Enabling Secure Boot on an MSI B450 Tomahawk Max requires switching the BIOS from CSM to UEFI mode and turning on the Secure Boot setting inside the Windows OS Configuration menu.
Secure Boot is a non-negotiable requirement for Windows 11 and a growing number of anti-cheat systems. On the B450 Tomahawk Max, the process takes about five minutes, but only if your system disk is formatted as GPT. If you skip that step, Windows won’t boot after the switch. How to enable Secure Boot on the B450 Tomahawk Max starts with one critical choice inside the BIOS: moving from Compatibility Support Module (CSM) to pure UEFI mode.
Enabling Secure Boot on an MSI B450 Tomahawk Max: The Core Steps
Enabling Secure Boot requires three things to align: the boot mode must be UEFI, the system drive must be GPT, and the Secure Boot toggle inside the BIOS must be turned on. MSI’s Click BIOS 5 places all of these options under the Settings menu, but the exact labels can shift slightly depending on the BIOS revision installed on your board.
Before you open the BIOS, check your disk layout. Open a Command Prompt and run msinfo32. Look for BIOS Mode. If it says Legacy, your disk is almost certainly MBR, and you’ll need to convert it before enabling UEFI.
Why Does Secure Boot Depend on CSM and UEFI Mode First?
The Compatibility Support Module (CSM) is an emulation layer that lets the motherboard boot old operating systems and expansion ROMs. Secure Boot was designed for the UEFI standard and cannot function in this legacy environment. If CSM is enabled, the Secure Boot option in the BIOS will either be hidden, grayed out, or revert to “off” after a reboot.
Switching to UEFI mode tells the motherboard to ignore the legacy BIOS interfaces and boot strictly according to the GPT partition table. This is the only environment where the Secure Boot protocol can verify signatures during the boot process.
How To Convert an MBR Disk to GPT Using MBR2GPT
If your system disk is MBR, you must convert it to GPT before switching to UEFI mode, or Windows will fail to boot. Windows 10 and 11 include a built-in conversion tool that handles the job without data loss, provided your disk meets the requirements.
- Open Command Prompt as Administrator (Win + R, type
cmd, press Ctrl + Shift + Enter). - Run
mbr2gpt /validate. If the tool reports the disk is valid for conversion, proceed. If it fails, you may need to shrink a partition or remove extra volumes. - Run
mbr2gpt /convert. The tool modifies the partition table silently in memory, then finalizes the change on the next reboot.
The after the conversion, the system boots normally, and msinfo32 now reads BIOS Mode: UEFI (once you change the BIOS setting below). The disk layout is ready for Secure Boot.
A Step-by-Step Guide to Secure Boot in MSI Click BIOS 5
The standard path through MSI’s BIOS lands on the setting fast. From the main BIOS screen, hit Settings > Advanced > Windows OS Configuration. Before touching Secure Boot, set BIOS CSM/UEFI Mode to UEFI. If the option is missing or grayed out, load the default UEFI keys first or reset the BIOS to UEFI-optimized defaults.
- Press Del repeatedly during boot to enter the BIOS.
- Navigate to Settings > Advanced > Windows OS Configuration.
- Change BIOS CSM/UEFI Mode to UEFI.
- Change Secure Boot to Enabled. Some BIOS versions list Windows 10 WHQL Support – set that to Enabled or UEFI if it appears.
- Press F10 to save and reboot.
- In Windows, press Win + R, type
msinfo32, and check that Secure Boot State reads On.
If the setting doesn’t stick, check that the Secure Boot mode is set to Standard (not Custom). This aligns with MSI’s official guidance for AM4 motherboards, which pairs Secure Boot with TPM 2.0 for full Windows 11 readiness.
Common Secure Boot Issues on the B450 Tomahawk (and Fixes)
The B450 Tomahawk Max is a mature board with a long BIOS history. Community walkthroughs and forum threads show a handful of recurring problems that trip users up.
| Situation | Likely Cause | Solution |
|---|---|---|
| Windows won’t boot after saving BIOS changes | Disk is MBR instead of GPT | Boot from Windows installation media, open Command Prompt, run mbr2gpt /convert. |
| Secure Boot option is grayed out | CSM/Legacy mode is still enabled | Set BIOS CSM/UEFI Mode to UEFI and reboot before enabling Secure Boot. |
| “Secure Boot State” shows “Unsupported” | Disk was installed in Legacy mode without updating the partition scheme | Run mbr2gpt /validate then /convert, switch to UEFI in BIOS. |
| BIOS menu labels are different | Older BIOS revision, or a beta UEFI build | Look for Settings > Boot and enable UEFI there. The Secure Boot toggle may be under Security. |
| Valorant or anti-cheat still blocks the system | Virtualization or fTPM is also required | Enable Settings > Security > Trusted Computing > Security Device Support. |
| Secure Boot toggle keeps switching back to “Off” | Secure Boot mode is set to “Custom” instead of “Standard” | Change Secure Boot Mode to Standard and install default factory keys. |
| Windows 11 setup says Secure Boot isn’t enabled | BIOS changes weren’t saved, or a hybrid boot mode is active | Re-enter the BIOS and confirm both UEFI mode and Secure Boot are clearly set to Enabled. |
What If Secure Boot Is Still Not Working?
If you’ve followed the steps and the toggle refuses to stick, reset the Secure Boot keys. Inside Windows OS Configuration, change Secure Boot Mode from Custom to Standard. Save and reboot, then re-enter the BIOS to enable it again. A clean slate for the key database fixes most stubborn cases.
Another angle: some B450 Tomahawk Max boards with older BIOS builds remove the CSM/UEFI switch location or hide Secure Boot behind a different menu tree. Flashing the latest stable BIOS from MSI’s support page resolves this and ensures the menus match current documentation. After the flash, load optimized defaults, then run through the UEFI + Secure Boot steps again.
| Task | Tool / Path | Details |
|---|---|---|
| Check boot mode and Secure Boot status | msinfo32 |
Look for BIOS Mode (UEFI or Legacy) and Secure Boot State (On or Off). |
| Convert MBR to GPT | mbr2gpt in Command Prompt (Admin) |
Run mbr2gpt /validate first. If successful, run mbr2gpt /convert. |
| Enable TPM 2.0 | BIOS > Settings > Security > Trusted Computing | Set Security Device Support to Enabled. Verify in Windows with tpm.msc. |
| Reset Secure Boot keys | BIOS > Windows OS Configuration | Set Secure Boot Mode to Standard and install default keys. |
| Reset BIOS to factory defaults | BIOS > Save & Exit > Restore Defaults | Use this if options become grayed out or the system refuses to boot after changes. |
| Flash the latest BIOS | MSI Live Update or USB Flashback | Fixes missing UEFI options and menu layout inconsistencies from older BIOS builds. |
Checklist: Secure Boot Enabled on Your MSI B450 Tomahawk Max
- Converted the system disk to GPT if it was MBR (
mbr2gpt /convert). - Disabled CSM/Legacy mode and set the boot stack to UEFI.
- Enabled Secure Boot inside Windows OS Configuration.
- Enabled Security Device Support (TPM 2.0) for full Windows 11 compatibility.
- Verified with
msinfo32that Secure Boot State reads On.
References & Sources
- MSI Official Blog. “How to Enable Secure Boot and TPM 2.0 on MSI AM4 Motherboards” Official steps for enabling Secure Boot and TPM on MSI AM4 boards, including the B450 Tomahawk Max.
