Enabling Secure Boot on an MSI Click BIOS 5 board means switching to UEFI mode, enabling Secure Boot under Security, and confirming the disk is GPT.
Secure Boot checks that only signed, trusted code runs during startup — Windows 11 requires it, and many games and security tools benefit from it. On MSI motherboards with Click BIOS 5, the whole process takes about ten minutes once you know the exact menu path and the one setting people miss most often. This guide covers every step, the prerequisite disk check, and the factory-key fix for the PK enrollment error.
What Do You Need Before Starting?
Two things must be true before Secure Boot will enable: the motherboard must be in UEFI mode instead of Legacy or CSM, and the Windows disk must use the GPT partition scheme instead of MBR. Check both from inside Windows before touching the BIOS.
- Press Windows Key + R, type msinfo32, and press Enter.
- Find the row labeled BIOS Mode — it should read UEFI. If it says Legacy, the board is in CSM mode and needs to be switched.
- Find the row labeled Secure Boot State — if it already says On, nothing else needs doing. If it says Off, proceed with the steps below.
- Check the disk type by opening a Command Prompt and running diskpart, then list disk. An asterisk under the GPT column means the disk is GPT. If there is no asterisk, the disk is MBR and must be converted first.
MSI recommends using Windows’s built-in MBR2GPT tool for the conversion, which preserves existing data and avoids a clean reinstall. Run mbr2gpt /convert from an elevated Command Prompt after verifying compatibility with mbr2gpt /validate.
Step One: Enter The BIOS And Switch To Advanced Mode
Restart the PC and press Delete or F2 repeatedly during the initial logo screen. On most MSI Click BIOS 5 boards this lands you in EZ Mode, which shows basic system info but hides the main settings menus. Press F7 to switch to Advanced Mode before making any changes.
Step Two: Disable CSM And Set The Boot Mode To UEFI
Navigate to Settings → Advanced → Windows OS Configuration. Set Boot Mode Select to UEFI. If a CSM (Compatibility Support Module) toggle appears in the same menu, set it to Disabled. Secure Boot will stay grayed out until the system is in pure UEFI mode, so this step is mandatory.
Enabling Secure Boot On MSI Click BIOS 5: The Exact Settings Sequence
Go to Settings → Security → Secure Boot. Set Secure Boot to Enabled. On some BIOS versions the option appears as a toggle; on others it is a dropdown with Enabled and Disabled choices.
If the system immediately reports “Repeat operation after enrolling Platform Key(PK),” switch Secure Boot Mode from Standard to Custom, enter Key Management, choose Enroll all Factory Default Keys, and confirm the prompt. Then return to the Secure Boot menu and enable it normally. MSI’s official guidance for AM4 boards confirms this factory-key load resolves the PK error.
Step Four: Enable TPM / fTPM Under Trusted Computing
Navigate to Settings → Security → Trusted Computing. Set Security Device Support to Enable. This activates the onboard TPM 2.0 module (or fTPM on AMD boards), which is separate from Secure Boot but commonly required together — Windows 11 health checks look for both. MSI’s blog on AM4 motherboards lists this as part of the standard enable sequence.
Step Five: Save And Reboot
Press F10 or navigate to Save & Exit → Save Changes and Reboot. The system will restart. If you changed from CSM to UEFI, the first boot may take slightly longer as the firmware reinitializes.
How To Verify Secure Boot Is Working
Once Windows loads, press Windows Key + R, type msinfo32, and check the row labeled Secure Boot State. It should read On. The BIOS Mode row should still show UEFI. These two confirm the setup took effect.
If Secure Boot State still shows Off, reboot back into the BIOS and double-check that CSM is disabled and that Secure Boot reads Enabled. A second pass through the Security menu usually catches the missed toggle.
| Setting | Menu Location | Required Value |
|---|---|---|
| Boot Mode Select | Settings → Advanced → Windows OS Configuration | UEFI |
| CSM Support | Settings → Advanced → Windows OS Configuration | Disabled |
| Secure Boot | Settings → Security → Secure Boot | Enabled |
| Secure Boot Mode | Settings → Security → Secure Boot | Standard (or Custom for key enrollment) |
| Security Device Support | Settings → Security → Trusted Computing | Enable |
| BIOS Mode (verify in Windows) | msinfo32 | UEFI |
| Secure Boot State (verify in Windows) | msinfo32 | On |
The MSI blog on enabling Secure Boot and TPM 2.0 provides the same sequence specifically for AM4 boards, and the steps apply to most Click BIOS 5 motherboards including MAG, MPG, MEG, and PRO series.
What If You See The PK Enrollment Error?
The “Repeat operation after enrolling Platform Key(PK)” message means the BIOS has no trusted platform keys loaded. Set Secure Boot Mode to Custom, open Key Management, select Enroll all Factory Default Keys, confirm the prompt, and reboot. Then re-enter the BIOS and enable Secure Boot normally. MSI warns that customizing key management settings beyond this point can break the configuration, so stick with the factory-default path unless you have a specific reason to change it.
Common Mistakes That Block Secure Boot
- Leaving CSM enabled. Secure Boot will not activate while CSM is on. Double-check the Windows OS Configuration menu.
- An MBR disk. Secure Boot requires GPT. Convert the disk with MBR2GPT before attempting the BIOS change, or the system may fail to boot after switching to UEFI.
- Skipping the TPM/fTPM step. Windows 11’s system check looks for both Secure Boot and TPM 2.0. They are independent settings, so enabling one does not enable the other.
- Not rebooting after changing boot mode. Switching from CSM to UEFI may require one intermediate restart before the Secure Boot option becomes available. If it is grayed out, save and reboot, then come back.
- Using EZ Mode for the changes. EZ Mode does not expose the Security menu. Always press F7 for Advanced Mode first.
| Error Message | Most Likely Cause | Fix |
|---|---|---|
| Secure Boot option is grayed out | CSM still enabled or boot mode not set to UEFI | Disable CSM and set Boot Mode Select to UEFI |
| Repeat operation after enrolling Platform Key(PK) | No trusted keys in the firmware | Load factory default keys from the Key Management menu |
| System won’t boot after enabling Secure Boot | OS disk is MBR instead of GPT | Boot from recovery media and convert the disk with MBR2GPT |
| Secure Boot State shows Off in Windows | TPM / fTPM not enabled or CSM still on | Enable Security Device Support under Trusted Computing |
| Cannot find Secure Boot in the BIOS | System is in EZ Mode | Press F7 to enter Advanced Mode |
Quick Setup Checklist
Run through these items in order the next time you are in the BIOS. Each one is necessary for Secure Boot to work.
- Press F7 to enter Advanced Mode.
- Set Boot Mode Select to UEFI and disable CSM.
- Navigate to Security → Secure Boot and set it to Enabled. Load factory default keys if the PK enrollment error appears.
- Navigate to Security → Trusted Computing and set Security Device Support to Enable.
- Press F10 to save and reboot.
- Run msinfo32 to confirm Secure Boot State shows On and BIOS Mode shows UEFI.
References & Sources
- MSI. “How to enable Secure Boot and TPM 2.0 on MSI AM4 motherboards.” Official MSI blog with the complete step sequence for AM4 boards, including disk checks and the factory-key fix.