To enable Secure Boot on an AMD system, enter the UEFI/BIOS, disable CSM/Legacy, enable AMD fTPM, turn on Secure Boot, and load the factory keys, then verify in Windows with msinfo32.
The process for how to enable Secure Boot on AMD starts in the motherboard’s UEFI/BIOS, not inside Windows itself. The exact menu labels vary by manufacturer, but the core sequence is the same across Gigabyte, MSI, and most other boards. This guide walks through each step with vendor-specific examples and the common pitfalls that can block activation.
What Are The Prerequisites For Secure Boot On AMD?
Secure Boot only works when the system meets several low-level requirements. Without all of them, the option may be grayed out or the machine will fail to boot after enabling it.
- UEFI boot mode – the firmware must be set to UEFI, not Legacy or CSM.
- CSM disabled – Compatibility Support Module must be turned off.
- GPT disk format – the system drive must use GPT, not MBR.
- AMD fTPM enabled – some boards require the firmware Trusted Platform Module to be active before Secure Boot appears.
- Factory Secure Boot keys – on many motherboards, the default keys must be installed via the BIOS “Restore Factory Keys” option.
If any of these are missing, Secure Boot will either fail to enable or the system will refuse to boot afterward. Convert an MBR disk to GPT using Windows’ MBR2GPT tool before switching to UEFI, and confirm the disk style with Disk Management or diskpart.
Enabling Secure Boot On AMD: The Step Order That Works
The vendor‑specific menu names differ, but every motherboard follows the same logical flow: switch to UEFI, disable CSM, enable fTPM, enable Secure Boot, and then load the factory keys. The table below maps the exact labels for the two most common manufacturers.
| Setting | Gigabyte (AM4/sTRX4) | MSI (AM4) | Generic UEFI |
|---|---|---|---|
| Boot Mode | Boot → CSM Support → Disabled (forces UEFI) | Settings → Boot → Boot Mode Select → UEFI | Boot → UEFI/Legacy Boot → UEFI only |
| CSM State | Disabled via same option above | Settings → Advanced → Windows OS Configuration → CSM → Disabled | Look for CSM or Compatibility Support Module → Disabled |
| AMD fTPM | Settings → AMD CPU fTPM → Enabled | Settings → Security → Trusted Computing → Security Device Support → Enabled | Security → TPM or AMD fTPM → Enabled |
| Secure Boot | Boot → Secure Boot → Secure Boot Mode → Custom | Settings → Security → Secure Boot → Enabled | Boot or Security → Secure Boot → Enabled |
| Factory Keys | In Secure Boot sub‑menu, choose Restore Factory Keys → Yes | Not always required; keys are usually pre‑installed | Key Management → Install Default Secure Boot Keys |
| Disk Format | Must be GPT (check with diskpart or msinfo32) | GPT required; use MBR2GPT if needed | GPT required |
| Verification (Windows) | msinfo32 → Secure Boot State = On |
Same | Same |
Gigabyte specific sequence: enter BIOS (usually Delete), go to Advanced Mode → Settings → AMD CPU fTPM → Enabled. Save and reboot. Re‑enter BIOS, go to Boot → CSM Support → Disabled. Then Boot → Secure Boot → Secure Boot Mode → Custom. Choose Restore Factory Keys, confirm Yes to install default keys, and then confirm Yes to reset without saving. After the reboot, re‑enter BIOS and verify that Secure Boot/Enabled shows Active.
MSI specific sequence: first ensure the disk is GPT (Win+R → diskmgmt.msc → right‑click the disk → Properties → Volumes tab → Partition style). If MBR, run mbr2gpt.exe /convert /allowfullos from an admin command prompt. Reboot into BIOS, go to Settings → Boot → Boot Mode Select → UEFI. Then Settings → Security → Secure Boot → Enabled. Save and exit. In Windows, verify with msinfo32.
How Do I Verify Secure Boot Is Enabled?
The quickest way to confirm Secure Boot is active is through Windows’ System Information tool. Press Win+R, type msinfo32, and look for two lines:
- BIOS Mode – must read UEFI
- Secure Boot State – must read On
If Secure Boot State says “Off” or “Unsupported”, the BIOS settings haven’t stuck. Re‑check that CSM is disabled, the disk is GPT, and that the factory keys were installed. Activision’s Secure Boot and TPM support page covers vendor‑neutral steps and the same verification method.
Common Mistakes And How To Fix Them
Most activation failures come from one of five oversights. The table below shows each mistake, what happens, and the simple fix.
| Mistake | Consequence | Solution |
|---|---|---|
| CSM still enabled | Secure Boot option is grayed out or ignored | Disable CSM in BIOS and reboot before enabling Secure Boot |
| Boot mode set to Legacy | Secure Boot unavailable; system won’t boot after change | Switch to UEFI; convert MBR to GPT first if needed |
| MBR disk not converted | Windows fails to start after UEFI switch | Use MBR2GPT before changing BIOS mode |
| AMD fTPM disabled | Certain software (e.g., Call of Duty) still requires TPM | Enable AMD CPU fTPM in BIOS (usually under Settings/AMD CBS) |
| Factory keys not loaded | Secure Boot shows as “Enabled” but not “Active” | Enter BIOS Secure Boot menu and select Restore Factory Keys or Install Default Keys |
Step Sequence For Secure Boot On AMD
- Confirm the system disk is GPT; convert if MBR.
- Enter BIOS (Delete or F2 on boot).
- Set boot mode to UEFI and disable CSM.
- Enable AMD fTPM (TPM device).
- Enable Secure Boot.
- If present, load / restore the factory Secure Boot keys.
- Save and exit; reboot into Windows.
- Run
msinfo32to confirm BIOS Mode = UEFI and Secure Boot State = On.
References & Sources
- Activision Support. “Trusted Platform Module and Secure Boot” Vendor‑neutral guide covering prerequisites and Windows verification.