Secure Boot is a key security feature in Windows 11 that ensures your system only loads trusted software during startup. It protects against rootkits and firmware-based malware, helping maintain system integrity from the very first boot.
However, many users encounter a frustrating issue: Secure Boot appears enabled in BIOS but still shows as “Off” or “Inactive” in Windows. This mismatch can block system updates, prevent anti-cheat systems from working in games, and disable device encryption.
Common causes include incorrect BIOS mode (Legacy vs UEFI), disabled Secure Boot keys, or outdated firmware. The good news is that these issues can be fixed easily with the right steps.
Method 1: Switch BIOS Secure Boot Mode and Restore Factory Keys
This method resets Secure Boot configuration and reinstalls the factory keys needed for Windows to recognize it correctly.
Step 1: Restart your computer and enter BIOS/UEFI settings.
Press DEL, F2, F10, or F12 during startup (the key varies by manufacturer).
Step 2: Go to the Secure Boot section (usually under Boot, Security, or Authentication).
Check if Secure Boot Mode is set to Setup or User.
⚠️ If it’s in Setup Mode, Secure Boot is not actually active.
Step 3: Disable Secure Boot temporarily and save your changes. Exit BIOS and reboot if prompted.
Step 4: Re-enter BIOS and change Secure Boot Mode from Standard → Custom. Confirm any warning messages.
Step 5: Now switch it back from Custom → Standard.
Accept the prompt to restore or install Factory Defaults / Factory Keys — this reinstalls the Secure Boot platform keys.
Step 6: Re-enable Secure Boot and save changes before exiting BIOS.
Step 7: Once Windows boots, press Win + R, type msinfo32, and press Enter.
Under System Summary, check Secure Boot State — it should now show “On.”
Method 2: Disable CSM and Ensure UEFI Boot Mode
Secure Boot requires UEFI mode — it won’t work if your system is still running in Legacy BIOS mode or if CSM (Compatibility Support Module) is active.
Step 1: Enter your BIOS settings again.
Step 2: Find the CSM (Compatibility Support Module) setting under the Boot or Advanced tab.
Step 3: Set CSM to Disabled.
This forces your system to use pure UEFI boot, which is mandatory for Secure Boot.

⚠️ Important: If your system drive uses MBR (Master Boot Record) format instead of GPT (GUID Partition Table), Windows may not boot after disabling CSM.
Step 4: Save and exit BIOS, then reboot.
If Windows loads correctly, Secure Boot can now be activated using Method 1 if necessary.
Step 5: If your system fails to boot, you’ll need to convert your boot drive to GPT using the mbr2gpt tool:
- Boot from Windows installation or recovery media.
- Open Command Prompt and run:
mbr2gpt /convert /allowfullos
- Reboot and retry enabling Secure Boot.
Always back up important data before performing disk conversions.
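Before changing anything in firmware, the conditions that Methods 1 and 2 depend on (UEFI vs Legacy boot, GPT vs MBR system disk, Setup Mode, presence of a Platform Key) can be read from inside Windows. The following is an added example, not part of the original article; the function name Get-SecureBootDiagnosis and the mapping to this page's methods are illustrative assumptions, and it must be run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only check of the states Methods 1 and 2 change.
# Get-SecureBootDiagnosis is a hypothetical helper name, not a built-in cmdlet.
function Get-SecureBootDiagnosis {
    $r = [ordered]@{}

    # Method 2 precondition: Windows must have booted in UEFI mode, not Legacy/CSM.
    $r.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Method 2 warning: an MBR system disk will not boot once CSM is disabled.
    $disk = Get-Disk | Where-Object { $_.IsSystem -or $_.IsBoot } | Select-Object -First 1
    $r.SystemDisk     = $disk.Number
    $r.PartitionStyle = $disk.PartitionStyle      # 'GPT' or 'MBR'

    # Same value msinfo32 reports as "Secure Boot State".
    try   { $r.SecureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $r.SecureBootOn = $null; $r.Note = $_.Exception.Message }   # Legacy boot or unsupported

    # Method 1: in Setup Mode no Platform Key is enrolled, so nothing is enforced.
    try   { $r.SetupMode = [bool](Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0] }
    catch { $r.SetupMode = $null }
    try   { $r.PlatformKeyPresent = (Get-SecureBootUEFI -Name PK -ErrorAction Stop).Bytes.Length -gt 0 }
    catch { $r.PlatformKeyPresent = $false }      # PK variable undefined or not readable

    # Map the findings to the method on this page that addresses them.
    $r.Suggested = if ($r.FirmwareType -ne 'Uefi') {
        if ($r.PartitionStyle -eq 'MBR') { 'Method 2: convert disk to GPT, then disable CSM' }
        else { 'Method 2: disable CSM' }
    } elseif ($r.SetupMode -or -not $r.PlatformKeyPresent) {
        'Method 1: restore factory keys'
    } elseif (-not $r.SecureBootOn) {
        'Method 1: re-enable Secure Boot (Method 3 if it persists)'
    } else {
        'None: Secure Boot is active'
    }

    [pscustomobject]$r
}

Get-SecureBootDiagnosis | Format-List
```

The function only reads state; it changes no firmware variables or disk layout. Running it again after each method confirms whether the change took effect.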
Method 3: Update BIOS and Restore Defaults
If the above methods fail, your firmware may be outdated or corrupted.
Step 1: Go to your motherboard or PC manufacturer’s support page and download the latest BIOS/UEFI firmware update.
Follow the official instructions carefully to update it.
Step 2: After updating, re-enter BIOS and select Restore Factory Defaults (or Reset to Default Settings).

Step 3: Reconfigure Secure Boot following Method 1 — make sure to install factory keys when prompted.
Step 4: Save and reboot.
Use msinfo32 again to confirm that Secure Boot State = On.
Additional Tips and Troubleshooting
- Full shutdown required: Some systems need a full shutdown (not just a restart) to apply Secure Boot changes.
- Unsupported hardware: If msinfo32 shows “Secure Boot State: Unsupported,” your system may lack Secure Boot support or UEFI is disabled.
- Interference from software: Certain antivirus or optimization tools can block Secure Boot — temporarily disable them when troubleshooting.
- Missing Secure Boot options: If your BIOS lacks Secure Boot settings, update your firmware or check your manufacturer’s documentation.
- Data safety: Always back up your files before modifying BIOS settings or converting drives.
Why This Fix Matters
Once Secure Boot is active, Windows 11 can fully leverage its security framework — ensuring only trusted, signed software loads during boot. It also restores compatibility with essential system updates, game anti-cheat systems, and device encryption tools.
By restoring your factory keys, switching to UEFI, or updating your BIOS, you reinforce your system’s resistance to firmware-level attacks — a core pillar of Microsoft’s modern Windows security model.
Conclusion
If Secure Boot shows as disabled in Windows 11 despite being enabled in BIOS, don’t panic — it’s usually a configuration mismatch rather than hardware failure. By following these tested methods, you can reactivate Secure Boot properly, restore your system’s protection, and unlock full compatibility with Windows 11’s latest features.
Keeping Secure Boot active ensures your PC boots safely, resists tampering, and meets all Windows 11 security requirements for updates and apps.