How to Enable and Troubleshoot Measured Boot Support on Windows 11: Step-by-Step Guide

Measured Boot is a security feature in Windows 11 that helps ensure your device boots securely by recording each step of the boot process. This helps detect any unauthorized changes or malware that could compromise your system. Enabling Measured Boot can enhance your PC’s security and provide better protection against rootkits and bootkits.

This guide will walk you through the process of enabling Measured Boot on Windows 11 in simple, easy-to-understand steps. Additionally, you will find troubleshooting tips if you encounter any issues while setting it up. No prior technical knowledge is needed to follow along.

By the end of this article, you will understand why Measured Boot is important, how to enable it, and what to do if it doesn’t work as expected. Let’s get started!

Make sure to follow each step carefully to ensure a smooth setup and secure boot experience on your PC.

Quick Note: Prerequisites Before Enabling Measured Boot

  • Windows 11 Version: Ensure your PC runs Windows 11 version 21H2 or later. Older versions may not fully support Measured Boot features.
  • TPM 2.0 Module: Your device must have a Trusted Platform Module (TPM) version 2.0 enabled in the BIOS/UEFI. TPM is essential for secure measurements during boot.
  • Secure Boot Enabled: Secure Boot should be enabled on your system. It works alongside Measured Boot to verify boot components.
  • Administrator Rights: You need administrator privileges to make changes related to Measured Boot settings.

How to Enable Measured Boot on Windows 11

Step 1: Check TPM and Secure Boot Status

Before enabling Measured Boot, verify that TPM and Secure Boot are active. Here’s how:

  1. Press Windows + R to open the Run dialog.
  2. Type tpm.msc and press Enter. This opens the TPM Management console.
  3. Under “Status,” make sure it says “The TPM is ready for use.” If not, you may need to enable TPM in your BIOS settings.
  4. Next, open System Information by typing msinfo32 in the Start menu search and pressing Enter.
  5. Look for Secure Boot State in the System Summary. It should be “On.” If it says “Off,” enable Secure Boot in your BIOS.

These checks ensure that your system supports the underlying security features required for Measured Boot.
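The same prerequisite checks can be scripted from an elevated PowerShell session. This is an added example, not part of the original guide; the function name Test-MeasuredBootPrerequisite is hypothetical, and build 22000 is used as the build number of Windows 11 21H2.

```powershell
# Added example: checks the prerequisites listed in this guide (run elevated).
function Test-MeasuredBootPrerequisite {
    [CmdletBinding()]
    param()

    # Administrator rights: Get-Tpm and Confirm-SecureBootUEFI both need elevation.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

    # Windows 11 21H2 is build 22000; later releases have higher build numbers.
    $build = [Environment]::OSVersion.Version.Build

    # TPM state, the same information tpm.msc shows.
    $tpm = Get-Tpm
    # SpecVersion is a comma-separated string; the first field is the TPM version.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { $null }

    # Secure Boot: returns $true/$false on UEFI and throws on legacy BIOS systems.
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = $false }

    [pscustomobject]@{
        BuildNumber    = $build
        BuildSupported = $build -ge 22000
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmSpecVersion = $specVersion
        TpmIs20        = $specVersion -eq '2.0'
        SecureBootOn   = $secureBoot
    }
}

$result = Test-MeasuredBootPrerequisite
$result | Format-List

# List every boolean check that came back false.
$failed = $result.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($failed) { Write-Warning "Not satisfied: $($failed -join ', ')" }
else         { Write-Output 'All prerequisites satisfied.' }
```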

Step 2: Enable Measured Boot via Group Policy Editor

The easiest way to enable Measured Boot is through the Group Policy Editor. Follow these steps:

  1. Press Windows + R, type gpedit.msc, and hit Enter to open the Group Policy Editor.
  2. Navigate to: Computer Configuration > Administrative Templates > System > Device Guard.
  3. Find the policy named “Turn On Measured Boot”.
  4. Double-click on it and select Enabled.
  5. Click Apply and then OK.
  6. Restart your PC to apply the changes.

Enabling this policy tells Windows to start measuring each boot phase and record the results for security verification.

Step 3: Verify Measured Boot is Active

Once your system restarts, confirm that Measured Boot is working:

  1. Open Event Viewer by searching for it in the Start menu.
  2. Navigate to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
  3. Look for events with the ID 307. These indicate that Measured Boot measurements were successfully recorded during startup.

If you see event 307, Measured Boot is active and functioning correctly.
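The Event Viewer check above can also be run from an elevated PowerShell session. This is an added example, not part of the original guide; it is read-only, uses the log name and event ID given in this step, and additionally lists the per-boot TCG log files that Windows writes under %SystemRoot%\Logs\MeasuredBoot, a location this guide does not mention.

```powershell
# Added example: read-only verification after the reboot (run elevated).
$logName = 'Microsoft-Windows-CodeIntegrity/Operational'   # log named in Step 3
$eventId = 307                                              # event ID named in Step 3

# Only count events written since the current boot.
$bootTime = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = $eventId
    StartTime = $bootTime
} -ErrorAction SilentlyContinue

if ($events) {
    $events |
        Select-Object -First 5 -Property TimeCreated, Id, LevelDisplayName, Message |
        Format-List
} else {
    Write-Warning "No event $eventId in $logName since boot at $bootTime."
}

# Per-boot measurement logs; a file newer than the boot time shows that this
# boot's measurements were captured. (Location not taken from this guide.)
$logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
$logs = Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
    Sort-Object -Property LastWriteTime -Descending

if (-not $logs) {
    Write-Warning "No measurement logs found in $logDir."
} else {
    $logs | Select-Object -First 3 -Property Name, Length, LastWriteTime | Format-Table
    if ($logs[0].LastWriteTime -lt $bootTime) {
        Write-Warning 'Newest measurement log predates the current boot.'
    }
}
```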

Troubleshooting Measured Boot Issues

Step 1: Make Sure TPM and Secure Boot Are Enabled

If Measured Boot is not working, the first thing to check is whether TPM 2.0 and Secure Boot are enabled. Without these, Measured Boot cannot function properly.

Enter your BIOS or UEFI firmware settings during startup (usually by pressing F2, Del, or Esc) and verify that:

  • TPM is enabled and set to version 2.0.
  • Secure Boot is enabled.

Save any changes and restart your PC.

Step 2: Confirm Group Policy Settings

Open the Group Policy Editor and double-check that “Turn On Measured Boot” is set to Enabled. If needed, disable and re-enable this setting to refresh it.

Step 3: Update Device Drivers and Firmware

Outdated drivers or firmware can interfere with Measured Boot. Make sure your system BIOS/UEFI and device drivers are up to date. Visit your PC manufacturer’s website for the latest updates.

Step 4: Use Windows Security for Additional Checks

Go to Settings > Privacy & Security > Windows Security > Device Security. Under “Security processor,” check the status of TPM and related security features. This can provide insight if something is wrong.

Advanced Option: Enable Measured Boot with PowerShell

If the Group Policy Editor is unavailable (e.g., on Windows Home editions), you can enable Measured Boot using PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableMeasuredBoot" -Value 1

After running this command as an administrator, restart your PC for changes to take effect.

Frequently Asked Questions (FAQs)

What is the difference between Secure Boot and Measured Boot?

Secure Boot verifies the integrity of bootloaders before the OS loads, preventing unauthorized code from running. Measured Boot records measurements of each boot phase to the Trusted Platform Module (TPM) for auditing and attestation purposes. Both work together to enhance boot security.

Can I enable Measured Boot on Windows 11 Home edition?

Windows 11 Home doesn’t include the Group Policy Editor, but you can enable Measured Boot using the PowerShell method described above or by manually editing the registry.

Does enabling Measured Boot affect system performance?

Measured Boot has minimal impact on performance because it only records boot measurements. It does not add significant overhead during normal system use.

How do I check if Measured Boot is working?

Check Event Viewer for event ID 307 under Microsoft-Windows-CodeIntegrity/Operational. This confirms that Measured Boot measurements are being logged.

Is TPM mandatory for Measured Boot?

Yes, TPM 2.0 is required because it securely stores boot measurements and enables trusted attestation.

When Nothing Works

If you have followed all steps and Measured Boot still isn’t working, consider the following final options:

  • Reset BIOS/UEFI to Default Settings: Sometimes misconfigured firmware settings can block TPM or Secure Boot.
  • Update Windows: Ensure your system has the latest Windows updates installed.
  • Contact Manufacturer Support: For device-specific TPM or BIOS issues, your PC manufacturer can provide tailored assistance.
  • Visit Microsoft’s Official Documentation: The Measured Boot documentation offers in-depth guidance.

Conclusion

Enabling Measured Boot on Windows 11 is a valuable step toward securing your device from boot-level attacks. By verifying TPM and Secure Boot support, enabling the policy, and confirming operation via Event Viewer, you can ensure your system boots safely and records its integrity.

Should issues arise, follow the troubleshooting steps, from checking firmware settings and updating drivers to using PowerShell as an alternative. Remember, security features like Measured Boot work best when combined with other protections such as Secure Boot and TPM.

Taking these simple steps helps protect your device and data, giving you peace of mind in today’s security-conscious environment.
