Secure Boot shows as enabled but not active is usually caused by some incorrect settings. This guide explains why it occurs and shows several simple ways to fix the problem and activate Secure Boot successfully.
🌟 Quick Look: Fixing Secure Boot Enabled But Not Active
The Problem Windows may report Secure Boot as inactive even if it is turned on in the BIOS. This usually happens due to incorrect boot modes, outdated partition styles, or missing security keys.
🔶 Core Solutions
Verify Compatibility: Use the "msinfo32" command to check if your BIOS Mode is set to UEFI and see the current status of Secure Boot.
Toggle BIOS Settings: Access UEFI Firmware Settings through Windows Recovery to manually cycle the Secure Boot setting and ensure it is fully applied.
Convert Disk to GPT: Secure Boot only functions on GPT disks. If your drive is MBR, use a tool like AOMEI Partition Assistant to convert it without losing your files.
Reset Security Keys: If the system is in "Setup Mode," restoring Factory Default Keys in the BIOS menu will often trigger activation.
🔶 Common Cause
Legacy/CSM Mode: Secure Boot is incompatible with Legacy boot and requires pure UEFI mode.
MBR Partitions: Older partition styles prevent the feature from activating.
Missing Platform Keys: Without a valid Platform Key (PK), the system cannot verify the boot process.
🔶 Essential Requirements
For Windows 11 users, both Secure Boot and TPM 2.0 must be functional to meet official system security standards and protect against boot-level malware.
Before making any changes, you should first confirm whether your computer supports UEFI Secure Boot. You can quickly check this in System Information. Press Win + R, type msinfo32, and press Enter. Then look for “BIOS Mode” and “Secure Boot State” to see whether Secure Boot is supported and currently active.
Step 1. Press “Win+R” simultaneously, type msinfo32 and hit “ENTER”.
Step 2. In the “System Information” window, select “System Summary” and look for “Secure Boot State” on the right side. If the value is “on”, the secure boot is enabled; if “off”, the secure boot isn’t enabled and you need to enable it for Windows 11.
Sometimes Secure Boot may appear enabled in BIOS, but Windows still shows it as inactive. This usually happens because the setting was not fully applied or the system is not running in the correct boot mode. Before trying other fixes, it is important to confirm whether Secure Boot is actually turned on in your UEFI firmware settings. You can restart your computer and manually check the Secure Boot status in BIOS. Follow the steps below to verify and enable the feature properly.
Step 1. Open Settings on your computer and select the System option.
Step 2. Scroll down and click Recovery.
Step 3. Under Advanced startup, click Restart now.
Step 4. After the PC restarts, select Troubleshoot.
Step 5. Click Advanced options and then choose UEFI Firmware Settings. After that, click Restart.
Step 6. Your computer will boot into the UEFI BIOS menu.
Step 7. Find and open BIOS Setup or Boot settings.
Step 8. Locate the Secure Boot option. Make sure the Secure Boot setting is reactived and enabled, and save the changes before exiting BIOS.
Secure Boot only works correctly when the system disk uses the GPT partition style instead of MBR. If your PC is still using an MBR disk, Secure Boot may show as enabled but not active in BIOS or Windows. Before making any changes, you can first check your disk style. Press Win + X and open Disk Management. Right click the system disk, choose “Properties”, then go to the “Volumes” tab. There you can see whether the partition style is MBR or GPT.
If the disk is MBR, you need to convert it to GPT so Secure Boot can function properly in UEFI mode. A simple and reliable way to do this is by using AOMEI Partition Software. This partition software helps convert MBR to GPT without reinstalling Windows or losing personal files by deleting partitions, making the process much easier and safer for most users.
Step 1. Launch AOMEI Partition Software. Find the target HDD, right-click on it, and select “Convert to GPT”.
Step 2. Confirm the conversion by clicking OK and then Yes.
Step 3. Return to the main interface and click Apply → Proceed to execute the conversion.
The process is straightforward, ensuring your data remains intact while transforming the disk to GPT format. This powerful software can also help to fix the selected boot device failed error on your computer.
If your PC enters Setup Mode, it usually means the Platform Key (PK) stored in the BIOS/UEFI firmware has been deleted, corrupted, or reset. The Platform Key is an important part of Secure Boot because it verifies whether the system can trust the boot process. Without this key, Secure Boot may appear enabled but remain inactive.
