Secure Boot can be enabled when system in User Mode. Repeat operation after enrolling Platform Key


The message "Secure Boot can be enabled when system in User Mode. Repeat operation after enrolling Platform Key (PK)" means that your system is currently in Setup Mode, where Secure Boot is disabled because no Platform Key is installed. To enable Secure Boot, you need to enroll the Platform Key in the BIOS, which switches the system from Setup Mode to User Mode and allows Secure Boot to be enabled. Here are the general steps to resolve this:

  1. Enter your BIOS/UEFI settings during system startup (by pressing keys like Del, F2, or Esc depending on your motherboard).
  2. Navigate to the Security or Boot tab.
  3. Disable CSM (Compatibility Support Module) if enabled, as Secure Boot usually requires CSM to be disabled.
  4. Look for Secure Boot settings, then set Secure Boot Mode to Custom.
  5. Find a Key Management option and enroll the Platform Key (often via "Enroll all factory default keys" or "Install Default Secure Boot Keys").
  6. Confirm the enrollment, after which your system will switch to User Mode.
  7. Set Secure Boot to Enabled.
  8. Save and exit BIOS, then reboot.

After enrolling the Platform Key, repeat the action to enable Secure Boot. The system will now trust only signed bootloaders, protecting against unauthorized software at startup. This process is necessary because Secure Boot relies on cryptographic keys stored in firmware to validate the integrity of the bootloader, and the Platform Key is the foundation key that establishes this trust. If you try to enable Secure Boot before enrolling the Platform Key, the system remains in Setup Mode and Secure Boot cannot be enabled until the key is enrolled. This explanation and procedure apply broadly across different motherboard brands like ASRock, MSI, Gigabyte, and NZXT, though exact BIOS menu names can vary slightly.
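
One way to confirm from a running Linux system that the steps above took effect (an added example, not part of the original answer): the firmware exposes the `SetupMode` and `SecureBoot` variables, and reading them distinguishes Setup Mode from User Mode with Secure Boot off or on. It assumes efivarfs is mounted at `/sys/firmware/efi/efivars`; the function names and the sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032bf2"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point

def read_flag(efivars, name):
    """Return the first data byte of a global UEFI variable, or None if absent."""
    try:
        raw = (Path(efivars) / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None
    # efivarfs layout: 4-byte little-endian attribute mask, then the payload
    return raw[4] if len(raw) >= 5 else None

def secure_boot_state(efivars=EFIVARS):
    """Classify the firmware state from the SetupMode and SecureBoot variables."""
    setup_mode = read_flag(efivars, "SetupMode")
    secure_boot = read_flag(efivars, "SecureBoot")
    if setup_mode is None or secure_boot is None:
        return "unknown"            # legacy/CSM boot or efivarfs not mounted
    if setup_mode == 1:
        return "setup-mode"         # no Platform Key enrolled
    if secure_boot == 1:
        return "user-mode-enabled"
    return "user-mode-disabled"     # PK enrolled, Secure Boot still off

def write_sample(directory, setup_mode, secure_boot):
    """Write constructed SetupMode/SecureBoot files for offline testing."""
    attrs = (0x06).to_bytes(4, "little")  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    for name, value in (("SetupMode", setup_mode), ("SecureBoot", secure_boot)):
        path = Path(directory) / f"{name}-{EFI_GLOBAL}"
        path.write_bytes(attrs + bytes([value]))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # constructed sample
        write_sample(tmp, setup_mode=1, secure_boot=0)
        print("sample before enrolling PK:", secure_boot_state(tmp))
        write_sample(tmp, setup_mode=0, secure_boot=1)
        print("sample after steps 5-8:   ", secure_boot_state(tmp))
    print("this machine:", secure_boot_state())
```

A result of `user-mode-disabled` means the key enrollment in step 5 succeeded but step 7 was skipped or did not persist; `unknown` typically means the system booted through CSM/legacy mode.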