secure boot says enabled but not active


The situation usually means Secure Boot is configured in BIOS/UEFI but isn’t actually active in the running OS due to a mismatch in firmware settings or keys. A few common causes and steps to resolve:

  • Check BIOS/UEFI mode: Secure Boot requires UEFI mode (not Legacy/CSM). If the system is in CSM/Legacy mode, Secure Boot may show as enabled but not active. Enter BIOS and ensure the boot mode is set to UEFI only (or enable UEFI with CSM off), then re-save and reboot. This is a frequent source of the discrepancy.
  • Disable CSM and enable Secure Boot properly: If CSM is enabled, Secure Boot might not function. Disable CSM, switch to UEFI boot, and then re-enable Secure Boot. Save changes and reboot to see if Secure Boot state changes to On.
  • Restore factory keys (platform keys): Secure Boot requires proper keys. If keys are missing or corrupted, Secure Boot can appear enabled but not active. In BIOS/UEFI, look for an option to Restore Factory Keys or Install Default Keys, then save and reboot. After this, Secure Boot should report as On.
  • Reconfirm Secure Boot mode: Some BIOS interfaces show Secure Boot in Setup vs. User/Standard modes. If it’s in Setup mode, Secure Boot isn’t fully active. Disable Secure Boot, then re-enable it and ensure the mode is set to Standard/Full Activation rather than Setup.
  • Update firmware: An outdated BIOS/UEFI can cause Secure Boot to misreport. Check the motherboard or OEM support site for a newer firmware release, apply it following their instructions, then recheck Secure Boot.
  • Windows-facing check: In Windows, open System Information (msinfo32) and look at the Secure Boot State. If it remains Off or Not Supported, the mismatch above is likely the cause and should be resolved by the BIOS adjustments described.
  • Other causes: Some systems enable features like TPM in a way that affects Secure Boot status. Ensure TPM 2.0 is enabled if your OS or security features require it, and that there are no policy or virtualization-based security settings conflicting with Secure Boot.

If you’d like, provide:

  • Your PC/motherboard model and OEM (Dell/HP/ASUS/MSI/etc.)
  • Whether you see CSM/Legacy options in BIOS
  • The current Secure Boot Mode (Standard vs. Custom vs. Setup)
  • Whether you can access and restore factory keys in BIOS

I can tailor step-by-step instructions for your exact hardware and firmware interface.
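
The checks in the list above can be read from the running Windows system in one pass. The following PowerShell is an added example, not part of the original answer: the function name `Get-SecureBootDiagnosis` is hypothetical, and it assumes an elevated session and Windows 8 or later, where the `PEFirmwareType` registry value and the `Confirm-SecureBootUEFI` / `Get-SecureBootUEFI` cmdlets are available.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical helper): maps firmware state to the causes listed above.
function Get-SecureBootDiagnosis {
    $r = [ordered]@{
        FirmwareType       = 'Unknown'
        SecureBootActive   = $null
        SetupMode          = $null
        PlatformKeyPresent = $null
        LikelyCause        = $null
    }

    # PEFirmwareType: 1 = booted via legacy BIOS/CSM, 2 = booted via UEFI
    $fw = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control' -ErrorAction SilentlyContinue).PEFirmwareType
    if ($fw -eq 1) { $r.FirmwareType = 'Legacy' } elseif ($fw -eq 2) { $r.FirmwareType = 'UEFI' }

    if ($r.FirmwareType -eq 'Legacy') {
        # The Secure Boot cmdlets throw on non-UEFI boots, so stop here.
        $r.LikelyCause = 'Booted in Legacy/CSM mode: disable CSM and boot in UEFI mode'
        return [pscustomobject]$r
    }

    try {
        # Returns $true only when Secure Boot is actually enforcing.
        $r.SecureBootActive = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $r.LikelyCause = "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # SetupMode is a one-byte UEFI variable; 1 means the firmware is in Setup Mode.
    try { $r.SetupMode = ((Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0] -eq 1) } catch { }

    # Reading PK fails when no Platform Key is enrolled.
    try {
        $pk = Get-SecureBootUEFI -Name PK -ErrorAction Stop
        $r.PlatformKeyPresent = ($pk.Bytes.Length -gt 0)
    } catch { $r.PlatformKeyPresent = $false }

    $r.LikelyCause = if ($r.SecureBootActive) {
        'None: Secure Boot is active'
    } elseif ($r.SetupMode -or -not $r.PlatformKeyPresent) {
        'Setup Mode or missing Platform Key: restore factory/default keys in firmware'
    } else {
        'Keys are present but Secure Boot is not enforcing: re-enable it in firmware'
    }
    [pscustomobject]$r
}

Get-SecureBootDiagnosis | Format-List
```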