9 reasons why Secure Boot doesn’t work in Windows 10 (and how to fix it)

If your PC reports that Secure Boot doesn’t work in Windows 10, the most common causes are incorrect firmware settings (Secure Boot disabled or the system running in Legacy/CSM mode), missing or corrupted Secure Boot keys, an unsigned bootloader or drivers, or firmware bugs. This article explains the likely reasons and gives clear, step‑by‑step fixes so you can restore Secure Boot without losing data.

You’ll learn how to check Secure Boot status, enable it in UEFI, convert an MBR Windows install to GPT, restore Secure Boot keys, update firmware, repair bootloaders, handle BitLocker/TPM interactions, and when to get vendor help.


Key Takeaway

The fastest fix is to verify Secure Boot status in Windows (use msinfo32 or Confirm-SecureBootUEFI), then enable Secure Boot and UEFI mode in your firmware; if Windows was installed in Legacy/MBR mode you must convert to GPT (using mbr2gpt) or reinstall Windows in UEFI mode. Always suspend BitLocker and back up data before changing firmware/partition schemes.


Quick Fix Guide

Reason for the problem                               | Quick solution
-----------------------------------------------------|----------------------------------------------------------------------------------------------
Secure Boot is disabled in UEFI                      | Enter UEFI/BIOS and set Secure Boot = Enabled.
System booting in Legacy/CSM mode (MBR install)      | Convert to GPT using mbr2gpt or reinstall Windows in UEFI mode.
Compatibility Support Module (CSM) enabled           | Disable CSM/Legacy boot in UEFI so Secure Boot can work.
Secure Boot keys missing or corrupted                | In UEFI restore factory Secure Boot keys or choose Install Default/Factory Keys.
Bootloader or OS not signed                          | Use a signed bootloader (Windows or shim for Linux) or reinstall signed components.
Outdated or buggy UEFI firmware                      | Update firmware/BIOS from the PC/OEM website following vendor instructions.
Unsigned or incompatible drivers                     | Update drivers from the vendor; temporarily disable driver signature enforcement for troubleshooting.
Third‑party boot managers (GRUB, rEFInd)             | Restore the Windows bootloader with bcdboot / bootrec or configure shim with proper keys.
BitLocker/TPM or Fast Startup interfering            | Suspend BitLocker and disable Fast Startup before firmware changes.

Detailed Fixes for “Secure Boot doesn’t work in Windows 10”

1. Secure Boot is disabled in UEFI

Why it causes problems

  • Secure Boot must be enabled in UEFI to protect the boot chain; if it’s off, Windows won’t enforce signed boot components and some features (like Device Guard) may be inactive.

Step-by-step solution

  1. Open Settings > Update & Security > Recovery. Under Advanced startup click Restart now.
  2. Choose Troubleshoot > Advanced options > UEFI Firmware Settings > Restart to enter the firmware, OR press the required OEM key (F2, Del, Esc) during boot.
  3. In UEFI settings find Secure Boot (often under Boot, Security, or Authentication).
  4. Set Secure Boot = Enabled and save changes (usually F10 or Save & Exit).
  5. Boot to Windows and confirm with Start > Run: msinfo32 and check Secure Boot State = On, or open an elevated PowerShell and run Confirm-SecureBootUEFI (returns True when enabled).
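The checks in step 5, plus the partition-style, Setup Mode and BitLocker checks the later sections rely on, can be gathered in one go. This is an added example, not the article's own script; it assumes an elevated PowerShell on a Windows 10 machine and uses only built-in cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI, Get-Disk, Get-Tpm, Get-BitLockerVolume). The "Reason" labels in the output refer to the numbered sections of this article.

```powershell
# Added example, not part of the article: a one-shot Secure Boot triage report that
# maps each finding to the numbered reasons in the article. Run from an elevated PowerShell.
function Get-SecureBootReport {
    $report = [ordered]@{}

    # 'UEFI' or 'Legacy': how the running OS was booted (Windows sets this variable at boot)
    $report.FirmwareType = $env:firmware_type

    # Confirm-SecureBootUEFI throws on legacy BIOS boots, so treat an error as "unavailable"
    try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $report.SecureBootEnabled = 'Unavailable' }

    # SetupMode = 1 means no Platform Key (PK) is enrolled, so Secure Boot cannot be enforced
    try   { $report.SetupMode = [bool](Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0] }
    catch { $report.SetupMode = 'Unavailable' }

    # The disk holding the Windows volume must be GPT for UEFI boot
    $sysDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
    $report.SystemDiskPartitionStyle = $sysDisk.PartitionStyle

    # TPM and BitLocker state decide whether firmware changes will trigger BitLocker recovery
    $tpm = Get-Tpm
    $report.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    $report.BitLockerOsVolume = (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus

    # Map findings to the article's reasons so the reader knows which fix to apply first
    $actions = @()
    if ($report.FirmwareType -ne 'UEFI')            { $actions += 'Reasons 2/3: booted in Legacy/CSM mode; switch firmware to UEFI-only' }
    if ($report.SystemDiskPartitionStyle -ne 'GPT') { $actions += 'Reason 2: system disk is MBR; run mbr2gpt /validate then /convert' }
    if ($report.SetupMode -eq $true)                { $actions += 'Reason 4: firmware is in Setup Mode (no PK); restore factory keys' }
    if ($report.SecureBootEnabled -ne $true)        { $actions += 'Reason 1: Secure Boot is off or unavailable; enable it in UEFI' }
    if ($report.BitLockerOsVolume -eq 'On')         { $actions += 'Reason 9: suspend BitLocker before changing firmware settings' }
    $report.RecommendedActions = if ($actions) { $actions } else { 'None: Secure Boot looks healthy' }

    [pscustomobject]$report
}

Get-SecureBootReport | Format-List
```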

Notes

  • Some OEMs label the option differently (e.g., OS Type = Windows UEFI mode); choose the setting that mentions Windows/UEFI.

2. System is booting in Legacy/CSM mode or was installed in MBR

Why it causes problems

  • Secure Boot requires UEFI booting with GPT partition style. If Windows was installed in Legacy BIOS/MBR mode, Secure Boot can’t protect the boot chain.

Step-by-step solution (convert to GPT using mbr2gpt)

  1. Back up all important files (convert operations carry risk).
  2. Open an elevated Command Prompt.
  3. Validate conversion: run mbr2gpt /validate /allowfullos
  4. If validation succeeds, run mbr2gpt /convert /allowfullos
  5. After conversion, reboot to UEFI firmware and disable CSM / enable UEFI boot.
  6. Save and boot into Windows; confirm GPT: in Disk Management (disk properties) check Partition style: GUID Partition Table (GPT).
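Steps 1 to 4 above, combined with the BitLocker suspension from Reason 9, can be wrapped so that the conversion only runs when validation passes. This is an added example, not the article's own script; it assumes an elevated PowerShell, that the Windows volume is $env:SystemDrive, and that a backup and recovery drive already exist.

```powershell
# Added example, not part of the article: guarded MBR-to-GPT conversion.
# Suspends BitLocker (Reason 9), validates with mbr2gpt, and converts only when validation passes.
function Convert-SystemDiskToGpt {
    param(
        # Disk number of the disk that holds the Windows volume (hypothetical default, derived at call time)
        [int]$DiskNumber = (Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk).Number
    )

    if ($env:firmware_type -eq 'UEFI') {
        throw 'Already booted in UEFI mode; no conversion is needed.'
    }

    # Reason 9: suspend BitLocker so changed boot measurements do not force recovery on next boot.
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is run.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($bl.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 0 | Out-Null
    }

    # mbr2gpt exits 0 on success; /allowfullos permits running inside the full Windows OS
    & mbr2gpt.exe /validate "/disk:$DiskNumber" /allowfullos
    if ($LASTEXITCODE -ne 0) {
        throw "Validation failed (exit code $LASTEXITCODE); check %windir%\setupact.log and fix the disk layout first."
    }

    & mbr2gpt.exe /convert "/disk:$DiskNumber" /allowfullos
    if ($LASTEXITCODE -ne 0) {
        throw "Conversion failed (exit code $LASTEXITCODE); review %windir%\setupact.log before retrying."
    }

    'Conversion complete. Reboot, enter UEFI firmware, disable CSM, enable Secure Boot, then run Resume-BitLocker.'
}

Convert-SystemDiskToGpt
```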

Alternative

  • Reinstall Windows in UEFI mode: boot the installer in UEFI mode and clean install (ensure disks are GPT).

Notes

  • mbr2gpt is included in Windows 10 v1703+ and is designed to run from Windows PE, or from the running OS with the /allowfullos switch used above. Always have a recovery drive handy.

3. Compatibility Support Module (CSM) is enabled

Why it causes problems

  • CSM allows legacy BIOS features that can conflict with Secure Boot (some firmware automatically disables Secure Boot when CSM is active).

Step-by-step solution

  1. Enter UEFI/BIOS (see previous steps).
  2. Locate Compatibility Support Module (CSM) or Legacy Boot settings (often under Boot).
  3. Set CSM = Disabled or change Boot Mode = UEFI only.
  4. Ensure OS is installed in UEFI/GPT (see previous section).
  5. Save and reboot.

Notes

  • Disabling CSM can prevent older OS or devices from booting; verify hardware compatibility first.

4. Secure Boot keys missing, custom, or corrupted

Why it causes problems

  • Secure Boot depends on keys (PK, KEK, db). If keys were cleared or replaced incorrectly, Secure Boot cannot validate signatures.

Step-by-step solution

  1. Enter UEFI settings and find Secure Boot Keys or Key Management.
  2. Look for options like Restore Factory Keys, Install Default Keys, or Clear Keys.
  3. Choose Restore/Install Factory Keys to return OEM default keys.
  4. Save and reboot.
  5. Confirm in Windows msinfo32 that Secure Boot is ON.

Notes and caution

  • If you or someone previously enrolled custom keys intentionally, restoring factory keys will remove custom enrollments—make sure you want to do this.
  • On enterprise machines using custom PKI, consult your IT admin before changing keys.
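Before restoring factory keys it helps to see what is actually enrolled. The following added example (not the article's own code) reads the PK, KEK, db or dbx variable with Get-SecureBootUEFI and parses its EFI_SIGNATURE_LIST entries, printing the subject of each X.509 certificate and counting SHA-256 hash entries; it assumes an elevated PowerShell on a UEFI system. A missing variable is reported as a warning rather than an error, which is the symptom this section describes.

```powershell
# Added example, not part of the article: enumerate what a Secure Boot database contains
# by parsing the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI.
$EfiCertX509   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-SecureBootDbEntries {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    try { $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes }
    catch { Write-Warning "$Name is not readable ($($_.Exception.Message)); the variable may be missing (Reason 4)."; return }

    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three UINT32 fields:
        # SignatureListSize, SignatureHeaderSize, SignatureSize
        $type     = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { Write-Warning "Malformed list at offset $offset"; break }

        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by SignatureData
            $owner = [Guid]::new([byte[]]$bytes[$pos..($pos + 15)])
            $data  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [ordered]@{ Database = $Name; Owner = $owner; Type = 'Other'; Value = "<$($data.Length) bytes>"; NotAfter = $null }
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Type = 'X509'; $entry.Value = $cert.Subject; $entry.NotAfter = $cert.NotAfter
            } elseif ($type -eq $EfiCertSha256) {
                $entry.Type = 'SHA256'; $entry.Value = ([BitConverter]::ToString($data) -replace '-')
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $offset = $end
    }
}

# Which signers the firmware trusts (db) and how many revocation entries are loaded (dbx)
Get-SecureBootDbEntries -Name db  | Format-Table Type, Value, NotAfter -AutoSize
Get-SecureBootDbEntries -Name dbx | Group-Object Type | Select-Object Name, Count
```

An empty or unreadable PK with SetupMode set is the state that "Restore Factory Keys" in step 3 is meant to fix; on an OEM machine the db listing should include the Microsoft Windows Production PCA entry that signs the Windows bootloader.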

5. Bootloader or OS not properly signed (unsigned bootloader)

Why it causes problems

  • Secure Boot only allows signed bootloaders/kernels; unsigned or self-signed boot components (typical for some Linux setups) will be blocked.

Step-by-step solution

For Windows:

  • Repair the Windows bootloader: boot into Windows Recovery Environment and run:
    • bootrec /fixmbr
    • bootrec /fixboot
    • bootrec /scanos
    • bootrec /rebuildbcd
  • Or recreate UEFI boot files: open Command Prompt from recovery and run bcdboot C:\Windows /l en-US /s S: /f UEFI (replace S: with your EFI system partition letter).

For Linux:

  • Install a UEFI‑signed shim (distribution-specific) that is recognized by Secure Boot, or enroll the distro’s keys into firmware.

Notes

  • Using a signed shim allows dual‑boot without breaking Secure Boot. Refer to your Linux distro’s Secure Boot documentation.

6. Outdated or buggy UEFI/BIOS firmware

Why it causes problems

  • Firmware bugs or missing Secure Boot support can prevent Secure Boot from functioning correctly even if settings look correct.

Step-by-step solution

  1. Identify your motherboard/PC model (in System Information or from OEM label).
  2. Visit the OEM support site and find the latest BIOS/UEFI firmware for your model.
  3. Read the update instructions and release notes carefully.
  4. Follow vendor steps to update firmware (Windows updater, bootable USB, or built-in updater).
  5. After update, re-check UEFI Secure Boot settings and re-enable if necessary.

Notes

  • Never power off during a firmware update. If uncomfortable, contact the vendor or a technician.

7. Unsigned or incompatible drivers

Why it causes problems

  • Windows enforces driver signing; third‑party unsigned drivers or kernel modules can cause failures that look like Secure Boot problems.

Step-by-step solution

  1. Check driver signature status: run sigverif or use Device Manager to view problem devices.
  2. Update drivers from the official hardware vendor website.
  3. If a recent driver caused failure, roll back in Device Manager (right‑click device > Properties > Driver > Roll Back Driver).
  4. For troubleshooting, you can temporarily disable driver signature enforcement: hold Shift and click Restart > Troubleshoot > Advanced options > Startup Settings then choose Disable driver signature enforcement. (Not recommended for permanent use.)

Notes

  • Prefer signed drivers; avoid disabling signature enforcement except temporarily to recover.

8. Third‑party boot managers or dual‑boot configurations

Why it causes problems

  • Boot managers like older GRUB versions may not be signed or configured for Secure Boot, blocking startup.

Step-by-step solution

  1. If you need Windows only: restore Windows bootloader (see steps under Reason 5).
  2. If you want dual‑boot: use a signed shim bootloader (many distros provide this) and ensure the shim is enrolled or accepted in Secure Boot.
  3. For troubleshooting, temporarily disable Secure Boot to boot and then arrange for a signed shim or reinstall the boot manager correctly.
  4. Re-enable Secure Boot once signed components are installed.

Notes

  • Dual‑boot setups require careful handling of keys and signed bootloaders.

9. BitLocker/TPM or Fast Startup interactions

Why it causes problems

  • Changing Secure Boot or firmware settings can trigger BitLocker recovery (TPM measures change) or prevent entry into firmware due to Fast Startup.

Step-by-step solution

  1. Before firmware changes, suspend BitLocker: Control Panel > System and Security > BitLocker Drive Encryption > Suspend protection.
  2. Disable Fast Startup: Control Panel > Power Options > Choose what the power buttons do > Change settings that are currently unavailable then uncheck Turn on fast startup.
  3. If BitLocker recovery occurs after changes, use your recovery key to unlock the drive (find it at your Microsoft account or BitLocker recovery location).
  4. For TPM issues: open Windows Security > Device security > Security processor details to view TPM status. Clearing TPM should only be done if instructed and you have backups (clearing will delete keys).

Notes

  • Always back up your BitLocker recovery key before firmware operations.

Precautions and Backup Recommendations

  • Back up important data to an external drive or cloud before changing partition style, firmware, or Secure Boot keys.
  • Suspend BitLocker before firmware updates or key restoration.
  • Create a Windows recovery USB: Control Panel > Recovery > Create a recovery drive.
  • If you’re using corporate hardware, consult IT — enterprise Secure Boot policies may be in place.

FAQ

Can I enable Secure Boot on very old PCs?

Most older PCs lack UEFI or have limited Secure Boot support. If your firmware only supports Legacy BIOS, Secure Boot is not available — consider hardware upgrade.

Will turning on Secure Boot break my Linux dual‑boot?

It can unless your Linux uses a signed shim or you enroll the distribution keys in firmware. Use distributions that support Secure Boot or configure shim/rEFInd correctly.

How can I check Secure Boot from the command line?

Open an elevated PowerShell and run Confirm-SecureBootUEFI (returns True/False) or in Command Prompt run bcdedit /enum {current} to inspect boot settings. msinfo32 also shows Secure Boot State.

Is Secure Boot the same as BitLocker?

No. Secure Boot ensures the integrity of the boot chain; BitLocker encrypts your drive. They complement each other but are separate technologies.

Can I add my own Secure Boot keys?

Yes, some firmwares allow custom key enrollment (Custom mode), but incorrect key management can lock you out—only do this if you understand PK, KEK, db, and dbx concepts or under IT guidance.


Conclusion

Most cases where Secure Boot doesn’t work in Windows 10 are due to firmware settings (Secure Boot off, Legacy/CSM mode) or mismatches between UEFI, partition style, and signed boot components. Check Secure Boot status, enable UEFI and Secure Boot, convert MBR to GPT if needed, restore factory keys, update firmware, and handle BitLocker carefully to resolve the issue.

About the author

Jonathan Dudamel

I'm Jonathan Dudamel, an experienced IT specialist and network engineer passionate about all things Windows. I have deep expertise in Microsoft project management, virtualization (VMware ESXi and Hyper-V), and Microsoft’s hybrid platform. I'm also skilled with Microsoft O365, Azure ADDS, and Windows Server environments from 2003 through 2022.

My strengths include Microsoft network infrastructure, VMware platforms, CMMS, ERP systems, and server administration (2016/2022).