware.
Best Practices for Boot Security
- Check for Windows 11 Compatibility: Secure Boot is a hard requirement for Windows 11. Use your script to audit your fleet before upgrading.
- Verify TPM Status: Secure Boot works best in conjunction with a Trusted Platform Module (TPM). Check both for a complete "Trusted Boot" audit.
- BIOS Password: Advise users that Secure Boot is only truly secure if the BIOS/UEFI is password-protected, preventing unauthorized users from simply turning the feature off in the settings.
Note that enabling Secure Boot may prevent Linux distributions whose boot loader is not signed with a key the firmware trusts, and older operating systems, from booting on the same machine.
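The pitfalls above (an access-denied error looks like an unsupported platform unless the error types are kept apart) and the TPM check from the best-practice list can be combined in one PowerShell function. This is an added example, not code from the original article; the function name Get-BootSecurityAudit is its own, and the mapping of failure reasons to PlatformNotSupportedException and UnauthorizedAccessException is an assumption about how Confirm-SecureBootUEFI reports them.

```powershell
# Added example (not from the original article). The function name and the
# exception-type mapping in the catch blocks are this example's own assumptions.
function Get-BootSecurityAudit {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Firmware-level answer. Keeping the failure reasons apart prevents a
    # non-elevated run from being reported as "unsupported hardware".
    try {
        $firmware = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        $firmware = 'NotSupported'     # Legacy BIOS / CSM boot
    } catch [System.UnauthorizedAccessException] {
        $firmware = 'AccessDenied'     # re-run elevated to get a real answer
    } catch {
        $firmware = "Error: $($_.Exception.Message)"
    }

    # Registry copy of the state, written by the OS at boot; it can lag the firmware.
    $regKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $regValue = (Get-ItemProperty -Path $regKey -Name UEFISecureBootEnabled `
                 -ErrorAction SilentlyContinue).UEFISecureBootEnabled
    $registry = if ($null -eq $regValue) { 'KeyMissing' } elseif ($regValue -eq 1) { 'Enabled' } else { 'Disabled' }

    # TPM state for the fuller "Trusted Boot" picture (Get-Tpm also needs elevation).
    try {
        $tpm      = Get-Tpm -ErrorAction Stop
        $tpmState = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    } catch {
        $tpmState = "Unavailable: $($_.Exception.Message)"
    }

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        RunningAsAdmin = $isAdmin
        SecureBootFW   = $firmware
        SecureBootReg  = $registry
        # True only when both sources gave a definite answer and they differ
        Mismatch       = ($firmware -in 'Enabled','Disabled') -and ($registry -ne $firmware)
        TPM            = $tpmState
    }
}

# Run locally; pipe the object to Export-Csv to collect results across a fleet.
Get-BootSecurityAudit | Format-List
```

A Mismatch of True with SecureBootReg = Enabled is the stale-registry case described under OS-Level vs. Hardware-Level; AccessDenied means the run must be repeated elevated before any conclusion is drawn.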
Conclusion
Checking if Secure Boot is enabled via Batch script is a critical step in verifying the security posture and hardware readiness of your Windows infrastructure. By accurately identifying the boot state via the registry and firmware-level PowerShell queries, you can ensure that your machines are starting in a verified and trusted environment. This professional approach to hardware auditing reduces the risk of pre-boot attacks, simplifies OS upgrade planning, and ensures that your systems remain secure from the very first line of code executed during the startup process.