- Secure Boot protects the boot process by loading only signed software; disabling it does not harm the hardware, but it reduces pre-boot security.
- Disabling it may be necessary for Linux/Batocera or older Windows versions; re-enable it afterwards if you use Windows 10/11.
- In Windows 11, UEFI, TPM 2.0 and Secure Boot are key; after updating or resetting the BIOS you may need to re-enable them.
- If Secure Boot is listed as Not Active, restore the factory keys from the UEFI (Key Management) and save with F10.
If you're wondering what happens when you disable Secure Boot, it is probably because you encountered a warning when trying to boot from a USB drive with a Linux distro, Batocera or another unsigned system. Don't worry: it's a very common question and there's an explanation. Here you'll find out exactly what this feature is, when it's best to turn it off, how to do it step by step, and what real implications it has for security, compatibility, and startup.
You'll also see practical examples such as installing Linux, Batocera, or older Windows systems, as well as what you should know if you have Windows 11: UEFI, Secure Boot and TPM 2.0 go hand in hand. We also review typical situations in ASUS BIOS/UEFI and how to fix the Secure Boot Not Active status by restoring the factory keys.
What is Secure Boot and why does it exist?
Secure Boot is a feature of UEFI firmware that allows the computer to run only signed and trusted software during startup. This trust is typically backed by manufacturer keys and, on Windows PCs, by Microsoft. Its purpose is to prevent bootkits, rootkits, or modified loaders from loading before the operating system.
With the arrival of UEFI in the Windows 8 era, Secure Boot became a pillar of the boot chain. This check, which runs before the operating system itself, has been especially useful against persistent malware that embeds itself in the startup process, but it brought a consequence: if something is not signed with the keys accepted by the firmware, it does not start.
How does this affect Linux and other systems? For years it was a headache, because many distributions lacked bootloaders signed by Microsoft. Today, several distributions, such as 64-bit Ubuntu, include a signed shim/GRUB and are compatible; however, not all are, and on some systems boots are still blocked if the keys or firmware mode don't match.
There is another important nuance: with Windows 10, Microsoft stopped requiring manufacturers to make Secure Boot disableable. This means that, depending on the device, you may be able to turn it off, or you may not. It depends on your motherboard or laptop, and on what the OEM has decided in its UEFI settings.
What happens if you disable Secure Boot?
First of all: you won't damage the hardware or "break" the system by disabling it. It's a firmware setting. Disabling Secure Boot reduces boot protection, but it doesn't make any physical changes or degrade components. The impact is on security: you lose the barrier that prevents unverified software from booting.
That said, disabling it may be necessary and legitimate in various scenarios, for example to boot unsigned systems (Batocera, some Linux distributions, diagnostic tools) or when trying to use older versions of Windows that are not compatible with Secure Boot.
In the real world it happens a lot: you try to start Batocera from USB and you get an ugly Secure Boot message. Turning off Secure Boot usually allows the USB drive to boot and lets you try or install the system without that restriction. However, it's advisable to re-enable it when you're finished if you're going to use Windows as your main operating system.
Remember that Secure Boot is not a substitute for antivirus software or good practices. It's a boot integrity check. Disabling it doesn't automatically expose you to disaster, but it opens a window that low-level malware could exploit if your computer is compromised.
When is it appropriate to keep it activated?
If you use Windows 10 or 11 as your main system and don't need alternative tools or systems, the sensible thing to do is to leave Secure Boot enabled. It's an extra layer against threats that manipulate the boot process, helps with the stability of the boot chain, and shouldn't interfere with your day-to-day operations.
It is also preferable to keep it active on managed or sensitive equipment (office automation, work, study) where the priority is to ensure the integrity of the startup and compliance with the manufacturer's or organization's security requirements.
How to disable Secure Boot (two ways)
The setting is in the UEFI/BIOS. You can access it from Windows or with a key at startup. The exact route varies depending on the manufacturer, but there are common patterns.
Direct UEFI/BIOS access with a key: When you turn on your PC, press the key indicated on the startup screen. It's usually F1, F2, F12, or Esc, and on some older desktop computers, it's Delete. If startup is too quick, try several times or enable POST delay in the settings.
From Windows (Advanced Startup): Go to Settings > Update & Security > Recovery and select Restart now under Advanced startup. After restarting, choose Troubleshoot > Advanced options > UEFI Firmware Settings. Accept to restart again and you will enter the UEFI.
Once inside the UEFI, locate Secure Boot. It's usually found in tabs like Security, Boot, or Authentication. Select Secure Boot and change the value from Enabled to Disabled. Save and exit (usually with F10) to apply the changes and restart.
Important note: If you use BitLocker or Device Encryption, the drive may ask for the recovery key on the next startup after you change boot options. Have your recovery key handy before touching these settings, and see our guide to diagnosing startup problems so you don't get stuck.
Specific notes for ASUS motherboards and laptops
On many ASUS computers, you enter the UEFI with F2 while powering on, then press F7 for Advanced Mode. Look for Security > Secure Boot and enter Secure Boot Control. There you can set it to Enabled or Disabled. Save with F10 and restart for the changes to take effect.
On some ASUS desktops, the option appears as OS Type: Windows UEFI mode (enables Secure Boot) or Other OS mode (disables it). If you switch between these modes, the Secure Boot status changes accordingly, so you should save and exit for the changes to take effect.
If you see Secure Boot Not Active, enable Secure Boot Control and restore the factory keys. On laptops and AIOs, you can go to Key Management, choose Reset To Setup Mode and then Restore Factory Keys. On desktop computers, you sometimes need to set Secure Boot Mode to Custom, clear the keys (Clear Secure Boot Keys) and install the default ones (Install Default Secure Boot Keys).
In the MyASUS interface in UEFI, the steps are very similar: enable Secure Boot Control, enter Key Management, press Reset to Setup Mode, and then Restore Factory Keys. Save changes with F10 to activate them after restarting.
How to re-enable Secure Boot
If you disabled it to install a graphics card, operating system, or tool, you can re-enable it by following the same path until you reach the Secure Boot setting. Switch to Enabled and save with F10.
On some devices, to re-enable it you will need to select Custom mode and load the keys provided by the manufacturer. If you can't enable it, try resetting the UEFI to factory settings and repeat the activation.
If the computer does not start after enabling Secure Boot, go back to the UEFI and temporarily disable it. This usually indicates that the system you are trying to start is not signed or that a trusted key is missing from the UEFI database. If the problem persists, see how to repair the boot process with Bootrec.
Linux, dual booting, and the Batocera case
With Linux, the situation has improved: some modern distributions support Secure Boot and boot without any modifications (for example, Ubuntu 64-bit with a signed shim). However, other unsigned distributions or tools remain blocked, and that's where disabling Secure Boot makes things much easier.
Batocera, focused on retro-gaming, usually boots from USB. If you see the Secure Boot message and error screen when trying to boot, disabling this feature will allow you to try or install it. This isn't unusual or bad: it simply means the bootloader isn't signed with keys that your UEFI recognizes.
Lasting consequences? There are no permanent effects on the hardware or software. It's a boot policy switch. Just remember to re-enable it if you return to your usual Windows installation and want to restore that pre-boot protection layer.
On devices where the manufacturer does not allow it to be disabled, consider using distributions that support Secure Boot, or check whether the OEM offers firmware updates with updated keys that add support for more bootloaders.
Windows 7: nostalgia yes, but with nuances
Many people try to install Windows 7 out of nostalgia and run into blue screens or restarts. If you need to start in safe mode, that guide might help, but disabling Secure Boot is almost essential to even try, because Windows 7 was designed for BIOS/Legacy and not for modern Secure Boot. However, disabling the boot lock doesn't guarantee that you'll avoid blue screens.
Why? Drivers and support. Windows 7 reached its end of support in January 2020. Modern hardware lacks native drivers (USB 3.0, NVMe, recent chipsets), which can lead to installation errors or instability. Furthermore, its security is inferior and it no longer receives patches.
If you still try, you may need to enable CSM/legacy compatibility, prepare a USB drive with injected drivers, and even format the disk as MBR. None of this is recommended on a primary computer: it complicates startup and compromises modern security features.
Therefore, the reasonable recommendation is to use Windows 10 or 11. If your goal is simply to run classic software, consider a virtual machine or compatibility mode on a supported system.
Windows 11: UEFI, Secure Boot and TPM 2.0
Windows 11 requires UEFI, TPM 2.0 and Secure Boot support. After updating or resetting your BIOS, UEFI mode, Secure Boot, or the fTPM/AMD PSP TPM may be disabled, and you have to re-enable them manually. It's not uncommon for the default settings to leave them disabled, even in BIOSes that support Windows 11.
Will Windows 11 start if they are disabled? It can start if it was already installed. However, you'll fall outside the security requirements and could encounter issues with some updates or validations. Ideally, you should re-enable UEFI (booting without CSM), Secure Boot, and TPM 2.0 in the UEFI.
If you switch to pure UEFI and the computer stops finding Windows, your disk might still be in MBR format. You can convert it to GPT without formatting using the Microsoft tool mbr2gpt. First, validate it as follows: mbr2gpt /validate /disk:0 /allowfullOS. If the validation is successful, perform the conversion using the corresponding command and reboot into UEFI mode. For boot conversion and repair instructions, see how to analyze and repair the startup.
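The validation step above can be run against the detected Windows disk instead of a hard-coded disk number. The script below is an added example, not part of the original article; it only validates and modifies nothing, and it assumes an elevated PowerShell session on the installed Windows system.

```powershell
#Requires -RunAsAdministrator
# Added example: validation only, nothing on the disk is modified.

# Disk that holds the running Windows installation
$disk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
if (-not $disk) { throw 'Could not identify the Windows boot disk.' }

if ($disk.PartitionStyle -eq 'GPT') {
    Write-Output "Disk $($disk.Number) is already GPT; no conversion is needed."
    return
}
if ($disk.PartitionStyle -ne 'MBR') {
    throw "Disk $($disk.Number) has unexpected partition style '$($disk.PartitionStyle)'."
}

# An encrypted system volume can ask for its recovery key after boot changes
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($blv -and $blv.ProtectionStatus -eq 'On') {
    Write-Warning 'BitLocker protection is on: locate the recovery key before changing anything.'
}

# Same validation command as in the text, using the detected disk number
& mbr2gpt.exe /validate "/disk:$($disk.Number)" /allowFullOS
if ($LASTEXITCODE -eq 0) {
    Write-Output "Validation passed for disk $($disk.Number)."
} else {
    Write-Warning "Validation failed (exit code $LASTEXITCODE); leave the disk as MBR and review the tool's output."
}
```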
Keep in mind that enabling CSM usually disables Secure Boot and may require MBR and reinstallation. Avoid mixing CSM with Windows 11: rely on UEFI, GPT, and TPM to maintain compatibility and security.
BitLocker and other warnings when touching the UEFI
If your disk is encrypted, modifying boot options may trigger the BitLocker or Device Encryption recovery screen. Make sure you have located your key in your Microsoft account or on the corporate portal before changing anything.
Some manufacturers update the trusted key database with new firmware versions. Keep your UEFI up to date to expand compatibility and reduce Secure Boot warnings with legitimate, signed software.
Solution: Secure Boot appears as Not Active
If you see the status as Not Active even though you have it enabled, restore the Secure Boot keys from the UEFI. The typical procedure is to go to Security > Secure Boot > Key Management and use Reset To Setup Mode followed by Restore Factory Keys. Save and restart.
On desktops with advanced options, use Custom mode to clear and install the default keys: Clear Secure Boot Keys and then Install Default Secure Boot Keys. After that, switch back to Standard mode if it exists, enable Secure Boot, and save changes.
What if I can't find the option or it won't let me disable it?
As mentioned, some devices do not expose the switch to disable Secure Boot, or hide it depending on the firmware mode. Try switching between Simple/Advanced modes (F7 on many ASUS devices) and check Security/Boot/Authentication.
If it doesn't appear at all, it's possible the manufacturer has blocked it. In that case, you will only be able to use compatible systems signed with the keys present; contact OEM support to confirm whether there is an alternative firmware that allows it.
Compatibility with graphics cards and other devices
There are scenarios in which installing certain GPUs or hardware may force Secure Boot to be disabled temporarily. If your device doesn't boot with Secure Boot enabled after the change, try disabling it, installing the device, and then re-enabling it to see if everything works.
Remember that some third-party diagnostic or installation utilities are also unsigned and will be blocked by Secure Boot. Booting from USB with these tools usually requires temporarily disabling Secure Boot.
Good practices to avoid confusion
Before you touch anything, note the current status of UEFI/CSM, Secure Boot, and TPM. Take photos of the settings with your mobile phone if necessary: this will help you revert changes if something doesn't go as planned.
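The same baseline can be recorded from Windows before rebooting into the UEFI. The script below is an added example, not part of the original article; the output file name is a hypothetical choice, and it assumes an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: record the pre-change boot security state for later comparison.
$OutFile = Join-Path $env:USERPROFILE 'boot-state-before.json'   # hypothetical path

# Firmware mode as Windows booted: 'Uefi' or 'Bios' (legacy/CSM)
$firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

# Confirm-SecureBootUEFI returns $true/$false and throws on legacy boots
try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = "Unavailable: $($_.Exception.Message)" }

$tpm  = Get-Tpm
$disk = Get-Disk | Where-Object IsBoot | Select-Object -First 1

# BitLocker state of the system drive and whether a recovery password exists
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$hasRecovery = [bool]($blv.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

$state = [ordered]@{
    Taken               = (Get-Date).ToString('s')
    FirmwareType        = [string]$firmware
    SecureBoot          = $secureBoot
    TpmPresent          = $tpm.TpmPresent
    TpmReady            = $tpm.TpmReady
    BootDiskNumber      = $disk.Number
    BootDiskStyle       = [string]$disk.PartitionStyle
    BitLockerProtection = [string]$blv.ProtectionStatus
    RecoveryPasswordSet = $hasRecovery
}

# Keep a copy on disk and show it; copy the file off the machine as well
$state | ConvertTo-Json | Set-Content -Path $OutFile -Encoding UTF8
$state

if ($blv -and $blv.ProtectionStatus -eq 'On' -and -not $hasRecovery) {
    Write-Warning 'BitLocker is on but no recovery password protector was found.'
}
```

Running it again after the firmware change and comparing the two files shows which of UEFI, Secure Boot or TPM still needs to be re-enabled.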
If your goal is to dual boot with Linux, start with a Secure Boot compatible distro and only turn it off if absolutely necessary. This reduces friction with Windows 10/11 and prevents you from losing pre-boot protection.
When the Secure Boot status does not match what you see, restoring keys is usually the solution. And remember to save changes with F10 or from the Save and Exit menu so that UEFI applies the new policy.