
secure boot can be enabled when in user mode

“Secure boot can be enabled when system is in user mode” is a UEFI/BIOS message that means Secure Boot is not yet fully configured and your firmware is still in Setup Mode, not User Mode.

What the message really means

  • Secure Boot has two states in firmware:
    • Setup Mode: No Platform Key (PK) is enrolled, Secure Boot is effectively off.
    • User Mode: A Platform Key is enrolled, so Secure Boot can actually be turned on.
  • The message is telling you: “Enroll a Platform Key (PK) first; only then can Secure Boot be enabled.”

Key concepts in simple terms

  • Secure Boot: A UEFI feature that only lets signed, trusted bootloaders and OS components run at startup, blocking unknown or tampered code.
  • Platform Key (PK):
    • A special signature stored in firmware that tells the system which authority to trust at boot.
    • Once enrolled, firmware switches from Setup Mode → User Mode automatically.
  • Setup vs User Mode:
    • Setup Mode: Configuration phase, keys not set, Secure Boot disabled.
    • User Mode: Keys present, Secure Boot can be enabled and enforced.

How to actually fix it (high‑level steps)

Exact names/paths differ slightly between ASUS, MSI, Gigabyte, Lenovo, etc., but the logic is the same on all: get out of Setup Mode by loading/enrolling keys, then enable Secure Boot.

  1. Enter UEFI/BIOS
    • Restart and press your vendor key (often Del, F2, F10, Esc) to open firmware setup.
  2. Find Secure Boot settings
    • Usually under: Security, Boot, or Authentication menus.
  3. Switch Secure Boot mode to “Custom” (if available)
    • Many boards show “Standard/Default” vs “Custom”; pick Custom so key options appear.
  4. Enroll or load keys (critical step)
    • Look for something like:
      • “Enroll Platform Key (PK)”
      • “Load default Secure Boot keys”
      • “Enroll all factory default keys”
    • Confirm to enroll/load the default keys from the motherboard/PC vendor.
    • Once done, the system moves from Setup Mode → User Mode.
  5. Enable Secure Boot
    • Now change Secure Boot to Enabled.
    • Optionally switch mode back from Custom → Standard if the firmware recommends it.
  6. Save & reboot
    • Save changes and restart. The error should disappear; Secure Boot should show as Enabled and “User Mode” in information screens.
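
After the reboot, the Setup Mode / User Mode state can also be confirmed from a running OS instead of the firmware information screen. The following is an added example, not part of the original page: it reads the standard UEFI SetupMode, SecureBoot and PK variables and classifies the result. It assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars; the function names and the sample data are constructed for illustration.

```python
import os
import tempfile

# EFI global variable GUID defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"  # assumed efivarfs mount point (Linux)


def read_var(name, root=EFIVARS):
    """Return the variable's data bytes, or None if it is absent or empty.

    efivarfs prefixes every file with a 4-byte attribute field; strip it.
    """
    path = os.path.join(root, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    return raw[4:] if len(raw) > 4 else None


def secure_boot_state(root=EFIVARS):
    """Classify firmware state from the SetupMode, SecureBoot and PK variables."""
    setup = read_var("SetupMode", root)
    sboot = read_var("SecureBoot", root)
    pk = read_var("PK", root)
    if setup is None:
        return "unknown"         # not a UEFI boot, or efivarfs not mounted
    if setup[0] == 1 or pk is None:
        return "setup-mode"      # no Platform Key enrolled yet
    if sboot is not None and sboot[0] == 1:
        return "user-mode/enabled"
    return "user-mode/disabled"  # PK enrolled, Secure Boot still switched off


def make_sample(setup, sboot, pk):
    """Build a constructed efivarfs-like directory so the check runs offline."""
    root = tempfile.mkdtemp()
    attrs = b"\x06\x00\x00\x00"  # constructed attribute prefix
    for name, data in (("SetupMode", setup), ("SecureBoot", sboot), ("PK", pk)):
        if data is not None:
            with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
                fh.write(attrs + data)
    return root


if __name__ == "__main__":
    print(secure_boot_state())
```

A result of "user-mode/disabled" corresponds to the point between steps 4 and 5: keys are enrolled, but Secure Boot itself has not been switched to Enabled.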

Why games and Windows sometimes “force” this

  • Some anti‑cheat systems and modern Windows security baselines expect Secure Boot to be active, so players see this message when trying to comply for games like Valorant or certain EAC titles.
  • Modern Windows UEFI installs (especially on TPM‑equipped systems) are designed to work well with Secure Boot enabled to reduce rootkits and boot‑level malware.

Quick FAQ style notes

  • Can this be done from Windows only?
    No. Switching from Setup Mode to User Mode and enrolling the PK is done in firmware setup, not from inside Windows.
  • What if the options look different?
    Vendor wording changes, but you are always looking for:
    • Secure Boot menu.
    • A way to load or enroll default keys (PK/KEK/DB, often “factory defaults”).
  • Is it safe to “Load default keys”?
    On an unmodified consumer board running a normal Windows or mainstream Linux install, loading factory default Secure Boot keys is the standard, expected action to enable Secure Boot.

TL;DR: The message means your firmware is still in Setup Mode with no Platform Key. Enter BIOS, go to Secure Boot, load/enroll default keys (PK) so the system switches to User Mode, then enable Secure Boot and save.
