How To Enable Secure Boot On ASUS Prime | BIOS Setup Steps

Enable Secure Boot on an ASUS Prime motherboard by switching to Advanced Mode in the BIOS and setting OS Type to Windows UEFI mode.

Secure Boot is an important security standard that prevents unsigned or malicious software from loading during the startup process. On an ASUS Prime motherboard, the setting lives a few layers deep in the UEFI BIOS, but toggling it on takes less than two minutes once you know the exact menu path.

This guide walks through how to enable Secure Boot on an ASUS Prime system step by step, covering the typical BIOS layout and what to do if the option is grayed out or unavailable.

What Is Needed Before Enabling Secure Boot?

Secure Boot requires a UEFI-based system and a compatible operating system like Windows 10 or 11. If your ASUS Prime board is still using Legacy or CSM boot mode, Secure Boot will not be available until you switch to UEFI.

Before starting, make sure Windows is installed on a GPT drive. If the drive uses the older MBR layout, convert it first; otherwise the system will not boot after Secure Boot is enabled.

Step-By-Step: Enabling Secure Boot On An ASUS Prime Motherboard

The standard procedure to enable Secure Boot on an ASUS Prime motherboard involves changing a single setting in the BIOS. ASUS officially documents this path for its motherboard lineup, and the steps are consistent across most modern Prime models.

  1. Shut down your PC completely.
  2. Press the Power button and immediately tap the F2 or Delete key to enter the BIOS setup.
  3. If you land on the EZ Mode screen, press F7 to switch to Advanced Mode.
  4. Navigate to the Boot tab using the arrow keys. On some ASUS Prime BIOS layouts, the Secure Boot settings are located under the Security tab.
  5. Find the Secure Boot menu and enter it.
  6. Locate the OS Type option. The default is typically set to Other OS.
  7. Change OS Type from Other OS to Windows UEFI mode.
  8. Press F10 to save the changes and exit. Confirm with OK.

Your system will reboot. Secure Boot is now enabled. You can verify the change in Windows using the msinfo32 tool covered later in this article.

Enabling Secure Boot Through Key Management (Alternative Path)

If the OS Type setting alone does not trigger Secure Boot, ASUS documents a secondary path using the Key Management submenu. This route is useful for custom-built systems or after hardware changes that clear the factory key database.

  1. Follow steps 1 through 5 above to reach the Secure Boot menu.
  2. Set Secure Boot Control to Enabled.
  3. Go into the Key Management submenu.
  4. Select Clear Secure Boot Keys to enter Setup Mode.
  5. Select Install Default Secure Boot Keys to load the factory key database.
  6. Press F10 to save and exit.

This method rebuilds the signature database from scratch, which resolves most key-related Secure Boot failures.

| Setting | Secure Boot State | Typical Use Case |
|---|---|---|
| OS Type = Windows UEFI mode | On (Enabled) | Standard Windows 10/11 installation with UEFI boot. |
| OS Type = Other OS | Off (Disabled) | Linux, legacy boot, or non-UEFI boot media. |
| Secure Boot Control = Enabled | On | Used in tandem with Key Management for custom setups. |
| Secure Boot Control = Disabled | Off | Default state for troubleshooting or older hardware compatibility. |

Why Is Secure Boot Grayed Out Or Unavailable?

The most common reason Secure Boot is grayed out on an ASUS Prime motherboard is that CSM (Compatibility Support Module) is enabled. Secure Boot strictly requires a pure UEFI boot mode, and CSM emulates legacy BIOS, which directly conflicts with the security protocol.

To fix this, go to the Boot tab in Advanced Mode and set CSM to Disabled. Save with F10, re-enter the BIOS, and the Secure Boot menu options should now be fully accessible.

Disabling CSM will prevent your system from booting from legacy MBR drives. Windows must be installed in UEFI/GPT mode. If you disable CSM and the system fails to boot, re-enable CSM. Then convert the boot drive to GPT using Windows’ mbr2gpt.exe tool before disabling CSM again.

Less common causes include a missing or corrupted key database. Running the Install Default Secure Boot Keys routine described earlier usually resolves that.

| Problem | Likely Cause | The Fix |
|---|---|---|
| Secure Boot option is grayed out | CSM / Legacy Boot is enabled in the BIOS. | Disable CSM in the Boot tab. |
| Boot error after enabling Secure Boot | Windows is installed in Legacy/MBR mode. | Re-enable CSM, convert disk using mbr2gpt.exe, then disable CSM. |
| “Secure Boot Violation” on startup | Boot keys are corrupted or non-standard. | Go to Key Management and select Install Default Secure Boot Keys. |
| Secure Boot shows “Off” in Windows | OS Type is set to “Other OS” or Secure Boot Control is disabled. | Set OS Type to Windows UEFI mode and save. |

How To Verify Secure Boot Is Enabled In Windows

Once you have saved the BIOS settings and booted into Windows, confirming that Secure Boot is active takes just a few seconds. ASUS itself recommends this verification method.

  1. Press Win + R, type msinfo32, and press Enter.
  2. Look for Secure Boot State in the System Summary list.
  3. If it reads On, Secure Boot is enabled and working correctly.

ASUS’s official Secure Boot configuration guide documents this same verification step and covers the BIOS settings in more detail.

Verifying Your Final Secure Boot Configuration

After finishing the setup, the system should pass these checks:

  • System boots in UEFI mode (CSM is disabled).
  • Windows is installed on a GPT drive.
  • BIOS is set to Advanced Mode (F7).
  • OS Type is changed to Windows UEFI mode.
  • Changes are saved with F10 before exiting.
  • Secure Boot State reads “On” in msinfo32.

If the system passes all of these, Secure Boot is running as intended on your ASUS Prime motherboard.
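The Windows-side items on this checklist can also be read from an elevated PowerShell prompt instead of msinfo32. The script below is an added example, not taken from ASUS or the original article; the function name Test-SecureBootReadiness is hypothetical, and it relies only on the built-in Get-Disk, Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets. It is read-only and changes no firmware settings.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the Secure Boot checklist from inside Windows.
# Test-SecureBootReadiness is a hypothetical name chosen for this illustration.

function Test-SecureBootReadiness {
    $result = [ordered]@{}

    # 1. The boot disk must be GPT; an MBR disk will not boot once CSM is disabled.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $result.BootDiskNumber = $bootDisk.Number
    $result.PartitionStyle = [string]$bootDisk.PartitionStyle
    $result.DiskIsGpt      = ($bootDisk.PartitionStyle -eq 'GPT')

    # 2. Confirm-SecureBootUEFI returns True/False on a UEFI boot. On a
    #    legacy/CSM boot it fails with "Cmdlet not supported on this platform",
    #    so a failure here is treated as "not booted in UEFI mode".
    try {
        $result.SecureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $result.UefiBoot     = $true
    } catch {
        $result.SecureBootOn = $false
        $result.UefiBoot     = $false
        $result.UefiError    = $_.Exception.Message
    }

    # 3. The UEFI SetupMode variable is 1 when no Platform Key is enrolled
    #    (the state after "Clear Secure Boot Keys") and 0 once keys are installed.
    try {
        $setup = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0]
        $result.KeysInstalled = ($setup -eq 0)
    } catch {
        $result.KeysInstalled = $false
    }

    # Overall verdict: every Windows-visible item must hold.
    $result.Pass = $result.DiskIsGpt -and $result.UefiBoot -and
                   $result.SecureBootOn -and $result.KeysInstalled
    [pscustomobject]$result
}

Test-SecureBootReadiness | Format-List
```

If DiskIsGpt is False, convert the drive with mbr2gpt.exe before disabling CSM; if KeysInstalled is False, run Install Default Secure Boot Keys from the Key Management submenu.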
