secure boot is enabled but not active

You're seeing "Secure Boot enabled but not active", meaning the Secure Boot toggle is turned on in the BIOS/UEFI setup menu, but the firmware is not actually enforcing signature checks on boot loaders: the UEFI SecureBoot variable reads 0, and that is what Windows (or your boot process) reports. This usually happens because the firmware is still in Setup Mode (no Platform Key enrolled), because CSM/Legacy boot is enabled, or because the platform keys are missing or corrupted. Here's a practical guide to diagnose and fix it safely.

What to check first

  • Boot mode vs. Secure Boot mode
    • Ensure the system is using UEFI boot mode, not Legacy/CSM. Secure Boot only applies to the UEFI boot path; if the OS was started through CSM, the firmware never runs the signature checks and Windows reports Secure Boot as off.
    • If your BIOS shows Secure Boot Mode as "Setup", Secure Boot isn't active: Setup Mode means no Platform Key (PK) is enrolled, and the UEFI specification does not allow enforcement in that state. Enrolling keys moves the firmware to "User" mode, which is the active state.
  • CSM (Compatibility Support Module)
    • Disable CSM so that only UEFI boot entries are used. After disabling it, recheck the Secure Boot status and save changes.
  • Platform keys
    • Secure Boot is only enforced once a PK is installed (normally together with the KEK, db and dbx databases that hold the vendor and Microsoft certificates). If the keys were cleared, are missing, or are corrupted, the firmware stays in Setup Mode and reports Secure Boot as enabled but not active.
  • TPM and Windows support
    • Windows 11 requires UEFI firmware with Secure Boot capability and TPM 2.0, and some Windows features and anti-cheat drivers check that Secure Boot is actually on. Verify TPM is enabled in BIOS and that Windows reports TPM 2.0 as present and ready.

What to do (step-by-step)

  • Enter BIOS/UEFI setup on startup (often Delete, F2, or F10 depending on the manufacturer).
  • Navigate to the Boot or Security/Authentication sections:
    • Check Boot Mode: switch to UEFI only (disable Legacy/CSM if present).
    • Secure Boot: open the Secure Boot options.
      • If Secure Boot Mode is set to Setup, change it to User (some firmware labels this Standard or Enabled); this is the active state.
      • If there is a "Key Management" or "Platform Key" option, ensure keys are installed; select "Default Settings", "Install Default Keys" or "Enroll All Factory Keys" if available. Avoid "Clear Keys" or "Delete PK", which puts the firmware back into Setup Mode.
  • Save changes and reboot.
  • In Windows, verify Secure Boot status:
    • Run the System Information tool (msinfo32) and look at Secure Boot State. It should say On, not Off or Unsupported. Also check that BIOS Mode says UEFI rather than Legacy.
    • If Windows still reports Off, re-enter the BIOS and recheck that Secure Boot is enabled and in User mode, then save and exit again.
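To take the guesswork out of the "enabled vs. active" distinction, here is a diagnostic script added to this answer (it is not from the original post); it reads the same firmware variables that msinfo32 reports. The cmdlets Confirm-SecureBootUEFI, Get-SecureBootUEFI, Get-Tpm, Get-Partition and Get-Disk are standard Windows PowerShell; the function name Get-SecureBootDiagnosis and the verdict logic at the end are this example's own. Run it from an elevated PowerShell prompt before and after changing the firmware settings.

```powershell
# Added diagnostic, not part of the original answer. Requires an elevated
# PowerShell prompt on Windows 8.1/10/11. Cmdlet names are real; the function
# name and the interpretation rules below are this example's own assumptions.
#Requires -RunAsAdministrator

function Get-SecureBootDiagnosis {
    $r = [ordered]@{}

    # Boot path: Windows exports the firmware type as an environment variable.
    $r.FirmwareType = $env:firmware_type            # "UEFI" or "Legacy"

    # What the firmware itself reports (the UEFI SecureBoot variable).
    # This is the value msinfo32 shows as "Secure Boot State: On/Off".
    # The cmdlet throws on a legacy-booted or non-UEFI system.
    try   { $r.SecureBootEnforced = Confirm-SecureBootUEFI }
    catch { $r.SecureBootEnforced = $null; $r.SecureBootError = $_.Exception.Message }

    # SetupMode = 1 means no Platform Key is enrolled; the firmware cannot
    # enforce Secure Boot in Setup Mode even if the menu toggle says Enabled.
    try   { $r.SetupMode = [int](Get-SecureBootUEFI -Name SetupMode).Bytes[0] }
    catch { $r.SetupMode = $null }

    # Is a PK present at all? Get-SecureBootUEFI throws if the variable is absent.
    try   { $r.PlatformKeyPresent = (Get-SecureBootUEFI -Name PK).Bytes.Length -gt 0 }
    catch { $r.PlatformKeyPresent = $false }

    # TPM presence, readiness and spec version (Windows 11 wants 2.0).
    try {
        $tpm = Get-Tpm
        $r.TpmPresent = $tpm.TpmPresent
        $r.TpmReady   = $tpm.TpmReady
        $r.TpmSpec    = (Get-CimInstance -Namespace root/cimv2/security/microsofttpm `
                             -ClassName Win32_Tpm).SpecVersion
    } catch { $r.TpmPresent = $false }

    # Partition style of the system disk: the UEFI boot path needs GPT.
    $sysLetter = $env:SystemDrive.TrimEnd(':')
    $diskNum   = (Get-Partition -DriveLetter $sysLetter).DiskNumber
    $r.SystemDiskStyle = (Get-Disk -Number $diskNum).PartitionStyle

    # Map the raw facts to the most likely cause, most fundamental first.
    if ($r.FirmwareType -ne 'UEFI') {
        $r.Verdict = 'Booted via Legacy/CSM: disable CSM and boot in UEFI mode'
    } elseif ($r.SystemDiskStyle -ne 'GPT') {
        $r.Verdict = 'System disk is MBR: convert with mbr2gpt before switching to UEFI-only'
    } elseif ($r.SetupMode -eq 1 -or -not $r.PlatformKeyPresent) {
        $r.Verdict = 'Firmware is in Setup Mode (no PK): enroll the default/factory keys'
    } elseif ($r.SecureBootEnforced -eq $true) {
        $r.Verdict = 'Secure Boot is enforced (msinfo32 will say On)'
    } else {
        $r.Verdict = 'Not enforced despite keys and UEFI: re-check the toggle and update the firmware'
    }
    [pscustomobject]$r
}

Get-SecureBootDiagnosis | Format-List
```

A healthy system prints FirmwareType UEFI, SetupMode 0, PlatformKeyPresent True and SecureBootEnforced True. The "enabled but not active" case typically shows SetupMode 1 with SecureBootEnforced False, which is the firmware telling you it has no PK to enforce with.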

Common pitfalls and notes

  • Some laptops/boards need a firmware update to support Secure Boot reliably with the current Windows version (or to carry an updated dbx revocation list). Check the manufacturer's support site for a recent firmware update.
  • If Windows was installed with Legacy/CSM enabled, the system disk is MBR and Windows boots through the legacy boot path, so switching to UEFI-only afterwards leaves it unbootable. Convert the disk with the built-in mbr2gpt tool (Windows 10 version 1703 and later) before changing the boot mode, or reinstall Windows while booted in UEFI mode.
  • If you still cannot get Secure Boot to On, contact the device manufacturer or consult the BIOS manual for model-specific steps, as implementations vary.

When to seek additional help

  • If changing Secure Boot settings requires a step you cannot easily undo (e.g. clearing or replacing keys, reconfiguring boot modes) and you're unsure, contact the device manufacturer's support.
  • If you use disk encryption (e.g. BitLocker) or anti-cheat software, be aware that switching CSM or Secure Boot changes the TPM measurements (PCR 7 on Secure Boot systems) that the BitLocker TPM protector is sealed to, so Windows will prompt for the recovery key on the next boot unless you suspend BitLocker first. Have the recovery key available before touching these settings. Anti-cheat software that checks Secure Boot needs it properly on, not just enabled in the menu.
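Because a BitLocker recovery prompt or an unbootable MBR disk are the two ways this procedure goes wrong, here is a pre-change checklist script, added to this answer and not from the original post. Get-BitLockerVolume, Suspend-BitLocker, Get-Disk and mbr2gpt.exe are the real Windows tools; the function name Invoke-PreFirmwareChangeChecks and the DiskNumber parameter are this example's own. Run it elevated, immediately before rebooting into the BIOS.

```powershell
# Added pre-change checklist, not part of the original answer. Requires an
# elevated prompt. The function name and DiskNumber parameter are assumptions
# made for this example; the cmdlets and mbr2gpt.exe are real Windows tools.
#Requires -RunAsAdministrator

function Invoke-PreFirmwareChangeChecks {
    param([int]$DiskNumber = 0)   # assumed: disk 0 holds the Windows installation

    # 1. BitLocker: suspend for one reboot so the changed PCR 7 measurement
    #    does not trigger a recovery prompt. The volume stays encrypted; the
    #    TPM protector is simply not enforced until the next boot completes.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        if ($vol.ProtectionStatus -eq 'On') {
            # Print the recovery key IDs so the matching 48-digit password can
            # be located (AD, Entra ID, Microsoft account, printout) beforehand.
            $vol.KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                ForEach-Object { "Recovery key ID: $($_.KeyProtectorId)" }

            Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
            "BitLocker suspended for one reboot on $env:SystemDrive"
        } else {
            "BitLocker protection is off on $env:SystemDrive; nothing to suspend"
        }
    } catch {
        "BitLocker cmdlets unavailable: $($_.Exception.Message)"
    }

    # 2. Disk layout: dry-run the MBR->GPT conversion. Exit code 0 means
    #    mbr2gpt can convert in place; anything else means fix the layout
    #    (or reinstall) before switching the firmware to UEFI-only.
    $style = (Get-Disk -Number $DiskNumber).PartitionStyle
    if ($style -eq 'MBR') {
        & "$env:SystemRoot\System32\mbr2gpt.exe" /validate /disk:$DiskNumber /allowFullOS
        if ($LASTEXITCODE -eq 0) {
            "Disk $DiskNumber validates; convert with: mbr2gpt /convert /disk:$DiskNumber /allowFullOS"
        } else {
            "mbr2gpt validation failed (exit $LASTEXITCODE); see $env:SystemRoot\setupact.log"
        }
    } else {
        "Disk $DiskNumber is already $style; no conversion needed"
    }
}

Invoke-PreFirmwareChangeChecks -DiskNumber 0
```

Run the conversion (/convert) only after /validate succeeds, and only then change CSM and Secure Boot in the firmware; if you change the boot mode on an MBR disk first, Windows will not start at all rather than just showing Secure Boot as Off.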

Direct answer
To resolve Secure Boot being enabled but not active, ensure the system boots in pure UEFI mode (disable CSM/Legacy boot), set Secure Boot to User mode (not Setup), and confirm the platform keys are installed. After saving the BIOS changes, verify in Windows that Secure Boot State is On in the System Information tool. If the status remains Off, update the BIOS/firmware and re-check, or contact the device manufacturer for model-specific guidance. Suspend BitLocker and keep the recovery key at hand before changing any of these settings.
