Hi Dr. James Parker,

Regarding your concern about the "red flag," you can generally rest easy. While it is true that pre-built systems from major manufacturers (like Dell, HP, or Lenovo) are required by Microsoft to ship with Secure Boot enabled, custom-built PCs behave differently. Motherboard manufacturers often ship boards with Secure Boot disabled or in "Setup Mode" by default to maximize compatibility with a wide range of hardware, older graphics cards, and operating systems during the initial build process. It is likely your builder simply installed Windows and verified stability without taking the final step to lock down the boot process. It is less a sign of malice and more a sign of a standard, compatibility-first assembly process.

However, before you attempt to enable it, we must verify a critical prerequisite to prevent your system from becoming unbootable. Secure Boot strictly requires the UEFI boot mode and a GPT partition style hard drive. If your builder installed Windows in "Legacy" or "CSM" mode, enabling Secure Boot now will stop Windows from loading. To check this, press Windows + R, type msinfo32, and press Enter. Look for the line BIOS Mode. If it says UEFI, you are safe to proceed. If it says Legacy, do not enable Secure Boot yet; you would first need to convert your drive using the MBR2GPT tool, or Windows will fail to start.

Assuming your BIOS Mode confirms "UEFI," you can enable Secure Boot by restarting your computer and pressing the setup key (usually Del or F2) to enter the BIOS menu. Navigate to the Boot, Security, or Windows OS Configuration tab (this varies by motherboard brand like ASUS, MSI, or Gigabyte). You first need to find a setting called CSM (Compatibility Support Module) and ensure it is set to Disabled. Secure Boot cannot be active while CSM is enabled.

Once CSM is disabled, locate the Secure Boot option. If you toggle it to "Enabled" but it immediately reverts to "Disabled," or if the system reports it is in "Setup Mode," you need to load the factory encryption keys. Look for an option explicitly named Restore Factory Keys, Install Default Secure Boot Keys, or Change to User Mode. After installing these keys, the Secure Boot status should successfully switch to "Enabled." Save your changes (usually F10) and reboot.

I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

VP

You need to set Platform in "User Mode", Secure Boot in "Standard Mode" and Load Setup Defaults.

You could do it by Restoring Factory Keys:

1. BIOS - Security - Secure Boot - Restore Factory Keys - Enter
2. BIOS - Restart - OS Optimized Defaults - Enabled
3. BIOS - Restart - Load Setup Defaults - Enter
4. Go to BIOS - Main and check if UEFI Secure Boot is ON.

There are requirements to be met before you can try and change Secure Boot Status to Enabled. Before you begin, though, double check if you have the latest BIOS version.

Then your fight begins. First, you need to switch Platform Mode (one of the settings in your screenshot) to User mode. To do that you have to follow these steps:

1. Set Administrator Password (you can clear that password afterwards)
2. Clear Factory Keys (using the option in BIOS), then restart.

If Platform mode will not change, then you have to

3. clear keys in Windows (by running tpm.msc command)

If it didn't change still, then skip to the last paragraph. If it is now in User mode, but Secure boot is still disabled, then continue:

3. Re-set Secure Boot to enabled (that is: switch to Disabled, restart, get back to BIOS and set it to Enabled again).

If nothing works, then you need to make warranty claim - unfortunately this is quite common Lenovo issue, that allegedly is linked to poor manufacturing process and quality control.