Secure boot enabled but not active?

Sahil Soni 60 Reputation points
2026-03-23T03:01:46.25+00:00

Secure Boot is enabled, but it shows as not active. I’m using UEFI, my drive is GPT, and CSM is off. Secure Boot was already on by default, and I’ve checked everything I can think of but can’t figure out why it’s not working.

I need to get it working so I can play the BF6 beta. Any ideas?

Windows for business | Windows Server | Devices and deployment | Configure application groups

Answer accepted by question author
  1. Harry Phan 17,360 Reputation points Independent Advisor
    2026-03-23T05:07:39.3933333+00:00

    Hi Sahil,

    When Secure Boot shows as enabled in firmware but “not active” in Windows, it usually means the system is booting with a non‑signed or legacy bootloader. The most common cause is that the platform key (PK) and signature databases (KEK/DB) in UEFI are either missing or not properly provisioned, so Windows reports Secure Boot as off even though the toggle is on. Go into your UEFI setup and look under Secure Boot configuration; if you see “Custom” mode, switch it back to “Standard” and re‑install factory keys. On many boards this is done via an option like “Install Default Secure Boot Keys” or “Restore Factory Keys.”

    Also confirm that your GPU driver and bootloader aren’t unsigned, since certain modified boot managers or legacy Option ROMs can silently disable Secure Boot. If you’ve cloned or migrated the OS, check that the EFI System Partition contains the Microsoft Boot Manager (\EFI\Microsoft\Boot\bootmgfw.efi) and that it’s signed. Once the keys are reset and the system boots through the signed Microsoft loader, Windows will report Secure Boot as active. That should satisfy the BF6 beta requirement.

    Harry.


1 additional answer

  1. Q&A Assist
    2026-03-23T03:02:04.1933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The most common reason Secure Boot shows as “enabled” in firmware but “not active” in Windows is missing or incorrect Secure Boot keys/certificates in UEFI.

    Based on similar cases, use this sequence:

    1. Verify UEFI + Secure Boot prerequisites
      • Boot mode must be UEFI (not Legacy/CSM) and the system disk must be GPT. These are already confirmed.
      • CSM must be disabled. Already done.
    2. Check Secure Boot keys in firmware
      • Enter firmware/UEFI setup (typically by pressing F1/F2/F12/Esc during boot, or from Windows: Shift + Restart → Troubleshoot → Advanced options → UEFI Firmware Settings).
      • Locate the Secure Boot section (often under Security, Boot, or Authentication).
      • Look for an option related to Secure Boot keys, key management, or “Keyset”/“Key database” (PK/KEK/db/dbx) or a preset like “Windows UEFI mode”, “Standard”, or “Factory defaults”.
      • If there is an option to “Install default keys”, “Load factory keys”, or select a preset such as “Microsoft only” or “Windows UEFI mode”, apply it. This installs the Microsoft Secure Boot certificates required for Windows.
      • Save and reboot.
      In a similar case, Secure Boot appeared configured but was not active until the user installed the Secure Boot keys from BIOS; after loading the default/Microsoft keyset, Windows reported Secure Boot as active and anti-cheat started working.
    3. Confirm Secure Boot state in Windows
      • After reboot, in Windows run msinfo32 and check:
        • “BIOS Mode” = UEFI
        • “Secure Boot State” = On
      • If it still shows Off or not active, re-enter UEFI and:
        • Ensure Secure Boot is set to Enabled (not just “Setup” or “Audit” mode).
        • If there is a “Custom” vs “Standard”/“Windows” mode, choose the standard/Windows mode and reload default keys again.
    4. If Secure Boot still won’t become active
      • Some systems require resetting firmware to factory defaults, then re-enabling UEFI boot, disabling CSM, and enabling Secure Boot again so that the correct keyset is applied.
      • If the firmware offers a Secure Boot “Custom” mode and keys look empty, use the option to restore factory keys rather than manually editing.

    Once Windows reports “Secure Boot State: On” in System Information, games that require Secure Boot (such as BF6 beta) should recognize it.
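
Both answers attribute the "enabled but not active" state to unprovisioned PK/KEK/db keys or to firmware left in Setup mode. The read-only PowerShell below is an added example, not part of either answer and not a Microsoft-provided script; it reports that state from Windows using the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets. The helper name `Get-SecureBootVariable` is hypothetical, and the two certificate names searched for in `db` are an assumption about which Microsoft certificates a factory keyset contains.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report of Secure Boot state and key provisioning.

# Hypothetical helper: read one Secure Boot UEFI variable without aborting
# when the firmware has no value stored for it.
function Get-SecureBootVariable {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $v = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        [pscustomobject]@{ Name = $Name; Present = ($v.Bytes.Length -gt 0)
                           Size = $v.Bytes.Length; Bytes = $v.Bytes }
    } catch {
        # The cmdlet throws when the variable is undefined, e.g. keys were cleared.
        [pscustomobject]@{ Name = $Name; Present = $false; Size = 0; Bytes = @() }
    }
}

# 1. The state Windows reports (same source as "Secure Boot State" in msinfo32).
try {
    $active = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
    Write-Warning 'The system was probably booted in Legacy/CSM mode, not UEFI.'
    return
}
"Secure Boot active: $active"

# 2. Are the key stores named in the answers provisioned at all?
$vars = 'PK', 'KEK', 'db', 'dbx' | ForEach-Object { Get-SecureBootVariable $_ }
$vars | Format-Table Name, Present, Size -AutoSize | Out-String

# 3. SetupMode = 1 means no Platform Key is enrolled, so nothing is enforced.
$setup = Get-SecureBootVariable 'SetupMode'
if ($setup.Present -and $setup.Bytes[0] -eq 1) {
    'Firmware is in Setup mode: no Platform Key (PK) is enrolled.'
}

# 4. Does db contain a Microsoft certificate that signs the Windows boot manager?
$db = $vars | Where-Object Name -eq 'db'
if ($db.Present) {
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    foreach ($cn in 'Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023') {
        '{0,-40} found in db: {1}' -f $cn, $text.Contains($cn)
    }
}

# 5. Summary matching the fix both answers describe.
$missing = $vars | Where-Object { $_.Name -ne 'dbx' -and -not $_.Present } | ForEach-Object Name
if (-not $active -and $missing) {
    "Not active; empty key stores: $($missing -join ', '). Restore factory keys in UEFI setup."
}
```

An empty `dbx` on its own does not stop Secure Boot from becoming active, which is why the summary ignores it.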

