Enrolling a Platform Key (PK) in your BIOS/UEFI is the firmware step that activates Secure Boot and fixes the “Repeat operation after enrolling PK” error — a process that takes about two minutes once you know the menus.
A Platform Key is the root trust anchor for Secure Boot. Without a PK enrolled, your firmware stays in Setup Mode, Secure Boot cannot turn on, and Windows 11 may refuse to install or boot. This guide covers the exact steps for popular vendors, what to do when you see the PK error, and how to verify everything worked.
What Is A Platform Key And Why Enroll It?
A Platform Key (PK) is the top-level certificate in the Secure Boot key hierarchy. It is used to sign the Key Exchange Key (KEK) and all other Secure Boot databases. When no PK exists, the system is in Setup Mode — Secure Boot stays disabled or shows “not ready.” Enrolling a PK moves the firmware into User Mode, which locks Secure Boot and allows the operating system to verify boot loaders.
The most common symptom that forces enrollment is the Secure Boot error “Repeat operation after enrolling Platform Key(PK)” on MSI-based gaming PCs. The same issue appears as “Secure Boot can’t be enabled” on many motherboards. The fix is always the same: restore or load a factory PK, or enroll one from a file.
Enrolling A Platform Key In BIOS: Steps That Work On Any System
Regardless of your motherboard brand, the core workflow is consistent. You enter the UEFI firmware interface, navigate to Secure Boot or Key Management menus, and choose an enroll option. The exact menu labels vary, but the logic does not.
- Restart your PC and press the firmware entry key (often Delete, F2, or Esc) during boot. Check your motherboard manual if uncertain.
- Switch to Advanced Mode or Detailed Setup if your BIOS has a simplified view (usually F7 or F2).
- Locate the Secure Boot submenu under Security or Boot tabs.
- If Secure Boot cannot be enabled because no PK exists, change the Secure Boot Mode to Custom to reveal key management options.
- Select Enroll Platform Key (PK) or Restore Factory Keys. Confirm any prompts — the firmware will load the default Microsoft PK or a vendor‑supplied key.
- If you have a specific key file (e.g., a `.der` certificate), choose Enroll Platform Key (PK) Using File and browse to the file.
- Save changes and exit. The system reboots; Secure Boot should now be active.
Vendor‑Specific Procedures For Enrolling The Platform Key
Every OEM places the PK enrollment option in a slightly different spot. The table below covers the most common motherboards and pre‑built systems.
| Vendor / System | Menu Path To Enroll PK | Key File Needed? |
|---|---|---|
| Generic UEFI (most PCs) | Boot tab → Secure Boot → Key Management → Enroll Platform Key or Restore Factory Keys | Not needed (built‑in default) |
| HPE ProLiant (servers) | Enroll Platform Key (PK) → Enroll Platform Key (PK) Using File → select TestPK1.der from the file system | Yes (.der file) |
| MSI motherboards (gaming PCs) | Settings → Security → Secure Boot → set Secure Boot Mode to Custom → open Key Management → choose Enroll all Factory Default keys | Not needed (factory default) |
| Gigabyte motherboards | Boot tab → Secure Boot → enable Secure Boot → set Secure Boot Mode to Custom → select Restore Factory Keys / Install factory defaults | Not needed (factory default) |
| ASRock motherboards | Security → Secure Boot → Clear Platform Key (if enrolled) then re‑enable Secure Boot to force re‑enrollment, or use Restore Secure Boot Keys | Not needed (built‑in) |
| Reset to factory keys (any) | Same menu as above, select Reset to Setup Mode then Install Default Secure Boot Keys | Not needed |
| Enroll from file (HPE) | Enroll Platform Key (PK) Using File → browse to .der or .cer certificate file | Yes (file must be present on FAT32 drive) |
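A pre-flight check for the enroll-from-file path, as an added example that is not part of any vendor procedure: it confirms on a Windows machine that the file is a binary DER X.509 certificate and that it sits on a FAT32 volume before you carry it to the firmware. The function name `Test-PKCertificateFile` and the drive path `E:\TestPK1.der` are assumptions made for illustration.

```powershell
# Added example (not vendor code): sanity-check a PK certificate file before enrollment.
function Test-PKCertificateFile {
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    $head  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(11, $bytes.Length))

    # Binary DER begins with an ASN.1 SEQUENCE tag (0x30); PEM begins with "-----BEGIN ".
    $isPem = $head -eq '-----BEGIN '
    $cert  = $null
    if (-not $isPem -and $bytes.Length -gt 4 -and $bytes[0] -eq 0x30) {
        try   { $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes) }
        catch { Write-Warning "Not a parseable X.509 certificate: $($_.Exception.Message)" }
    }

    # File system of the volume holding the file (the HPE row calls for FAT32).
    $fs = [System.IO.DriveInfo]::new([System.IO.Path]::GetPathRoot($full)).DriveFormat

    [pscustomobject]@{
        File       = $full
        IsDerX509  = $null -ne $cert          # DER-looking bytes that parsed as a certificate
        IsPem      = $isPem
        FileSystem = $fs
        OnFat32    = $fs -eq 'FAT32'
        Subject    = if ($cert) { $cert.Subject }
        NotAfter   = if ($cert) { $cert.NotAfter }
        Expired    = if ($cert) { $cert.NotAfter -lt (Get-Date) }
        Sha256     = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    }
}

# 'E:\TestPK1.der' is an assumed location; the file name comes from the HPE row above.
$sample = 'E:\TestPK1.der'
if (Test-Path -LiteralPath $sample) { Test-PKCertificateFile -Path $sample | Format-List }
```

Compare the `Sha256` value with the hash recorded where the key was generated, so the certificate you enroll as the root of trust is the one you intended.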
Common Mistakes When Enrolling A Platform Key
Even when you know the menus, small missteps can keep Secure Boot off. Avoid these:
- Forgetting to switch to Advanced Mode. Many BIOS simplified views hide the Key Management options. Press F2 or F7 to switch.
- Not rebooting after enrolling. After you save changes, the PK is written, but some systems require a full power‑off and reboot before Secure Boot becomes active. NZXT’s guide explicitly says to restart and re‑enter UEFI.
- Leaving CSM enabled. Compatibility Support Module (CSM) overrides UEFI boot and blocks Secure Boot from turning on. Set Boot Mode to UEFI only, not Legacy.
- Choosing the wrong Secure Boot Mode. If you try to enable Secure Boot while it is set to Standard mode without a PK, the option stays gray. Switch to Custom first, enroll keys, then change back to Standard after.
- Assuming a file must be used. For most desktops, selecting Enroll all Factory Default keys or Restore Factory Keys loads a Microsoft‑approved PK automatically — no file needed.
Verify Secure Boot Is Active After Enrolling PK
Once you have enrolled the Platform Key and saved the firmware settings, boot into Windows and confirm the change stuck.
- Open System Information (press Win + R, type `msinfo32`, press Enter).
- Look for the line Secure Boot State. It must show On.
- Optional: run `Confirm-SecureBootUEFI` in PowerShell as administrator. It returns True when Secure Boot is enabled, which is only possible once a PK is present.
If Secure Boot State still says Off, re‑enter the firmware and double‑check that the PK enrollment was saved. Some motherboards silently revert to Setup Mode if the boot media has a legacy MBR partition table — converting to GPT may be required.
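To check the enrolled key itself rather than only the on/off state, the following added example (not from the original guide or any vendor) reads the Secure Boot variables with the built-in `Get-SecureBootUEFI` cmdlet and decodes the certificate stored in PK. The function name `Get-PlatformKeyStatus` is an assumption, and the script assumes an elevated session on a UEFI-booted Windows system.

```powershell
# Added example (not from the original page): run in an elevated PowerShell session.
function Get-PlatformKeyStatus {
    $status = [ordered]@{ SecureBoot = $null; SetupMode = $null; PKEnrolled = $false
                          PKSubject = $null; PKThumbprint = $null; PKNotAfter = $null }

    # Returns $true/$false on UEFI systems; throws on legacy/CSM boots or without elevation.
    try   { $status.SecureBoot = Confirm-SecureBootUEFI }
    catch { Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
            return [pscustomobject]$status }

    # SetupMode is a one-byte variable: 1 = Setup Mode (no PK), 0 = User Mode.
    try   { $status.SetupMode = [bool](Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0] }
    catch { Write-Warning "SetupMode not readable: $($_.Exception.Message)" }

    # PK holds an EFI_SIGNATURE_LIST: type GUID (16 bytes), then list size, header size
    # and signature size (4 bytes each), an optional header, then owner GUID (16) + data.
    try   { $pk = (Get-SecureBootUEFI -Name PK -ErrorAction Stop).Bytes }
    catch { return [pscustomobject]$status }          # variable undefined: no PK enrolled
    if (-not $pk -or $pk.Length -lt 44) { return [pscustomobject]$status }
    $status.PKEnrolled = $true

    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'    # EFI_CERT_X509_GUID
    $hdrSize  = [int][BitConverter]::ToUInt32($pk, 20)
    $sigSize  = [int][BitConverter]::ToUInt32($pk, 24)
    $isX509   = [guid]::new([byte[]]$pk[0..15]) -eq $x509Type
    if ($isX509 -and $sigSize -gt 16 -and (28 + $hdrSize + $sigSize) -le $pk.Length) {
        # Skip the 16-byte owner GUID; the remainder of the entry is the DER certificate.
        $der = New-Object byte[] ($sigSize - 16)
        [Array]::Copy($pk, 28 + $hdrSize + 16, $der, 0, $der.Length)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        $status.PKSubject    = $cert.Subject
        $status.PKThumbprint = $cert.Thumbprint
        $status.PKNotAfter   = $cert.NotAfter
    }
    [pscustomobject]$status
}

Get-PlatformKeyStatus | Format-List
```

The state the enrollment steps aim for is `SecureBoot = True`, `SetupMode = False` and `PKEnrolled = True`, with `PKSubject` naming the vendor or organization whose key you meant to enroll.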
Quick Reference: Error Messages And Fixes
The table below pairs the most frequent Secure Boot errors with the exact step to resolve them.
| Error / Symptom | What It Means | How To Fix |
|---|---|---|
| “Repeat operation after enrolling Platform Key(PK)” | Secure Boot tried to enable but no PK was present | Enroll factory default keys or a custom PK file |
| “Secure Boot cannot be enabled” (grayed out) | Firmware is in Standard mode without a PK | Switch Secure Boot Mode to Custom, then enroll PK |
| “Secure Boot state – Off” after enrollment | PK not saved, or CSM still enabled | Disable CSM, re‑enroll PK, save and reboot |
| “Platform Key is not enrolled” in msinfo32 | Enrollment did not complete | Repeat steps: enter UEFI, go to Key Management, enroll PK, save, reboot |
| Windows 11 setup says “This PC must support Secure Boot” | PK not enrolled or Secure Boot disabled | Use the generic steps above to enroll PK and enable Secure Boot |
A detailed HPE guide on enrolling Platform Keys from a file provides exact steps for server environments, but the core concept applies to any UEFI system: without a PK, Secure Boot stays off.
References & Sources
- HPE. “UEFI Secure Boot – Enroll Platform Key (PK).” Official procedure for loading a PK from a .der file.
- NZXT. “How to enable Secure Boot on your Gaming PC (MSI).” Describes the PK error and factory‑key enrollment for MSI boards.
- Gigabyte. “Gigabyte BIOS Secure Boot Enable.” Shows the Restore Factory Keys path on Gigabyte motherboards.
