Secure Boot can only be enabled when the system is in User Mode, which occurs after enrolling the Platform Key (PK). If the system is in Setup Mode, Secure Boot cannot be enabled. To enable Secure Boot, you need to enter the BIOS, disable Compatibility Support Module (CSM) if enabled, change the Secure Boot mode to Custom, then enroll the default or factory Platform Keys. After enrolling the Platform Key, the system switches from Setup Mode to User Mode, making Secure Boot available to be enabled. Finally, set Secure Boot to Enabled and save the changes to activate it. In summary, the operation should be repeated after enrolling the Platform Key in BIOS because enrolling the PK switches the system from Setup Mode to User Mode, which is required for enabling Secure Boot:
- Enter BIOS setup during boot (commonly Del, F2, or Esc keys).
- Disable CSM under the Boot tab.
- Change Secure Boot Mode to Custom.
- Enroll all factory default keys or enroll the Platform Key.
- Confirm and save or reboot as necessary.
- Then enable Secure Boot.
- Save and exit BIOS.
This process transitions the system into User Mode, allowing Secure Boot to be enabled properly.
