Why Is Secure Boot State Off? | What To Check Next

Secure Boot shows off when your PC is using the wrong boot mode, missing firmware certificates, or a startup path Windows can’t verify.

Seeing “Secure Boot State: Off” in System Information can feel confusing. In most cases, the reading does not point to a failed Windows install. It points to a mismatch between firmware settings, boot mode, disk layout, and the trust data Secure Boot needs before Windows loads.

That mismatch matters because Secure Boot is part of the startup chain. It checks whether the boot loader and other early startup pieces are signed and trusted. If the chain is not set up the right way, Windows can still boot on many PCs, but Secure Boot stays off and some features or games may refuse to run.

Why Is Secure Boot State Off? Common Causes

The off state usually comes from one of five places:

  • UEFI is not the active boot mode.
  • CSM or Legacy Boot is still turned on in firmware.
  • Secure Boot certificates were cleared, reset, or never loaded.
  • The Windows drive is still using MBR instead of GPT.
  • The firmware is set to an OS mode that leaves Secure Boot idle.

You can confirm the first clue in Windows. Press Win + R, type msinfo32, and check two lines: BIOS Mode and Secure Boot State. If BIOS Mode says Legacy, Secure Boot cannot turn on. If BIOS Mode says UEFI and Secure Boot still says Off, the issue is usually inside firmware settings or Secure Boot certificate storage.

Secure Boot Off In Windows: What The Reading Usually Means

Think of the status as a chain of gates. UEFI mode is one gate. Secure Boot certificates are another. A GPT system disk is another. If one gate is closed, the full chain does not complete, so Windows reports the feature as off.

Microsoft explains that Secure Boot is tied to UEFI firmware and is used to allow only trusted boot software during startup. The company’s page on Windows 11 and Secure Boot gives a clear baseline for what Windows expects on an eligible PC.

Legacy Boot Or CSM Is Still Active

This is the most common reason. Many boards ship with a Compatibility Support Module, often called CSM, that lets older MBR-based installs boot in a BIOS-like mode. The moment CSM is active, Secure Boot is usually disabled or hidden.

The wording changes a bit by brand. Still, the pattern is the same: turn off CSM or Legacy Boot, save, reboot into firmware again, then check whether the Secure Boot menu wakes up.

The System Disk Is Still MBR

Secure Boot and UEFI work best with a GPT system disk. If Windows was installed years ago in Legacy mode, the drive may still use MBR. In that setup, firmware toggles alone will not fix the startup path, because the disk layout is holding the system in the old mode.

Microsoft’s MBR2GPT tool can convert a system disk from MBR to GPT without deleting data when the disk meets the tool’s rules. That is often the cleanest path when you want to keep the current Windows install and move to UEFI.

| What You See | What It Usually Means | What To Check Next |
|---|---|---|
| BIOS Mode: Legacy | Windows is not booting through UEFI | Switch firmware to UEFI and review disk partition style |
| BIOS Mode: UEFI, Secure Boot: Off | UEFI is active, but Secure Boot is not fully enabled | Open firmware and check Secure Boot, OS type, and certificate status |
| Secure Boot menu is grayed out | CSM, Legacy Boot, or wrong OS mode is still active | Disable CSM and set OS type to Windows UEFI mode if present |
| Secure Boot was on, then went off after a reset | Default certificates may have been cleared | Load factory Secure Boot data in firmware |
| PC boots fine, anti-cheat still complains | Windows can start, but the Secure Boot trust chain is incomplete | Recheck msinfo32 after each firmware change |
| Drive shows MBR in Disk Management | Old partition style is blocking a full UEFI setup | Back up data and prepare for MBR to GPT conversion |
| Secure Boot option exists, but toggling does nothing | Firmware certificates may be missing or custom mode is active | Restore default certificates and switch to Standard mode |
| System Information says Unsupported | Firmware, boot mode, or board design does not expose Secure Boot properly | Check model notes and firmware updates from the device maker |

Secure Boot Certificates Are Missing Or Reset

Secure Boot does not run on a blank certificate store. The firmware needs its platform certificate and allowed-signature databases in place. On many boards, you will see options to restore factory data or switch from Custom to Standard mode. If that data is missing, Secure Boot may look enabled in one menu and still read off in Windows.

This is one reason the menu can be misleading. A board can show a Secure Boot switch, yet the trusted signing data behind that switch is empty. The UEFI specification describes Secure Boot and driver-signing checks at the firmware level in "Secure Boot and Driver Signing."
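The certificate store described above can be inspected from Windows instead of trusting the firmware menu. This is an added example, not part of the original page; the function names `Get-SecureBootStoreReport` and `Get-SetupModeState` are hypothetical, and the script assumes an elevated PowerShell session on a PC booted in UEFI mode.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
# Read-only: it lists which Secure Boot variables the firmware actually holds.
function Get-SecureBootStoreReport {
    # PK = platform key, KEK = key exchange keys,
    # db = allowed signatures, dbx = revoked signatures
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        $size  = 0
        $state = 'Missing or empty'
        try {
            $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
            if ($var.Bytes -and $var.Bytes.Length -gt 0) {
                $size  = $var.Bytes.Length
                $state = 'Present'
            }
        } catch {
            # The cmdlet errors when the variable is undefined and when the
            # system is not booted in UEFI mode; keep the message for the report.
            $state = "Unreadable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Variable = $name; State = $state; Bytes = $size }
    }
}

function Get-SetupModeState {
    # SetupMode = 1 means no platform key is enrolled, so the firmware
    # cannot enforce Secure Boot even if its menu switch reads Enabled.
    try {
        $bytes = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes
        if ($bytes[0] -eq 1) { 'Setup mode (no PK enrolled)' }
        else                 { 'User mode (PK enrolled)' }
    } catch {
        "Unknown: $($_.Exception.Message)"
    }
}

Get-SecureBootStoreReport | Format-Table -AutoSize
"Firmware key state: $(Get-SetupModeState)"
```

A missing PK or db entry alongside a firmware menu that reads Enabled is the misleading case described above, and restoring factory data in firmware is the fix.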

The Firmware Is Set To The Wrong OS Mode

Some firmware menus offer a choice like Windows UEFI Mode or Other OS. If the board is set to the second option, Secure Boot may stay dormant even with UEFI mode already active. This setting is common on gaming boards and on systems that were used with Linux dual boot, old GPU firmware, or older expansion cards.

If you changed graphics hardware, added an older PCIe card, or flashed firmware recently, this setting deserves a second look. One old add-in device can push you back toward a compatibility mode that leaves Secure Boot off.

How To Fix The Off State Without Guesswork

The cleanest way to work through this is to move in order, not by trial and error. Use this sequence:

  1. Open msinfo32 and note BIOS Mode and Secure Boot State.
  2. Open Disk Management, right-click the system disk, choose Properties, then check whether the partition style is MBR or GPT.
  3. Reboot into firmware and disable CSM or Legacy Boot.
  4. Set the boot mode to UEFI.
  5. Set OS type to a Windows UEFI option if your board has one.
  6. Restore default Secure Boot certificates or switch from Custom to Standard mode.
  7. Save changes, reboot, and check msinfo32 again.

If the system disk is MBR, stop there and make a backup before changing boot mode for good. A straight switch from Legacy to UEFI on an MBR install can leave the PC unbootable until the disk is converted or Windows is reinstalled in UEFI mode.

If BitLocker is active, suspend it before making firmware changes. That avoids a recovery prompt after the boot path changes. Then resume it after you confirm the system is starting normally again.
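The Windows-side checks from steps 1 and 2, plus the MBR and BitLocker cautions, can be gathered in one read-only pass before rebooting into firmware. This is an added example, not part of the original page; `Get-SecureBootPreflight` is a hypothetical name, and the script assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell 5.1+ session.
# Read-only: it reports state and suggests the next step, it changes nothing.
function Get-SecureBootPreflight {
    # Same value msinfo32 shows as "BIOS Mode": Uefi or Bios (Legacy).
    $fw = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Returns $true/$false under UEFI; raises an error on Legacy boots.
    try   { $sb = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' } }
    catch { $sb = 'Unavailable' }

    # Disk that holds Windows; UEFI boot needs GPT here.
    $disk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1

    # Active BitLocker protection prompts for recovery when the boot path changes.
    try   { $bl = [string](Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus }
    catch { $bl = 'Unknown' }

    $next = if ($disk.PartitionStyle -eq 'MBR') {
        "Back up first, then run: mbr2gpt /validate /disk:$($disk.Number) /allowFullOS"
    } elseif ($fw -ne 'Uefi') {
        'Disable CSM or Legacy Boot and set boot mode to UEFI in firmware'
    } elseif ($sb -ne 'On') {
        'Check OS type, Secure Boot mode, and default certificates in firmware'
    } else {
        'Nothing to change'
    }

    [pscustomobject]@{
        BiosMode        = $fw
        SecureBootState = $sb
        SystemDisk      = $disk.Number
        PartitionStyle  = [string]$disk.PartitionStyle
        BitLocker       = $bl
        SuspendFirst    = ($bl -eq 'On')   # suspend BitLocker before firmware changes
        NextStep        = $next
    }
}

Get-SecureBootPreflight | Format-List
```

Run it again after each firmware change; the `SecureBootState` field should match what msinfo32 reports.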

| Check | Where To Look | Good Result |
|---|---|---|
| BIOS mode | msinfo32 | UEFI |
| Partition style | Disk Management > Disk Properties > Volumes | GPT |
| Compatibility mode | Firmware Boot tab | CSM or Legacy disabled |
| Secure Boot mode | Firmware Security or Boot tab | Enabled or Standard |
| Certificate load | Firmware Secure Boot submenu | Default or factory data installed |
| Windows status | msinfo32 after reboot | Secure Boot State: On |

When The Reading Stays Off Even After You Enable It

If BIOS Mode is already UEFI, CSM is off, GPT is in place, and the certificates are loaded, yet Windows still shows the feature as off, the remaining suspects are firmware bugs, stale firmware, or a board-specific quirk in how Secure Boot is exposed. At that stage, a BIOS update from your PC or motherboard maker is often worth trying.

The setting can be changed in one screen and undone by another. Some boards reset Secure Boot when you load tuned profiles, switch storage modes, clear CMOS, or swap hardware. If the state keeps flipping, check every startup-related menu, not just the Secure Boot page.

Once everything lines up, the reading in System Information should move from off to on. If it does not, compare the board manual, current firmware version, and your exact boot path step by step.
