Secure Boot is enabled in BIOS, but Windows still says it is off

Trust the Windows reading first. The firmware screen can say Secure Boot is enabled, but Windows can still be booting in a mode where Secure Boot is not actually active. The common split is UEFI versus Legacy/CSM boot.

Before changing firmware settings, make sure you can get your BitLocker recovery key if BitLocker or Device Encryption is on. This is the step people skip, and it is the step that can turn a simple setting change into a locked-out PC.

1. Press Win + R, type msinfo32, and press Enter.
2. In System Summary, find BIOS Mode and Secure Boot State.
3. If BIOS Mode says Legacy, stop before changing boot mode or converting the disk. Windows may be installed in a boot layout that needs a planned MBR/GPT migration.
4. If BIOS Mode says UEFI and Secure Boot State is Off, enter firmware setup after checking BitLocker recovery access.
5. In firmware, look for CSM/Legacy Boot, Secure Boot, Secure Boot keys, and OS Type.
6. Disable CSM/Legacy, enable Secure Boot, and install default Secure Boot keys if the firmware offers that option.
7. Save, boot back into Windows, reopen msinfo32, and check the two lines again.

Read the result this way: Legacy BIOS Mode means Windows is not using the boot path Secure Boot needs. UEFI mode with Secure Boot Off usually points to firmware configuration, missing keys, the wrong OS Type, or a setting that did not save.

Do not clear TPM, change boot mode casually, convert the boot disk, or copy commands from random guides until you know whether Windows is Legacy or UEFI. Do not share recovery keys, firmware passwords, serial numbers, service tags, or full boot-device lists in public.

Stop here if BitLocker asks for a recovery key you do not have, the boot disk is MBR and Windows is installed in Legacy mode, the firmware settings do not save, or the PC fails to boot after a Secure Boot change.

Related Price2Click guide: /windows-secure-boot-certificates-expiring-2026/