Hi Dr. James Parker,
Regarding your concern about the "red flag," you can generally rest easy. While it is true that pre-built systems from major manufacturers (like Dell, HP, or Lenovo) are required by Microsoft to ship with Secure Boot enabled, custom-built PCs behave differently. Motherboard manufacturers often ship boards with Secure Boot disabled or in "Setup Mode" by default to maximize compatibility with a wide range of hardware, older graphics cards, and operating systems during the initial build process. It is likely your builder simply installed Windows and verified stability without taking the final step to lock down the boot process. It is less a sign of malice and more a sign of a standard, compatibility-first assembly process.
However, before you attempt to enable it, we must verify a critical prerequisite to prevent your system from becoming unbootable. Secure Boot strictly requires the UEFI boot mode and a GPT partition style hard drive. If your builder installed Windows in "Legacy" or "CSM" mode, enabling Secure Boot now will stop Windows from loading. To check this, press Windows + R, type msinfo32, and press Enter. Look for the line BIOS Mode. If it says UEFI, you are safe to proceed. If it says Legacy, do not enable Secure Boot yet; you would first need to convert your drive using the MBR2GPT tool, or Windows will fail to start.
Assuming your BIOS Mode confirms "UEFI," you can enable Secure Boot by restarting your computer and pressing the setup key (usually Del or F2) to enter the BIOS menu. Navigate to the Boot, Security, or Windows OS Configuration tab (this varies by motherboard brand like ASUS, MSI, or Gigabyte). You first need to find a setting called CSM (Compatibility Support Module) and ensure it is set to Disabled. Secure Boot cannot be active while CSM is enabled.
Once CSM is disabled, locate the Secure Boot option. If you toggle it to "Enabled" but it immediately reverts to "Disabled," or if the system reports it is in "Setup Mode," you need to load the factory encryption keys. Look for an option explicitly named Restore Factory Keys, Install Default Secure Boot Keys, or Change to User Mode. After installing these keys, the Secure Boot status should successfully switch to "Enabled." Save your changes (usually F10) and reboot.
I hope you've found something useful here. If it helps you get more insight into the issue, accepting the answer is appreciated. Should you have more questions, feel free to leave a message. Have a nice day!
VP
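
The prerequisite checks described in the answer above (UEFI boot mode, GPT system disk, current Secure Boot and Setup Mode state) can also be read from an elevated PowerShell prompt before touching the firmware menu. This is an added example, not part of the original answer; `Test-SecureBootReadiness` is a hypothetical helper name, and the script only reads state and changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only pre-flight check, run in Windows before changing firmware settings.
# Test-SecureBootReadiness is a hypothetical helper name, not a built-in cmdlet.

function Test-SecureBootReadiness {
    $r = [ordered]@{
        FirmwareType   = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
        DiskNumber     = $null
        PartitionStyle = $null
        SecureBoot     = 'Unknown'
        SetupMode      = 'Unknown'
        Advice         = $null
    }

    # Disk that holds the system (EFI) or boot (Windows) partition.
    $disk = Get-Disk | Where-Object { $_.IsSystem -or $_.IsBoot } | Select-Object -First 1
    if ($disk) {
        $r.DiskNumber     = $disk.Number
        $r.PartitionStyle = [string]$disk.PartitionStyle
    }

    try {
        # Both cmdlets fail on a Legacy/CSM boot, so a failure here is itself a finding.
        $enabled      = Confirm-SecureBootUEFI -ErrorAction Stop
        $r.SecureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
        $setup        = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
        $r.SetupMode  = if ($setup.Bytes[0] -eq 1) { 'Yes' } else { 'No' }
    } catch {
        $r.SecureBoot = "Unavailable: $($_.Exception.Message)"
    }

    $uefiGpt = ("$($r.FirmwareType)" -eq 'Uefi') -and ($r.PartitionStyle -eq 'GPT')
    $r.Advice = if (-not $uefiGpt) {
        "Do not enable Secure Boot yet. Check the disk first: mbr2gpt /validate /disk:$($r.DiskNumber) /allowFullOS"
    } elseif ($r.SecureBoot -eq 'Enabled') {
        'Secure Boot is already on.'
    } elseif ($r.SetupMode -eq 'Yes') {
        'UEFI + GPT, firmware in Setup Mode: install the default keys, then enable Secure Boot.'
    } else {
        'UEFI + GPT: disable CSM, then enable Secure Boot in firmware setup.'
    }

    [pscustomobject]$r
}

Test-SecureBootReadiness | Format-List
```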