Secure Boot cannot be enabled until the Secure Boot keys are enrolled. In Setup Mode the keys (including the Platform Key) are missing, so Secure Boot is disabled. Enrolling the Platform Key switches the system from Setup Mode to User Mode, and once the system is in User Mode with the keys installed, Secure Boot can be enabled. In summary:
- Setup Mode: Keys are missing, Secure Boot cannot be enabled.
- User Mode: Keys are installed, Secure Boot can be enabled.
- To enable Secure Boot, first enroll the Platform Key in BIOS, switching the system from Setup Mode to User Mode, then enable Secure Boot.
This process is done through BIOS/UEFI settings, typically by:
- Disabling the Compatibility Support Module (CSM) for pure UEFI mode.
- Enrolling the Platform Key or loading the default Secure Boot keys.
- Enabling Secure Boot after the system switches to User Mode.
Only after these steps is Secure Boot enabled and active.
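To confirm from a running Linux system which of these states the firmware is actually in, the following added example (not part of the original text) decodes the UEFI `SetupMode` and `SecureBoot` variables. It assumes efivarfs is mounted at its usual Linux path; the sample byte strings are constructed for illustration.

```python
import struct
from pathlib import Path

# EFI global-variable GUID from the UEFI specification; default Linux efivarfs mount.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple:
    """Split an efivarfs file into (attributes, data); the first 4 bytes are attributes."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def flag(raw: bytes) -> bool:
    """Decode a one-byte boolean variable such as SetupMode or SecureBoot."""
    _, data = parse_efivar(raw)
    if len(data) != 1 or data[0] not in (0, 1):
        raise ValueError(f"unexpected variable payload: {data!r}")
    return data[0] == 1


def boot_state(setup_mode_raw: bytes, secure_boot_raw: bytes) -> str:
    setup, secure = flag(setup_mode_raw), flag(secure_boot_raw)
    if setup and secure:
        return "inconsistent: Secure Boot reported on while in Setup Mode"
    if setup:
        return "Setup Mode: no Platform Key enrolled, Secure Boot cannot be enabled"
    if secure:
        return "User Mode: keys enrolled, Secure Boot enabled"
    return "User Mode: keys enrolled, Secure Boot not yet enabled"


def read_live():
    try:
        sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL}").read_bytes()
        sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None  # legacy/CSM boot, non-Linux host, or efivarfs not mounted
    return boot_state(sm, sb)

# Constructed samples as (SetupMode, SecureBoot): attribute word 0x6 plus the value byte.
SAMPLE_SETUP = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_USER_ON = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")

if __name__ == "__main__":
    print(read_live() or boot_state(*SAMPLE_USER_ON))
```

A result of "User Mode ... not yet enabled" corresponds to the point in the procedure where the keys are enrolled but the Secure Boot option itself has not been switched on.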
