The most common reasons why Secure Boot is not active even if it appears enabled include:
- Secure Boot is actually disabled in the UEFI firmware settings, despite showing enabled in Windows.
- The Compatibility Support Module (CSM) is enabled in BIOS/UEFI, which conflicts with Secure Boot activation.
- The Secure Boot platform keys are missing or corrupted, so Secure Boot is enabled but not fully active.
- The BIOS/UEFI firmware is outdated and lacks proper Secure Boot support or has bugs.
- The system is booting in Legacy mode instead of UEFI mode, which disables Secure Boot.
To fix this issue, typical steps are:
- Enter BIOS/UEFI settings during boot (using DEL, F2, F10, or F12 keys).
- Disable CSM if enabled to ensure pure UEFI boot mode.
- Change Secure Boot mode from "Setup" to "Custom," then back to "Standard" and restore the factory keys/platform keys.
- Enable Secure Boot and save changes.
- Update BIOS/UEFI firmware if the problem persists.
- Verify Secure Boot status in Windows using msinfo32 and check "Secure Boot State" until it shows "On" or "Active."
These steps ensure that Secure Boot is not just enabled but also properly activated, allowing secure startup and OS protection.
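
The causes and the verification step above can also be checked from a script. This is an added example, not part of the original page: Get-SecureBootDiagnosis is a hypothetical helper name, and it assumes an elevated PowerShell session on Windows with the built-in Get-ComputerInfo, Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets.

```powershell
# Added example (not from the original page). Read-only; run in an elevated PowerShell session.
# Get-SecureBootDiagnosis is a hypothetical helper name chosen for this example.
function Get-SecureBootDiagnosis {
    $r = [ordered]@{
        FirmwareType       = $null
        SecureBootActive   = $null
        SetupMode          = $null
        PlatformKeyPresent = $null
        Finding            = $null
    }

    # Cause: Legacy/CSM boot. Secure Boot can only be active when Windows booted in UEFI mode.
    $r.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    if ("$($r.FirmwareType)" -ne 'Uefi') {
        $r.Finding = 'Not booted in UEFI mode: disable CSM/Legacy boot in firmware setup.'
        return [pscustomobject]$r
    }

    # Returns $true when Secure Boot is enabled, $false when supported but off.
    try {
        $r.SecureBootActive = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $r.Finding = "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # Cause: missing platform key. SetupMode = 1 means no PK is enrolled.
    try {
        $r.SetupMode = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0] -eq 1
    } catch { $r.SetupMode = $null }
    # A PK read that fails here is treated as "no key present".
    try {
        $pk = Get-SecureBootUEFI -Name PK -ErrorAction Stop
        $r.PlatformKeyPresent = ($pk.Bytes.Length -gt 0)
    } catch { $r.PlatformKeyPresent = $false }

    $r.Finding = if ($r.SecureBootActive) {
        'Secure Boot is active.'
    } elseif ($r.SetupMode -or -not $r.PlatformKeyPresent) {
        'Enabled but inactive: platform key missing (Setup mode). Restore factory keys.'
    } else {
        'Keys present but Secure Boot is off: enable it in firmware, update firmware if it persists.'
    }
    [pscustomobject]$r
}

Get-SecureBootDiagnosis | Format-List
```

The Finding field points at which of the causes listed above applies, so the firmware change can be targeted before rebooting into setup.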