Enabling Secure Boot on an MSI motherboard requires switching the BIOS to UEFI mode, converting your system disk to GPT, and activating the Secure Boot setting in the correct order.
Most MSI motherboards support Secure Boot from the factory, but the setting stays disabled until you switch the BIOS to UEFI mode and confirm your system disk uses GPT instead of MBR. Enabling Secure Boot on an MSI motherboard follows a specific sequence, and a skipped step is what causes most of the failures that show up in support threads. This guide covers the prerequisites, the exact BIOS walkthrough, and the most common errors that stop Secure Boot from sticking.
What Do You Need Before Enabling Secure Boot?
Before touching the BIOS, you need three things in place: the system must be booting in UEFI mode (not CSM/Legacy), the Windows drive must use the GPT partition format, and the motherboard’s TPM module should be enabled for Secure Boot to function properly.
UEFI mode is the firmware standard that Secure Boot relies on. If your MSI board is still set to CSM/Legacy — a compatibility mode for older operating systems — the Secure Boot option will either be hidden or won’t stay enabled after a reboot. Most modern MSI boards default to UEFI, but boards originally set up for Windows 7 or older drives sometimes got left in Legacy mode.
The system disk partition style matters just as much. Secure Boot requires a GPT disk, not the older MBR format. If your Windows drive is still MBR, Microsoft provides a built-in conversion tool called mbr2gpt that can switch it without losing data.
TPM 2.0 is the final piece. On MSI AM4 boards, the setting lives under Settings → Security → Trusted Computing where you enable Security Device Support and set TPM Device Selection to fTPM 2.0.
Enabling Secure Boot On MSI — The Step Order That Works
The proven sequence for enabling Secure Boot on an MSI motherboard is to disable CSM/Legacy first, reboot, then enable Secure Boot itself and install the factory Platform Key — in that order, because Secure Boot may not appear as an option until after the system has booted once in pure UEFI mode.
- Enter the BIOS. Restart your PC and press the Delete key repeatedly during startup. Some MSI boards also respond to F2.
- Switch to Advanced Mode. Press F7. The BIOS starts in EZ Mode by default, and the Secure Boot options are only visible in the Advanced view.
- Turn off CSM/Legacy. Go to Settings → Advanced → Windows OS Configuration. Look for BIOS CSM/UEFI Mode, Boot Mode Select, or Windows 10 WHQL Support — the exact label varies by board generation. Set it to UEFI (or disable the CSM/Legacy option).
- Save and reboot. Press F10 and confirm. This reboot matters because on many MSI boards the Secure Boot toggle doesn’t become available until the system has restarted once with UEFI mode active.
- Enable Secure Boot. Go back to Settings → Advanced → Windows OS Configuration and find the Secure Boot option. Set it to Enabled.
- Install factory keys if prompted. If you see “Repeat operation after enrolling Platform Key (PK),” go to the Secure Boot sub-menu and select Enroll all Factory Default Keys or Restore Factory Keys. This installs the default certificates Secure Boot uses to verify boot loaders.
- Save and exit. Press F10 and select Yes.
When it works: boot into Windows, open the Start menu, type msinfo32, and check the Secure Boot State field — it should read On.
| Setting | Typical Location | Value To Select |
|---|---|---|
| CSM / Legacy Mode | Settings → Advanced → Windows OS Configuration | Disabled (UEFI only) |
| Secure Boot | Settings → Advanced → Windows OS Configuration | Enabled |
| TPM / fTPM | Settings → Security → Trusted Computing → Security Device Support | Enabled / fTPM 2.0 |
| Advanced Mode toggle | Press F7 at the main BIOS screen | Switches from EZ to Advanced |
| Save & Exit | Press F10 or use Exit menu | Saves all changes and reboots |
| Factory Key Restore | Secure Boot → Key Management | Enroll all Factory Default Keys |
| Boot Mode | Boot tab or Windows OS Configuration | UEFI (not Legacy + UEFI) |
Is Secure Boot Actually Enabled? How To Check
Windows provides two quick checks to confirm the setup took effect: the System Information screen shows the Secure Boot state, and Disk Management shows the disk's partition style. Each takes less than ten seconds. MSI’s official documentation for AM4 motherboards recommends using both tools to confirm the configuration took effect.
Press Windows + R, type msinfo32, and hit Enter. In the System Summary, find Secure Boot State. If it reads On, the feature is working. If it reads Off or Unsupported, a step was missed.
To confirm your disk is GPT, right-click the Start button and select Disk Management. Right-click the Disk 0 label on the left side (not the volume), choose Properties, go to the Volumes tab, and check the Partition style line. It should say GUID Partition Table (GPT).
Why Can’t I Enable Secure Boot On My MSI Motherboard?
Most Secure Boot failures on MSI boards come down to one of four issues: CSM is still active, the disk is MBR, the Platform Key was never installed, or the TPM module is disabled. The table below covers each scenario and the fix that resolves it.
| Problem | Most Likely Cause | Quick Fix |
|---|---|---|
| Secure Boot option is grayed out or missing | CSM/Legacy mode still enabled | Switch to UEFI under Windows OS Configuration, save, and reboot |
| “Repeat operation after enrolling Platform Key (PK)” | Factory keys haven’t been installed | Go to Key Management and enroll default factory keys |
| Windows won’t boot after enabling Secure Boot | System disk is MBR instead of GPT | Run mbr2gpt /convert /allowFullOS from an admin command prompt |
| Secure Boot State shows “Off” in Windows | Hardware not ready or keys missing | Check that TPM is on and key enrollment completed |
| TPM option isn’t visible in the BIOS | Security Device Support is disabled | Enable it under Settings → Security → Trusted Computing |
| Changes don’t save when you exit | F10 not pressed or CMOS battery issue | Use Save Changes and Reboot explicitly, then check the CMOS battery |
| “Secure Boot Unsupported” in msinfo32 | Board still booting in CSM mode | Confirm no CSM/Legacy options are active and reboot |
Final Checklist — What To Have Ready Before You Start
Run through this list once before opening the BIOS so you don’t hit a wall mid-process and have to start over.
- Check your BIOS mode. Open msinfo32 and look at BIOS Mode. If it says UEFI, you’re good. If it says Legacy, conversion is needed first.
- Convert the disk to GPT if required. From an admin command prompt, run mbr2gpt /validate /allowFullOS first, then mbr2gpt /convert /allowFullOS. Back up your data before converting.
- Enable TPM 2.0. Under Settings → Security → Trusted Computing, turn on Security Device Support and set TPM Device Selection to fTPM 2.0.
- Follow the step order exactly. Disable CSM → reboot → enable Secure Boot → install factory keys → save and exit.
- Verify with msinfo32. Secure Boot State should read On after the final restart.
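A read-only preflight for the checklist above, as an added example that is not from MSI or the original guide: run from an elevated PowerShell session, it reads the four states the guide depends on and prints the guide's fix next to any check that fails. The function names New-Check and Test-SecureBootReadiness and the output columns are this example's own, and it assumes the standard Windows cmdlets Get-ComputerInfo, Get-Disk, Get-Tpm and Confirm-SecureBootUEFI are available.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only preflight for the checklist. It changes no settings.

function New-Check($Name, $Pass, $Detail, $Fix) {
    # Show the guide's fix only when the check fails.
    [pscustomobject]@{
        Check  = $Name
        Pass   = [bool]$Pass
        Detail = "$Detail"
        Fix    = if ($Pass) { '' } else { $Fix }
    }
}

function Test-SecureBootReadiness {
    # 1. Firmware mode Windows booted in (msinfo32 shows this as BIOS Mode).
    $fw = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    New-Check 'UEFI boot mode' ("$fw" -eq 'Uefi') $fw `
        'Set UEFI / disable CSM under Settings > Advanced > Windows OS Configuration, save, reboot'

    # 2. Partition style of the disk holding the running Windows install.
    $disk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    New-Check 'Windows disk is GPT' ($disk.PartitionStyle -eq 'GPT') `
        "Disk $($disk.Number): $($disk.PartitionStyle)" `
        'Back up, then: mbr2gpt /validate /allowFullOS and mbr2gpt /convert /allowFullOS'

    # 3. TPM visible to Windows and ready for use.
    $tpm = Get-Tpm
    New-Check 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) `
        "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)" `
        'Enable Security Device Support under Settings > Security > Trusted Computing'

    # 4. Secure Boot state. The cmdlet raises an error when Windows was not
    #    booted in UEFI mode, so a failure here is reported rather than thrown.
    try {
        $on = Confirm-SecureBootUEFI -ErrorAction Stop
        $detail = if ($on) { 'On' } else { 'Off' }
    } catch {
        $on = $false
        $detail = "Unsupported or unreadable: $($_.Exception.Message)"
    }
    New-Check 'Secure Boot state' $on $detail `
        'Enable Secure Boot, then enroll factory default keys if the PK prompt appears'
}

Test-SecureBootReadiness | Format-Table -AutoSize -Wrap
```

Run it once before entering the BIOS and again after the final restart; all four rows should show Pass as True at the end.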
References & Sources
- MSI. “How to Enable Secure Boot and TPM 2.0 on MSI AM4 Motherboards.” Official MSI blog post confirming the BIOS sequence, disk conversion, and verification steps.
