Secure Boot Enabled but Not Active? (BIOS Setup Guide)
Olivia Brown

Seeing “Secure Boot: Enabled” in your BIOS but “Secure Boot: Not Active” in Windows, firmware settings, or a system information tool can be confusing. The wording suggests that Secure Boot is turned on, yet the platform is not actually enforcing it. This usually happens when one or more required conditions are missing, such as UEFI boot mode, installed Secure Boot keys, a compatible operating system installation, or the correct firmware state.

TLDR: Secure Boot can be enabled in BIOS while still being inactive if your PC is not booting in full UEFI mode, Secure Boot keys are not installed, or the operating system was installed using Legacy or CSM boot. To fix it, confirm that the system disk uses GPT, disable Legacy or CSM mode, install default Secure Boot keys, and then enable Secure Boot again. Always back up important data before changing boot mode or disk configuration. If BitLocker is enabled, suspend it first to avoid recovery key prompts.

What “Enabled but Not Active” Actually Means

Secure Boot is a UEFI firmware security feature designed to prevent unauthorized bootloaders, rootkits, and low-level malware from starting before the operating system. When working correctly, it verifies that the boot software is signed by trusted authorities stored in the firmware’s Secure Boot key database.

The phrase “enabled but not active” usually means the BIOS or UEFI setup option has been switched on, but the system has not met the technical requirements needed for Secure Boot to operate. Think of it as a security system that has been armed in the menu, but cannot actually lock the doors because part of the mechanism is missing or misconfigured.

Common reasons include:

  • Legacy BIOS or CSM mode is still enabled.
  • The boot drive uses MBR instead of GPT.
  • Secure Boot keys are missing, cleared, or not installed.
  • The operating system was installed in Legacy mode.
  • The firmware is in Setup Mode rather than User Mode.
  • A BIOS update reset or changed Secure Boot settings.

Before making changes, it is important to understand that Secure Boot is not just a simple on and off switch. It depends on the relationship between the firmware, disk partition style, bootloader, and operating system.

Why Secure Boot Matters

Secure Boot helps protect the most sensitive phase of your computer’s startup process. Malware that loads before the operating system can be extremely difficult to detect and remove because it can hide beneath normal antivirus tools. By allowing only trusted boot components to run, Secure Boot helps reduce the risk of bootkits and unauthorized firmware-level tampering.

Secure Boot is also required or strongly recommended for certain modern features and operating system standards. For example, Windows 11 checks for Secure Boot capability, and many enterprise environments require it as part of compliance policies. While a computer may still function without active Secure Boot, leaving it inactive can weaken the system’s security posture.

Step 1: Check Secure Boot Status in Windows

Before changing BIOS settings, confirm what Windows is reporting. This helps you identify whether the issue is with firmware configuration, boot mode, or key management.

  1. Press Windows + R.
  2. Type msinfo32 and press Enter.
  3. In the System Information window, look for:
    • BIOS Mode
    • Secure Boot State

If BIOS Mode says UEFI, your system is using the correct boot mode. If it says Legacy, Secure Boot cannot become active until the system is converted to UEFI boot.

If Secure Boot State says Off, Unsupported, or Not Active, continue with the steps below. The exact wording depends on the firmware vendor and Windows version.

Step 2: Confirm the Disk Uses GPT

Secure Boot requires UEFI boot, and Windows can only boot in UEFI mode from a system drive that uses the GPT partition style. If Windows was installed in Legacy BIOS mode, the disk is most likely using MBR. In that case, simply enabling Secure Boot in BIOS will not make it active.

To check the partition style:

  1. Right-click the Start button.
  2. Select Disk Management.
  3. Right-click the system disk, usually Disk 0.
  4. Select Properties.
  5. Open the Volumes tab.
  6. Check Partition style.

If it says GUID Partition Table (GPT), the disk is already suitable for UEFI Secure Boot. If it says Master Boot Record (MBR), you will need to convert it before Secure Boot can be active.

Important: Converting a system disk incorrectly can make the computer unbootable. Back up your files first. If BitLocker is enabled, suspend BitLocker and make sure you have your recovery key saved in a safe place.

Step 3: Convert MBR to GPT if Needed

Windows includes a Microsoft tool called MBR2GPT that can convert a compatible system disk from MBR to GPT without deleting data. However, it should still be treated as a serious operation. A failed conversion, power loss, or unusual partition layout can cause boot problems.

To validate the disk first, open Command Prompt as Administrator and run:

mbr2gpt /validate /allowFullOS

If validation succeeds, run:

mbr2gpt /convert /allowFullOS

After conversion, restart the computer and enter BIOS or UEFI setup. You must then switch boot mode from Legacy or CSM to UEFI. If you do not change the firmware boot mode after converting, the computer may not start properly.

Step 4: Enter BIOS or UEFI Setup

To activate Secure Boot, you need to enter the firmware setup screen. The key varies by manufacturer, but common keys include Delete, F2, F10, F12, or Esc. Press the key repeatedly immediately after powering on the computer.

You can also enter firmware settings from Windows:

  1. Open Settings.
  2. Go to System, then Recovery.
  3. Under Advanced startup, select Restart now.
  4. Choose Troubleshoot.
  5. Select Advanced options.
  6. Choose UEFI Firmware Settings.

Once inside BIOS, use the keyboard or mouse depending on your motherboard interface. Be careful not to change unrelated settings unless you understand their purpose.

Step 5: Disable Legacy Boot or CSM

One of the most common reasons Secure Boot remains inactive is that CSM (Compatibility Support Module) is still enabled. CSM lets the firmware boot older operating systems and devices using Legacy BIOS behavior, and Secure Boot cannot operate while the system is relying on that Legacy compatibility path.

Look for settings such as:

  • CSM Support
  • Legacy Boot
  • Boot Mode
  • UEFI/Legacy Boot
  • Launch CSM

Set the boot mode to UEFI Only and disable CSM or Legacy boot. On some systems, Secure Boot options are hidden until CSM is disabled. On others, the Secure Boot setting may be visible but cannot become active until the next reboot after disabling CSM.

If your system fails to boot after disabling CSM, it likely means Windows was installed in Legacy mode or the disk is still MBR. Re-enable CSM temporarily, boot back into Windows, and verify the disk partition style.

Step 6: Install or Restore Secure Boot Keys

Secure Boot requires trusted keys stored in firmware. If these keys are missing, cleared, or not provisioned, Secure Boot may show as enabled but inactive. Many BIOS interfaces display this state as Setup Mode. Secure Boot becomes fully active only when the system is in User Mode with valid keys installed.

In BIOS, look for options such as:

  • Install Default Secure Boot Keys
  • Restore Factory Keys
  • Load Secure Boot Defaults
  • Enroll All Factory Default Keys
  • Key Management

Select the option to install or restore the default keys. These are usually the correct keys for standard Windows installations. After enrolling the keys, save changes and reboot. Return to BIOS afterward if necessary and confirm that Secure Boot is enabled and the mode has changed from Setup Mode to User Mode.

Warning: Do not delete Secure Boot keys unless you are intentionally managing custom keys and fully understand the consequences. Clearing keys can make Secure Boot inactive and may prevent some systems from booting as expected.

Step 7: Set OS Type Correctly

Some motherboards, especially ASUS and similar UEFI systems, include an OS Type option. This may be set to Other OS by default, which can prevent Microsoft Secure Boot keys from being used.

If you see this setting, choose:

  • Windows UEFI Mode, or
  • Windows, depending on the BIOS wording.

After changing the OS type, install the default Secure Boot keys if prompted. Then save and restart. This small setting is a frequent reason Secure Boot appears configured but does not become active.

Step 8: Save Changes and Verify

After making changes, choose Save and Exit in BIOS. The system will restart. If Windows boots normally, check Secure Boot status again using msinfo32.

You want to see:

  • BIOS Mode: UEFI
  • Secure Boot State: On

If the status now shows On, Secure Boot is active and working. If it still shows inactive, return to BIOS and confirm these items again: CSM disabled, UEFI boot enabled, Secure Boot keys installed, OS type set to Windows UEFI mode, and the correct boot drive selected.

Manufacturer Notes

BIOS menus vary, but the underlying requirements are similar. Here are common locations for Secure Boot settings:

  • Dell: Look under Boot Configuration or Secure Boot. Confirm UEFI boot sequence is selected.
  • HP: Check Security and Boot Options. Legacy Support may need to be disabled.
  • Lenovo: Secure Boot is often under Security. UEFI/Legacy Boot is usually under Startup.
  • ASUS: Disable Launch CSM, set OS Type to Windows UEFI Mode, then install default keys.
  • MSI: Set boot mode to UEFI, then check Settings, Advanced, and Windows OS Configuration.
  • Gigabyte: Disable CSM, enable Secure Boot, and restore factory keys if the status remains inactive.

Common Problems and Fixes

Windows will not boot after enabling Secure Boot: The system may have been installed in Legacy mode, or the boot disk may still be MBR. Re-enable CSM temporarily, boot into Windows, and verify the partition style.

Secure Boot option is greyed out: Disable CSM first, set an administrator BIOS password if required by your firmware, or install default keys. Some systems lock Secure Boot controls until these prerequisites are met.

Secure Boot says Setup Mode: This almost always means Secure Boot keys are not installed. Use the firmware option to restore or enroll factory default keys.

BitLocker asks for a recovery key: Firmware changes can trigger BitLocker protection. Before modifying Secure Boot, suspend BitLocker in Windows and confirm that your recovery key is available.

Linux or dual boot stops working: Some Linux distributions support Secure Boot, while others require additional signed bootloaders or custom key enrollment. Check your distribution’s Secure Boot documentation before enabling it.

When Not to Change Secure Boot Settings

You should avoid changing Secure Boot settings casually on production systems, encrypted laptops, business machines, or computers with complex dual-boot setups. If the device is managed by an organization, Secure Boot policy may be controlled by IT administrators. Changing firmware security settings without authorization can violate policy or disrupt access.

If the computer contains critical files, create a full backup before proceeding. For business systems, make sure recovery media, BitLocker keys, and administrator credentials are available. Secure Boot is valuable, but firmware-level changes should be approached carefully and deliberately.

Final Checklist

If Secure Boot is enabled but not active, use this checklist:

  • Confirm Windows reports BIOS Mode: UEFI.
  • Confirm the system disk uses GPT.
  • Disable Legacy Boot or CSM.
  • Set boot mode to UEFI Only.
  • Set OS type to Windows UEFI Mode if available.
  • Install or restore default Secure Boot keys.
  • Save changes and restart.
  • Verify Secure Boot State shows On in Windows.
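As an added example (not from the original post), the PowerShell script below runs the checklist above from an elevated prompt and maps each missing prerequisite to the step of this guide that fixes it. It is read-only, uses only the built-in SecureBoot, Storage and BitLocker cmdlets, and assumes a Windows 10 or 11 system.

```powershell
# Added example, not part of the original guide: read-only pre-flight check for
# the Secure Boot prerequisites. Get-SecureBootUEFI and Get-BitLockerVolume
# need an elevated (Administrator) PowerShell session.
#Requires -RunAsAdministrator

function Test-SecureBootReadiness {
    $r = [ordered]@{}

    # Step 1: boot mode as Windows sees it ($env:firmware_type is "UEFI" or "Legacy").
    $r.BiosMode = $env:firmware_type

    # Step 2: partition style (MBR, GPT or RAW) of the disk Windows booted from.
    $sys = Get-Disk | Where-Object { $_.IsBoot -or $_.IsSystem } | Select-Object -First 1
    $r.SystemDiskPartitionStyle = if ($sys) { $sys.PartitionStyle } else { 'Unknown' }

    # Step 6: SetupMode byte 1 means no Platform Key is enrolled, so Secure Boot
    # cannot enforce. Both calls throw on Legacy/CSM boot or when PK is absent.
    try {
        $r.SetupMode = [bool](Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0]
        $r.PlatformKeyPresent = $null -ne (Get-SecureBootUEFI -Name PK -ErrorAction Stop)
    } catch {
        if ($null -eq $r.SetupMode) { $r.SetupMode = 'Unavailable' }
        $r.PlatformKeyPresent = $false
    }

    # Step 8: the enforcing state. $true only when Secure Boot is actually
    # active, regardless of what the BIOS menu label says.
    try { $r.SecureBootActive = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $r.SecureBootActive = $false }

    # BitLocker: boot-mode and Secure Boot changes alter the TPM measurements it
    # seals to, which is why the guide says to suspend it before touching firmware.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $r.BitLockerProtection = if ($bl) { $bl.ProtectionStatus } else { 'NotPresent' }

    # Map each missing prerequisite to the step that fixes it.
    $todo = @()
    if ($r.BiosMode -ne 'UEFI')                { $todo += 'Step 3/5: Legacy boot; switch firmware to UEFI Only' }
    if ($r.SystemDiskPartitionStyle -ne 'GPT') { $todo += 'Step 3: system disk is not GPT; run mbr2gpt /validate first' }
    if ($r.SetupMode -eq $true -or -not $r.PlatformKeyPresent) { $todo += 'Step 6: Setup Mode; install default keys' }
    if (-not $r.SecureBootActive)              { $todo += 'Step 8: not active; re-check CSM, OS Type and keys' }
    if ($r.BitLockerProtection -eq 'On')       { $todo += 'Suspend BitLocker before changing firmware settings' }
    $r.ActionsNeeded = if ($todo) { $todo } else { @('None: Secure Boot is active') }

    [pscustomobject]$r
}

Test-SecureBootReadiness | Format-List
```

Run it once before changing anything to see which prerequisite is missing, and again after Step 8 to confirm SecureBootActive is True and SetupMode is False.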

In most cases, the fix is straightforward once the requirements are aligned. Secure Boot must be enabled in the firmware, the system must boot in UEFI mode, the disk must be GPT, and the correct keys must be installed. When all of these pieces are in place, Secure Boot changes from merely enabled to genuinely active, providing the boot-time protection it was designed to deliver.