You enabled Secure Boot in BIOS, saved the settings, rebooted — and it's off again. This is one of the most frustrating Secure Boot problems because it looks like the setting is saving, but it isn't actually sticking. There are five distinct causes, and each has a specific fix. Diagnose before you trial-and-error your way through them.
Why Would Secure Boot Keep Reverting?
Secure Boot state lives in NVRAM and depends on a clean UEFI environment. It will revert if any of the following are true: BIOS settings aren't truly being saved, the CMOS battery is dying, a CSM conflict is forcing a reset on each boot, unsigned hardware is resetting the state, or your BIOS firmware has a bug. Identify which one applies before trying fixes — fixing the wrong cause wastes time and can mask the real problem.
Cause 1 — CSM (Legacy Mode) Is Still Enabled
When CSM is enabled alongside Secure Boot, some motherboards will automatically disable or reset Secure Boot on each boot cycle because the two modes are fundamentally incompatible.
Fix:
- Enter BIOS and disable CSM / Legacy Support.
- Enable Secure Boot.
- Save changes (F10), reboot, then re-enter BIOS to verify both settings held.
Important: disabling CSM requires your system drive to be GPT. If your drive is still MBR, disabling CSM will cause a boot failure on the next restart. Confirm partition style in Disk Management before making this change.
Cause 2 — BIOS Is Not Actually Saving Settings
Some motherboards require you to exit specifically via "Save & Exit" — just pressing ESC or powering off doesn't write the changes to NVRAM. The BIOS shows your edits, but they never persist.
Fix:
- Always exit using the explicit Save & Exit option (typically F10).
- Check whether your board has a BIOS administrator password or BIOS lock set — these can silently block changes from being written even when the UI accepts them.
Cause 3 — Dead or Weak CMOS Battery
The CMOS battery is a flat coin-cell battery (usually CR2032) on the motherboard. It maintains BIOS settings — including Secure Boot state — when the system is unplugged from power. If it's dead or failing, the BIOS resets to factory defaults on every cold boot, which turns Secure Boot back off.
Fix: Replace the CMOS battery. They cost under $5 and take about a minute to swap on a desktop.
How to test: Unplug the PC for an hour, then boot. If the system clock has reset, fan curves have reverted, or boot order has changed — your CMOS battery is the problem.
Cause 4 — Connected Device or PCIe Card Is Unsigned
Older GPUs, add-in cards, or bootable USB devices with unsigned firmware can cause UEFI to drop Secure Boot state when it detects them at boot. The firmware sees an unsigned option ROM and refuses to keep Secure Boot enabled.
Fix:
- Unplug all non-essential USB devices and remove non-essential PCIe cards.
- Re-enable Secure Boot and reboot.
- If it holds, re-add devices one at a time until you find the one that triggers the reset.
Cause 5 — Outdated BIOS Firmware
Some early UEFI firmware versions had bugs where Secure Boot state didn't persist correctly. All three major brands — ASUS, MSI, and Gigabyte — have shipped firmware updates over the years specifically to address Secure Boot stability.
Fix:
- Look up your exact motherboard model on the manufacturer's website and check for a newer BIOS version.
- Read the release notes — look for entries mentioning Secure Boot, NVRAM, or UEFI stability.
- Flash with caution. Use a UPS on desktops. Never flash a laptop running on battery.
After Fixing — Verify Secure Boot Is Truly Enabled
- Press Win + R, type
msinfo32. Secure Boot State should read On. - Open PowerShell and run:
Confirm-SecureBootUEFI. It should return True. - If it returns False or an error, Secure Boot is not active despite what BIOS shows.
Still Reverting After All of This?
If none of the five causes apply, the problem is deeper. Corrupted Secure Boot certificates or a damaged EFI System Partition can cause UEFI to reject its own state and silently disable Secure Boot on every boot. This is not a BIOS toggle issue — it's a repair job that involves EFI partition reconstruction and certificate re-enrollment.
SecureBootFix handles this automatically: it detects the root cause and repairs the correct layer without manual registry edits or diskpart work. No guesswork, no risk of corrupting the partition during repair.
Wrapping Up
Most cases are solved by one of the five causes above — and the CMOS battery one catches people off guard every time. If you've worked through them all and Secure Boot is still reverting, the issue is at the EFI or certificate layer. That's exactly what the toolkit is for.