Enabling UEFI Secure Boot on a Gigabyte motherboard requires disabling CSM Support, turning on Secure Boot in the BIOS, and restoring the factory keys before the setting becomes active.
Most Gigabyte boards ship with Secure Boot off and the BIOS option hidden behind a single compatibility toggle. Disabling CSM Support is the first step in how to enable UEFI Secure Boot on Gigabyte motherboards, followed by enabling Secure Boot itself and loading the factory keys so it registers as active. Without that last step, the system shows Secure Boot as enabled but never actually enforces it.
What You Need Before Enabling Secure Boot
Secure Boot requires specific firmware and disk conditions. The table below lists every prerequisite. If any one is missing, the setting either stays hidden or fails to engage.
| Prerequisite | What To Check | Where To Confirm |
|---|---|---|
| UEFI Mode Active | BIOS must be in UEFI mode, not Legacy/CSM | BIOS → Advanced Mode → Boot → Boot Mode Select |
| GPT Disk Layout | Drive must use GPT, not MBR | Windows → Disk Management → right-click disk → Properties → Volumes tab |
| CSM Support Disabled | Compatibility Support Module must be turned off | BIOS → Advanced Mode → Boot → CSM Support → Disabled |
| TPM 2.0 Enabled | fTPM for AMD or PTT for Intel must be on | BIOS → Settings → AMD CPU fTPM (AMD) or Trusted Computing (Intel) |
| Factory Keys Installed | Default Secure Boot keys must be loaded | BIOS → Secure Boot menu → Restore Factory Keys |
| Supported OS | Windows 10/11 or any UEFI-aware OS | System Information → OS Architecture |
| Latest BIOS Version | Recent firmware avoids bugs with Secure Boot | BIOS → System Information → BIOS Version |
Enabling Secure Boot On Gigabyte Boards: The Step Order That Works
Gigabyte motherboards use a consistent BIOS layout across most modern models. The steps below follow the official sequence from Gigabyte’s own support documentation.
Step 1: Enter The BIOS And Switch To Advanced Mode
Restart the PC and press Delete repeatedly during boot. If the system lands on Gigabyte’s Easy Mode screen, press F2 to switch to Advanced Mode where all settings are visible.
Step 2: Disable CSM Support
Navigate to Advanced Mode > Boot > CSM Support and set it to Disabled. This step is mandatory — Secure Boot does not appear in the BIOS menu while CSM is enabled. On some boards the whole Secure Boot section stays hidden until CSM is turned off.
Step 3: Turn On Secure Boot
Still under the Boot tab, locate Secure Boot and set it to Enabled. If the option is grayed out, go back and confirm CSM Support is disabled.
Step 4: Restore Factory Keys
Set Secure Boot Mode to Custom, then open Key Management or Expert Key Management and select Restore Factory Keys. Confirm the prompt and wait for the system to load the default certificates. After this step, change Secure Boot Mode back to Standard if the option appears.
Step 5: Save, Exit, And Re-enter The BIOS
Press F10 to save and exit. After the reboot, press Delete again to re-enter the BIOS and verify the field below Secure Boot shows Active. If it still reads Not Active, repeat the key-restore step and reboot once more.
Why Does Secure Boot Show As Not Active?
This is the single most common frustration. The BIOS says Secure Boot is enabled, but the status line underneath reads Not Active. The cause is almost always missing factory keys. Enabling Secure Boot flips the toggle, but without the default certificate database loaded, the system never enters “User Mode” — it stays in “Setup Mode” where Secure Boot has no keys to enforce. Restoring factory keys is what pushes it over the edge into active enforcement.
On AMD systems, you must also confirm AMD CPU fTPM is enabled under Settings > AMD CPU fTPM before disabling CSM. Intel boards need Trusted Computing > Security Device Support set to Enabled. Without TPM active, the key-restore process may not complete correctly.
How Do You Verify Secure Boot Is On?
There are two reliable ways to confirm, one inside the firmware and one inside Windows.
- In the BIOS: Re-enter the BIOS and look under the Boot or Security tab. The line below Secure Boot must read Active — not just Enabled.
- In Windows: Press Win + R, type msinfo32, and press Enter. Find the line labeled Secure Boot State. It should read On. If it reads Off, the BIOS changes did not take effect or the system booted in CSM mode.
If Windows still shows Secure Boot off after the BIOS reports it active, the disk may be using an MBR partition table. Convert it to GPT using the mbr2gpt tool in Windows before attempting the BIOS again.
Troubleshooting Common Secure Boot Problems
Even with the correct steps, certain mistakes block Secure Boot from working the first time. The table below covers the most frequent issues and how to resolve each one.
| Problem | Likely Cause | Fix |
|---|---|---|
| Secure Boot option missing from BIOS | CSM Support is still enabled | Disable CSM Support under Boot, then save and re-enter BIOS |
| Secure Boot enabled but not active | Factory keys not loaded | Restore Factory Keys in Key Management, then reboot |
| PC won’t boot after saving changes | Disk is MBR or OS doesn’t support UEFI | Reset BIOS to defaults via Load UEFI Defaults, convert disk to GPT |
| Windows still shows Secure Boot off | Booted in CSM or legacy mode | Confirm CSM is disabled and Windows install is on a GPT disk |
| Keys option is grayed out | Secure Boot Mode set to Standard instead of Custom | Change Secure Boot Mode to Custom to unlock Key Management |
| AMD fTPM not visible | Older BIOS version on AMD board | Update BIOS to latest version from Gigabyte’s support page |
One additional tip: changing multiple security settings at once can leave the board in an inconsistent state. If you run into trouble, reset the BIOS to factory defaults using Load UEFI Defaults, apply the changes one at a time, and reboot between each major toggle.
Gigabyte’s official support page covers the complete Secure Boot setup and key-recovery process in detail. Gigabyte’s Secure Boot FAQ 4395 walks through the exact BIOS paths for both AMD and Intel boards.
Three BIOS Changes That Activate Secure Boot
- Disable CSM Support — this reveals the Secure Boot menu and forces UEFI-only booting.
- Enable Secure Boot — flips the feature on, but alone it leaves the system in Setup Mode.
- Restore Factory Keys — loads the certificate database that moves Secure Boot from Setup Mode to User Mode and changes the status from Not Active to Active.
Run msinfo32 in Windows after the final reboot. A Secure Boot State of “On” confirms the process finished correctly. If the value is “Off,” the boot drive likely still uses MBR or the system booted with a CSM fallback.
References & Sources
- Gigabyte. “How to enable Secure Boot on a Gigabyte Motherboard.” Official consumer FAQ covering the complete BIOS procedure, CSM disable requirement, and factory key restoration for AMD and Intel boards.
