Enabling Secure Boot on a Gigabyte B450 requires disabling CSM Support in the BIOS, then restoring the factory Secure Boot keys under Secure Boot Mode > Custom.
Windows 11 makes it mandatory, but many Gigabyte B450 owners find the Secure Boot option stubbornly locked or inactive. The trick isn’t brute force — it’s a specific two-pass sequence through the BIOS that turns off the legacy Compatibility Support Module first. Follow the exact order below, and you’ll toggle Secure Boot on without the boot loops or grayed-out menus that snag most builds.
What You Need Before Starting
Secure Boot won’t activate unless your system is already set up for it. Gigabyte’s official FAQ confirms that UEFI mode and a GPT hard drive are required before the option ever appears. Run these checks first, and the BIOS steps below will go exactly as written.
| Prerequisite | Where to Check | Why It Matters |
|---|---|---|
| UEFI Boot Mode | Open msinfo32 in Windows and look for BIOS Mode | Secure Boot only works in UEFI — Legacy/CSM mode blocks it entirely. |
| GPT Partition Table | Right-click the Start button, choose Disk Management, right-click your boot disk, and select Properties > Volumes | A Master Boot Record (MBR) disk fails the Secure Boot requirement. Convert it with mbr2gpt.exe before proceeding. |
| AMD CPU fTPM 2.0 | BIOS Settings > AMD CPU fTPM | fTPM must be enabled first — Gigabyte’s own support notes say it’s a prerequisite. |
| Updated BIOS | Check the BIOS version in System Information on the main BIOS screen | An outdated BIOS can hide settings or cause saves to fail. Grab the latest from Gigabyte’s B450 support page if you’re more than one revision behind. |
Enabling Secure Boot On Gigabyte B450: The Official Step Order
Gigabyte’s AM4 boards follow a rigid procedural sequence — skip a save or reverse the order, and the Secure Boot option stays gray. Do the steps in this exact pass structure:
Pass 1 — Enable fTPM and Disable CSM
- Restart your PC and press the Delete key repeatedly as the manufacturer logo appears. This loads the Gigabyte BIOS.
- Press F2 to switch from Easy Mode to Advanced Mode if the simplified view shows up.
- Navigate to Settings > AMD CPU fTPM and set it to Enabled. A missing fTPM option usually means the BIOS needs an update.
- Press F10, confirm Save & Exit, and let the machine reboot fully back into Windows. Wait a moment, then restart and re-enter the BIOS.
- In Advanced Mode, go to the Boot tab. Find CSM Support and set it to Disabled. A warning will pop up about boot order — that’s normal.
- Press F10 again to save and exit. Let the reboot complete, then enter the BIOS a third time. This two-save pattern is crucial — disabling CSM changes the UEFI boot table, and a single save round sometimes fails to commit the change internally.
Pass 2 — Restore The Secure Boot Keys
- With CSM disabled, navigate to Boot > Secure Boot. The option is no longer grayed out.
- Set Secure Boot Mode to Custom. A new sub-menu appears below it.
- Choose Restore Factory Keys. The BIOS will ask for confirmation — select Install Factory Defaults.
- When prompted again with Reset Without Saving, confirm. This does not clear the settings you just made; it applies the default Secure Boot key database.
- Exit the BIOS and let the PC boot into Windows. Secure Boot is now active.
How To Verify Secure Boot Is Actually Working
A setting in the BIOS doesn’t always mean the OS recognizes it. Open the Start menu, type System Information (or msinfo32), and press Enter. Look for two specific fields:
- BIOS Mode: Must read UEFI.
- Secure Boot State: Must read On.
If you see Off or an empty field, the factory keys didn’t take — jump to the troubleshooting section below. You can also double-check in the BIOS itself: under Boot > Secure Boot, the line below the Enabled toggle should show Active.
Why Does Secure Boot Show “Enabled” But Not “Active”?
This is the most common hang-up on Gigabyte B450 boards. The toggle says Enabled, and Windows still reports Secure Boot as Off. The problem is almost always a missing or corrupted key database. When CSM was running, the UEFI firmware used a legacy boot path, and flipping CSM off clears the Secure Boot keys automatically — but it doesn’t regenerate them unless you manually trigger the restore.
| Problem | Likely Cause | The Fix |
|---|---|---|
| Secure Boot setting is grayed out in BIOS | CSM Support is still enabled | Go to Boot > CSM Support and set it to Disabled, then save and reboot. |
| Shows “Enabled” but not “Active” | Factory Secure Boot keys were not restored | Set Secure Boot Mode to Custom, choose Restore Factory Keys, and confirm both prompts. |
| Boot failure or black screen after enabling Secure Boot | The boot drive is MBR, or Windows was installed in Legacy mode | Boot from a Windows recovery drive and run mbr2gpt.exe /convert to switch the disk to GPT without data loss. |
| fTPM option missing from BIOS | Outdated BIOS firmware or an older CPU that lacks built-in fTPM | Update the BIOS to the latest version on Gigabyte’s B450 support page. |
Booting Into A Brick Wall After A Mistake
If the system refuses to post or the display stays black after changing Secure Boot settings, don’t panic. Pop out the CMOS battery on the motherboard for about 60 seconds, put it back, and boot up. This resets the BIOS to factory defaults and clears any conflicting Secure Boot keys. You’ll lose your BIOS customizations (RAM timings, fan curves), but the machine will boot again so you can start the process from scratch.
The Fastest Path To An Active Secure Boot
If you’re already comfortable in the BIOS, here is the condensed winner’s route — every step matters, and the order is non-negotiable:
- Enter BIOS (Delete key) -> Settings > AMD CPU fTPM > Enabled. Save & Exit. Reboot.
- Enter BIOS again -> Boot > CSM Support > Disabled. Save & Exit. Reboot.
- Enter BIOS one last time -> Boot > Secure Boot. Change Secure Boot Mode to Custom.
- Select Restore Factory Keys, confirm Install Factory Defaults, then Reset Without Saving.
- Exit. Windows will show Secure Boot State: On under msinfo32 and the BIOS will read Active.
That sequence follows the same steps Gigabyte’s own support team publishes for AM4 boards, and it’s the only sequence that reliably gets Secure Boot to an active, verified state on the B450 platform.
References & Sources
- Gigabyte. “How to Enable Secure Boot for GIGABYTE AM4 300-Series MB?” Official support FAQ detailing the CSM-to-Secure Boot process and key restoration steps.
- NZXT Support. “How to enable Secure Boot on your Gaming PC (Gigabyte).” Walkthrough covering Trusted Computing settings and verification steps.