To fix this issue, you can restore or reinstall the default Secure Boot keys in BIOS. Restart your computer and enter the BIOS/UEFI settings. Then locate the Secure Boot section and look for options such as “Install Default Secure Boot Keys,” “Restore Factory Keys,” or “Reset to Setup Mode.” After loading the default keys, save the changes and reboot the PC. Once the Platform Key is recreated, the operating system can properly communicate with Secure Boot, and the Secure Boot status should become active again.
Step 1. In BIOS setup, if Mode is set to User, enable Secure Boot. If Settings is displayed, disable Secure Boot if it is currently enabled.
Step 2. If "Safe Boot Mode" is set to "Standard", switch to "Custom". Then change "Custom" to "Standard" and accept "Factory Default".
Secure Boot may appear as enabled in BIOS, but still show as inactive in Windows due to several configuration or compatibility issues. This usually happens when the system is not fully using UEFI mode, the boot drive uses the MBR partition style instead of GPT, or the required Secure Boot keys are missing. In some cases, users enable Secure Boot in BIOS but forget to disable Legacy or CSM mode, which prevents Secure Boot from becoming active. Outdated firmware, unsupported graphics cards, or incorrect operating system installation methods can also lead to this issue.
| Possible Cause | Explanation |
|---|---|
| Legacy/CSM mode enabled | Secure Boot only works in pure UEFI mode |
| MBR partition style | Secure Boot requires the system disk to use GPT |
| Missing Platform Key (PK) | BIOS cannot fully activate Secure Boot without security keys |
| Unsupported hardware | Older GPUs or devices may not support Secure Boot properly |
| Outdated BIOS firmware | Older firmware versions may contain Secure Boot bugs |
| Incorrect Windows installation | Windows installed in Legacy mode cannot fully use Secure Boot |
| Secure Boot set to Custom mode | Improper key settings may stop activation |
To fix Secure Boot enabled but not active, users usually need to switch the system to UEFI mode, convert the disk from MBR to GPT, restore Secure Boot keys, and update BIOS firmware if necessary. Many users also use disk management tools such as AOMEI Partition Software to safely convert disks without reinstalling Windows. After making the correct changes, Secure Boot should display as active in System Information.
Secure Boot enabled but not active is a common problem in Windows 11 and Windows 10, but it can usually be fixed with the right BIOS and disk settings. By checking UEFI support, reactivating Secure Boot, converting the system disk from MBR to GPT, and restoring the default Secure Boot keys, you can successfully make Secure Boot active again. If you want an easier way to manage disk conversion without losing data, tools like AOMEI Partition Software can help simplify the process. After applying the correct solution, Secure Boot should work properly and improve your system security. This powerful software can also help to move the program files folder to another drive, repair external hard drives, or easily fix any boot issues.
🗨️ Why is Secure Boot suddenly disabled?
Secure Boot can suddenly become disabled after a BIOS update, CMOS reset, hardware change, or incorrect BIOS configuration. In some cases, switching from UEFI mode to Legacy or CSM mode will automatically disable Secure Boot. Corrupted or missing Secure Boot keys may also cause the feature to appear disabled.
🗨️ Why is Secure Boot causing my PC to not boot?
Secure Boot may prevent the PC from booting if the operating system, graphics card, or boot files are not properly signed or compatible with UEFI Secure Boot. This often happens with older hardware, unsupported drivers, dual boot systems, or Windows installed in Legacy mode instead of UEFI mode.
🗨️ Is TPM 2.0 the same as Secure Boot?
No, TPM 2.0 and Secure Boot are different technologies. TPM 2.0 is a hardware security chip that stores encryption keys and protects sensitive data, while Secure Boot is a UEFI feature that checks whether the system boots using trusted software and drivers.
🗨️ Does Windows 11 need TPM 2.0 and Secure Boot?
Yes, Windows 11 officially requires both TPM 2.0 and Secure Boot for installation on supported devices. These security features help protect the system from malware, unauthorized access, and boot level attacks.
🗨️ Is Secure Boot separate from TPMs?
Yes, Secure Boot and TPMs are separate security components, but they often work together. Secure Boot protects the startup process, while TPM handles encryption and secure key storage. A computer can support one without the other, although modern Windows 11 systems usually use both.