Secure Boot needs UEFI mode, disabled CSM Support, and factory keys installed—on Gigabyte boards it only shows as Active once all three are in place.
Most Gigabyte motherboards leave CSM Support enabled out of the box, and as long as that setting is on, the Secure Boot option stays hidden or grayed out. Flip that one switch, work through the key management menu, and the whole feature comes to life. Whether you are tightening system security or ticking the Windows 11 requirement box, how to enable Secure Boot on a Gigabyte motherboard follows the same sequence every time.
What You Need Before Enabling Secure Boot
Secure Boot only works when the motherboard is in UEFI mode and the system disk uses GPT. Open msinfo32 in Windows and check two fields before touching the BIOS.
- BIOS Mode must read UEFI. If it says Legacy, the system was installed in legacy mode and will need a clean Windows install set to UEFI.
- The system disk must use GPT (GUID Partition Table), not MBR. Right-click the disk in Disk Management, pick Properties > Volumes, and check the partition style. An MBR disk can be converted with MBR2GPT.exe or migrated during a fresh install.
GIGABYTE’s official FAQ also recommends backing up important data before making firmware changes, since a wrong setting can stop Windows from booting entirely.
Enabling Secure Boot On Gigabyte: The Menu Path That Works
These steps apply to GIGABYTE AM4, sTRX4, and 300-series motherboards. The exact menu labels may shift slightly between BIOS versions, but the core route is the same.
- Enter the BIOS. Restart the system and press the Delete key repeatedly during startup until the BIOS screen appears.
- Switch to Advanced Mode. Press F2 or click the Advanced Mode button to exit the simplified view.
- Disable CSM Support. Go to Boot > CSM Support, set it to Disabled, and save your changes with F10. The system will reboot.
- Re-enter the BIOS. Press Delete again to get back into the firmware.
- Open the Secure Boot menu. Navigate to Boot > Secure Boot. If you do not see this option, check under the Security tab instead—some BIOS revisions place it there.
- Set Secure Boot Mode to Custom. Choose Custom rather than Standard. This makes the key management options visible.
- Restore Factory Keys. Select Restore Factory Keys (sometimes labeled Install Factory Default Keys) and confirm when prompted. This step is what actually activates Secure Boot.
- Save and Exit. Press F10, confirm the changes, and let the system reboot normally.
Why Does Secure Boot Show Enabled But Not Active?
This is the most common issue on Gigabyte boards. You enable Secure Boot, the BIOS says Enabled, but the status below it still reads Disabled or Not Active. The root cause is almost always the same: the firmware needs factory keys installed before Secure Boot becomes Active.
Go back into the BIOS at Boot > Secure Boot, change Secure Boot Mode to Custom if it is still on Standard, then use Restore Factory Keys. After a save and reboot, the status should flip to Active. If it does not, run the restore process once more—some BIOS versions require a second pass before the keys take hold.
How Do You Verify Secure Boot Is Active?
Two places to confirm. In the BIOS, go to Boot > Secure Boot and check that the field next to Secure Boot shows Active. In Windows, open msinfo32 and look for Secure Boot State: On. Both must agree for the feature to be fully operational.
A system showing Secure Boot State: Off in Windows despite the BIOS looking correct usually means the factory keys are missing or CSM Support is still enabled somewhere. Run through the table below to isolate the exact cause.
| Mistake | Why It Blocks Secure Boot | The Fix |
|---|---|---|
| CSM Support is still enabled | Secure Boot stays hidden or grayed out while CSM is on | Go to Boot > CSM Support and set it to Disabled |
| System disk uses MBR instead of GPT | Secure Boot requires GPT partitioning | Convert with MBR2GPT.exe or clean-install Windows in UEFI mode |
| Windows was installed in Legacy mode | Legacy boot mode bypasses UEFI Secure Boot entirely | Check msinfo32 > BIOS Mode; reinstall in UEFI if needed |
| Factory keys were not installed | Secure Boot shows Enabled but stays Not Active | Set Secure Boot Mode to Custom, then run Restore Factory Keys |
| Changes were made but not saved | BIOS settings are volatile until saved | Press F10 and confirm before rebooting |
| AMD CPU fTPM is disabled | Required for TPM 2.0 alongside Secure Boot | Enable Settings > AMD CPU fTPM in Advanced Mode |
| Secure Boot is under the wrong BIOS tab | Some BIOS versions place it under Security instead of Boot | Check Security > Secure Boot if the Boot tab lacks the option |
Final Checklist — Getting Secure Boot Right On Gigabyte
Run through this sequence one last time to confirm everything is set:
- Windows msinfo32 shows BIOS Mode: UEFI and the disk is GPT.
- BIOS CSM Support is Disabled.
- Secure Boot Mode is set to Custom (or Standard after keys are installed).
- Restore Factory Keys has been executed at least once.
- The BIOS Secure Boot field displays Active.
- msinfo32 shows Secure Boot State: On.
If all six check, Secure Boot is working. If step five or six still fails, revisit the table above—one of those seven mistakes is almost certainly the culprit.
References & Sources
- GIGABYTE. “How to Enable Secure Boot and TPM 2.0 on GIGABYTE AM4 300 Series / AM4 / sTRX4 Motherboard” Official FAQ covering the full BIOS setup, prerequisite checks, and key management process.