Enabling Secure Boot on an ASUS motherboard requires switching to UEFI mode, disabling CSM, and setting OS Type to Windows UEFI mode in BIOS.
Most ASUS motherboards ship with Secure Boot turned off, even though the hardware supports it — enabling it takes under two minutes once you know which BIOS settings to change. Knowing how to enable Secure Boot on an ASUS motherboard matters most when installing Windows 11, which requires the feature, or when tightening system security against boot-level attacks. The table below lists every value that needs to be right.
What Is Secure Boot And Why Does It Matter?
Secure Boot is a UEFI firmware feature that checks each piece of startup code against a database of trusted signatures before allowing it to run. If a bootloader, driver, or kernel file has been tampered with or comes from an untrusted source, the system halts the boot process before any damage occurs.
Windows 11 requires Secure Boot as part of its hardware security baseline. Anyone building a new PC or upgrading an older machine to Windows 11 needs it active. The feature also blocks rootkits and bootkits that try to load ahead of the operating system, making it one of the most effective low-level protections available on modern hardware.
What You Need Before Starting
Before opening the BIOS, confirm the motherboard is running in UEFI mode. If CSM (Compatibility Support Module) is currently enabled, Secure Boot will remain unavailable or grayed out until CSM is turned off. Some ASUS boards also require switching the Boot Mode from Legacy to UEFI under the Boot tab before Secure Boot options appear.
TPM 2.0 should also be active. On ASUS boards this is typically labeled Security Device Support or listed as AMD fTPM or Intel PTT. While ASUS’s own Secure Boot instructions do not list TPM as a requirement for the feature itself, Windows 11 needs it, and setting both during one BIOS session saves a reboot later.
| BIOS Setting | Required State | Notes |
|---|---|---|
| Boot Mode | UEFI | Legacy mode disables Secure Boot entirely |
| CSM / Launch CSM | Disabled | Must be off for Secure Boot to function |
| OS Type | Windows UEFI Mode | Default is Other OS, which keeps Secure Boot off |
| Secure Boot Control | Enabled | Some boards have this secondary toggle |
| Secure Boot State | User | User means keys are enrolled and active |
| Secure Boot Mode | Standard | Custom mode only needed for key management |
| Key Management | Install Default Keys | Resets to factory signatures if missing |
Enabling Secure Boot On An ASUS Motherboard: The Step Order That Works
This sequence follows the documented ASUS BIOS layout and works across most recent boards, including the ROG Maximus, TUF Gaming, and Prime series. If your BIOS uses a different skin, the setting names remain the same but may live under Security instead of Boot.
- Restart the PC and press Delete repeatedly as the ASUS logo appears. The BIOS utility opens.
- Press F7 to switch to Advanced Mode.
- Navigate to the Boot tab using the arrow keys.
- Open the Secure Boot menu.
- Set OS Type to Windows UEFI Mode. The default is Other OS, which keeps Secure Boot switched off.
- If a Secure Boot Control toggle is visible, set it to Enabled. Don’t confuse this toggle with the Secure Boot State readout — the state reflects whether keys are enrolled, while the control simply turns the feature on or off.
- Return to the Boot tab and set CSM (Compatibility Support Module) to Disabled.
- Go to Key Management and select Install Default Secure Boot Keys. This enrolls the factory key set.
- Press F10 to save and exit, then confirm the prompt.
ASUS’s official Secure Boot setup page documents this same procedure. After the system restarts, press Win+R, type msinfo32, and check the Secure Boot State line. On confirms the feature is active.
How Do You Verify Secure Boot Is Working?
Press Win+R, type msinfo32, and press Enter. In the System Summary panel, look for Secure Boot State. If it reads On, the BIOS changes took effect. If it reads Off, something in the BIOS is still blocking the feature — usually CSM is still active or the default keys were not enrolled.
You can also check the BIOS itself after a reboot. Re-enter the BIOS and visit the Secure Boot menu. The Secure Boot State field should show User. A value of Setup means no keys are installed, even if the toggle appears enabled.
Common Mistakes That Keep Secure Boot Disabled
Most failed attempts come from leaving CSM enabled, using Other OS instead of Windows UEFI Mode, or skipping the key enrollment step. The table below covers the issues that come up most often.
| Issue | Likely Cause | Fix |
|---|---|---|
| Secure Boot grayed out in BIOS | CSM is still enabled | Disable CSM under the Boot tab |
| Secure Boot State shows Setup | No keys are enrolled | Go to Key Management, select Install Default Keys |
| Windows won’t boot after enabling | OS installed in legacy MBR mode | Re-enable CSM, convert drive to GPT, try again |
| OS Type option is missing | Different BIOS skin | Look under the Security tab instead of Boot |
| Secure Boot On in BIOS but Off in Windows | Keys changed after save | Re-run Install Default Keys and F10 save again |
What Happens If Windows Won’t Boot After Enabling Secure Boot
If Windows was originally installed in legacy mode using an MBR drive, switching to UEFI with Secure Boot can prevent the system from starting. Re-enter the BIOS and re-enable CSM or switch OS Type back to Other OS to restore normal booting. From there, convert the drive from MBR to GPT using the built-in MBR2GPT tool in Windows before attempting the Secure Boot changes again.
Five Settings That Must Be Right Before You Exit
Run through this list before pressing F10 to save:
- BIOS mode is set to UEFI
- CSM is Disabled
- OS Type is Windows UEFI Mode
- Default Secure Boot keys are installed via Key Management
- Secure Boot State shows User, not Setup
Once all five conditions are met, save and exit. After the restart, verify with msinfo32 — the Secure Boot State line should read On.
References & Sources
- ASUS. “How to enable Secure Boot on your ASUS motherboard” Official ASUS support FAQ covering the complete BIOS setup process.