Enable Secure Boot on ASRock: disable CSM in Boot, enable Secure Boot in Security, and install default keys if needed.
To enable Secure Boot on an ASRock motherboard, you must first switch to UEFI-only mode by turning off CSM (Compatibility Support Module), then activate Secure Boot in the Security tab. If the option stays grayed out or shows “Not Active,” you’ll need to install the default Secure Boot keys. The whole process takes about five minutes and works on most ASRock boards running the latest UEFI BIOS.
Why Secure Boot Requires CSM Disabled On ASRock
CSM emulates legacy BIOS compatibility, which conflicts with Secure Boot’s UEFI-only requirements. When CSM is enabled, the firmware allows non‑UEFI boot devices, and Secure Boot cannot be turned on. Disabling CSM forces the motherboard to boot only in pure UEFI mode — the foundation Secure Boot needs. ASRock’s own FAQ and support guides list “CSM disabled” as the first condition for enabling Secure Boot.
If your operating system was originally installed in legacy mode (MBR disk), switching to UEFI may prevent the system from booting. In that case you’ll need to convert the disk to GPT or reinstall Windows in UEFI mode before proceeding.
Step‑By‑Step: Enable Secure Boot On An ASRock Motherboard
These steps apply to ASRock Z490, B550, X570, and most other models running the stock UEFI BIOS. Enter the firmware setup, then follow the order below.
- Enter the UEFI BIOS. Restart your PC and press F2 or Delete repeatedly during the ASRock splash screen. On some boards Delete is the default; if unsure, tap both keys. You should land in the UEFI setup utility.
- Switch to Advanced Mode (if not already there). Usually the F6 key toggles between Easy and Advanced modes, or you can click the Advanced Mode button at the top.
- Disable CSM. Go to the Boot tab and locate CSM (Compatibility Support Module). Set it to Disabled. This may require saving a reboot prompt later, but don’t leave the setup yet.
- Enable Secure Boot. Navigate to the Security tab and scroll to Secure Boot. Set it to Enabled. If the option is grayed out, first set Secure Boot Mode to Custom, then open Key Management and select Install default Secure Boot keys. Confirm when prompted.
- Save and exit. Press F10 to save changes and restart. After the PC reboots, enter the BIOS again (press F2 or Delete during POST) to check the Secure Boot status. It should now read Active under the Security tab.
For a detailed walkthrough of the exact UEFI screens, NZXT’s ASRock Secure Boot guide covers the menu names and key‑management steps.
Table: Secure Boot Settings Overview On ASRock
| Setting | Required Value | Location in BIOS |
|---|---|---|
| CSM (Compatibility Support Module) | Disabled | Boot tab |
| Secure Boot | Enabled | Security tab |
| Secure Boot Mode | Standard (or Custom if keys need installing) | Security > Secure Boot |
| Default Secure Boot Keys | Installed (if mode was Custom) | Key Management |
| UEFI boot mode | Active (CSM off implies UEFI only) | Boot > Boot Mode |
| Latest UEFI BIOS | Recommended before changing settings | ASRock support page |
| OS disk format | GPT (not MBR) | Windows Disk Management |
What If Secure Boot Shows “Not Active” After Enabling?
Sometimes the status remains Not Active even after enabling Secure Boot. This happens when the firmware hasn’t picked up the change yet, or the default Secure Boot keys are missing. Here’s how to fix it:
- Reboot and re‑enter the BIOS. Save your changes, restart, then immediately press F2 / Delete again. The status often switches to Active after a full boot cycle.
- Install default keys manually. If it still shows Not Active, go to Security > Secure Boot, set Secure Boot Mode to Custom, open Key Management, and select Install default Secure Boot keys. Confirm, save, and reboot.
- Check your BIOS version. Outdated firmware can cause Secure Boot to fail to activate. Download the latest UEFI BIOS from ASRock’s support page for your exact motherboard model and update before trying again.
How To Verify Secure Boot Is Working In Windows
Once the firmware shows Active, you can confirm it inside Windows. Press Windows + R, type msinfo32, and press Enter. In the System Information window, look for Secure Boot State — it should read On. The line BIOS Mode will show UEFI (if it says Legacy, the disk wasn’t converted).
If Secure Boot State reads Off despite the BIOS saying Active, check that Windows was installed in UEFI mode and that no third‑party boot tools are interfering.
Common Mistakes And How To Avoid Them
- Leaving CSM enabled. Secure Boot will not turn on until CSM is disabled. This is the single most common oversight.
- Expecting Secure Boot to activate immediately. Always reboot and re‑enter the BIOS to confirm the status changes from “Not Active” to “Active.”
- Missing Secure Boot keys. If the option is grayed out or stays inactive, switch to Custom mode and install the default keys.
- Installing Windows in legacy mode first. An MBR disk and legacy install will break when CSM is turned off. Convert the disk to GPT or reinstall Windows in UEFI mode.
- Skipping the BIOS update. ASRock recommends updating to the latest UEFI BIOS before touching Secure Boot settings.
Troubleshooting Table: Quick Fixes For Common Issues
| Issue | Likely Cause | Solution |
|---|---|---|
| Secure Boot option is grayed out | CSM is still enabled, or keys aren’t installed | Disable CSM; if still grayed, set Secure Boot Mode to Custom and install default keys |
| Secure Boot shows “Not Active” after enabling | Firmware hasn’t updated status, or keys are missing | Reboot, re‑enter BIOS; if still Not Active, install default keys via Key Management |
| Windows won’t boot after disabling CSM | OS installed in legacy/MBR mode | Convert disk to GPT (use MBR2GPT tool) or reinstall Windows in UEFI mode |
| Secure Boot State in Windows shows Off | BIOS setting didn’t stick, or boot entry is wrong | Double‑check BIOS status is Active; reset Secure Boot settings and re‑enable |
| Cannot find Secure Boot in Security tab | BIOS version is too old | Update to the latest UEFI BIOS from ASRock’s support page for your model |
Final Checklist: Enable Secure Boot On ASRock
Before you close the BIOS, run through this quick check:
- CSM is disabled under the Boot tab.
- Secure Boot is set to Enabled in the Security tab.
- If needed, Secure Boot Mode is Custom and default keys are installed.
- BIOS shows Secure Boot status as Active after a reboot.
- Windows System Information reports Secure Boot State = On.
Once these are all green, your ASRock motherboard is running with Secure Boot fully active, meeting Windows 11’s UEFI requirements and adding an extra layer of protection against low‑level bootkits.
References & Sources
- NZXT Support. “How to enable Secure Boot on your Gaming PC (ASRock).” Step‑by‑step UEFI instructions for ASRock motherboards.