Secure Boot is a UEFI firmware feature that helps protect your PC from malicious boot software, rootkits, and other low-level threats. It works by allowing only trusted, signed code to run during startup.

If you’re upgrading to Windows 11 or simply want a stronger security posture, enabling Secure Boot is essential. This guide will walk you through the exact steps for ASUS, MSI, Gigabyte, Dell, and HP systems, plus troubleshooting tips when the option is missing or greyed out.

Why Secure Boot matters

Secure Boot is a UEFI firmware feature that prevents unsigned or untrusted boot software (bootloaders, UEFI drivers, some rootkits) from loading during the start process. It’s a fundamental pre-boot protection used by modern OSes and is part of Microsoft’s recommended platform protections.

Note: Windows 11 expects UEFI firmware that is Secure Boot capable (the device must be UEFI/Secure-Boot capable). In practice, many upgrades and installs require switching from Legacy/CSM to UEFI and enabling Secure Boot. Check the official Windows 11 requirements for details.

Before you begin — checklist (do these first)

  1. Make a full backup of important files and create a Windows recovery drive (USB) or a full disk image. Changing firmware/boot mode can leave the system unable to boot.
  2. Check current boot/secure-boot status in Windows: press Win+R → type msinfo32 → look at BIOS Mode and Secure Boot State (UEFI / On vs Legacy / Off). (Dell)
    • Or run PowerShell (Admin): Confirm-SecureBootUEFI which returns $True if Secure Boot is enabled.
  3. If BIOS Mode = Legacy and/or disk is MBR, you will need to convert the system disk to GPT to switch to UEFI (see next section). Microsoft’s MBR2GPT is the supported, non-destructive tool for Windows 10/11 when conditions are met — read the official doc and run the validation step before converting.
  4. Update firmware (BIOS/UEFI) to the latest stable release from your vendor before changing settings (bugs get fixed that affect Secure Boot).
  5. Have the exact motherboard/laptop model to hand and the vendor support pages (links at the end of the article).

Universal step-by-step workflow (quick version)

This sequence works for most systems — detailed vendor steps below.

  1. Backup & recovery — do it now.
  2. Check msinfo32 or PowerShell to confirm the current state. (Dell, Microsoft)
  3. If needed, convert MBR → GPT (only if your system uses Legacy/MBR and you need UEFI): use Microsoft’s mbr2gpt to validate, then convert. Example (Admin cmd):
       mbr2gpt /validate /disk:0 /allowFullOS
       mbr2gpt /convert /disk:0 /allowFullOS
     Read Microsoft’s guidance — there are validation requirements (free partitions, partition count, etc.).
  4. Enter UEFI/BIOS (common keys: Del, F2, F10, Esc — vendor specifics below).
  5. Switch Boot Mode from Legacy/CSM to UEFI, or set Boot List Option to UEFI first (if present). Many systems hide Secure Boot while CSM/Legacy is enabled. (Dell, GIGABYTE Download)
  6. Find Secure Boot (usually under Boot or Security). Change OS Type to Windows UEFI or change Secure Boot Control to Enabled. If prompted to enroll or restore default/factory keys, choose Install/Restore Factory Keys (PK/KEK/db). This moves the platform from Setup → User mode and activates Secure Boot. Vendor pages give exact labels — see below. (ASUS Global, GIGABYTE Download)
  7. Save & Exit and boot into Windows. Confirm msinfo32 shows BIOS Mode: UEFI and Secure Boot State: On (or use the PowerShell cmdlet again).

If the Secure Boot option is missing or greyed out — common causes & fixes

  • CSM/Legacy mode is enabled — disable CSM or set boot mode to UEFI. (Many vendor manuals state Secure Boot is configurable only when CSM is Disabled.) (GIGABYTE Download)
  • Disk is MBR / OS installed in Legacy mode — convert to GPT (see MBR2GPT above). (Microsoft)
  • Platform / Setup Mode (no Platform Key enrolled) — you must Install/Restore factory keys (PK/KEK/db). The BIOS option often reads Restore Factory Keys, Install Default Secure Boot Keys or Provision Factory Default Keys. That enrollment moves the platform to User Mode and allows enabling Secure Boot. (MSI Download, GIGABYTE Download)
  • Option locked by supervisor password rules — some firmware requires you set a supervisor/admin password before you can change secure-boot or key settings. If that is the case, follow the vendor guide to set and later clear it if desired. (GIGABYTE Download, Microsoft)
  • Outdated firmware — update BIOS/UEFI from the vendor site and retry.
  • If everything fails: load factory defaults, restore factory keys, or contact vendor support.
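
The causes above can be narrowed down from inside Windows before rebooting into firmware setup. The following read-only script is an added example, not taken from Microsoft's or any vendor's documentation; the function name Get-SecureBootReadiness and its output fields are hypothetical, and it assumes an elevated Windows PowerShell 5.1 session.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only Secure Boot pre-flight check (changes nothing).

function Get-SecureBootReadiness {
    # Firmware mode as Windows sees it: 'Uefi' or 'Bios' (Legacy/CSM).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Partition style of the system disk: 'GPT' or 'MBR'.
    $disk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1

    $secureBoot = $null   # stays $null when the firmware is not UEFI
    $setupMode  = $null   # $true when no Platform Key (PK) is enrolled
    if ($firmware -eq 'Uefi') {
        try {
            $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
            # SetupMode is a one-byte UEFI variable: 1 = Setup Mode, 0 = User Mode.
            $var = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
            $setupMode = ($var.Bytes[0] -eq 1)
        } catch {
            Write-Warning "Secure Boot query failed: $($_.Exception.Message)"
        }
    }

    # Map the findings to the causes listed above.
    $next = if ($firmware -ne 'Uefi' -and $disk.PartitionStyle -eq 'MBR') {
        'Legacy boot on MBR: run mbr2gpt /validate, then /convert, then switch firmware to UEFI.'
    } elseif ($firmware -ne 'Uefi') {
        'Legacy/CSM boot: disable CSM or set the boot mode to UEFI in firmware setup.'
    } elseif ($setupMode) {
        'Setup Mode: install/restore the factory default keys (PK/KEK/db) in firmware setup.'
    } elseif ($secureBoot) {
        'Secure Boot is on. Nothing to do.'
    } elseif ($secureBoot -eq $false) {
        'UEFI with keys enrolled but Secure Boot off: enable it in firmware setup.'
    } else {
        'State unknown: check msinfo32 and the firmware setup screens.'
    }

    [pscustomobject]@{
        FirmwareType   = "$firmware"
        PartitionStyle = "$($disk.PartitionStyle)"
        SecureBoot     = $secureBoot
        SetupMode      = $setupMode
        NextStep       = $next
    }
}

Get-SecureBootReadiness | Format-List
```

A supervisor-password lock or outdated firmware cannot be detected this way; those still have to be checked in the firmware setup itself.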

Vendor-specific step-by-step

ASUS (desktop & ROG boards)
Typical flow: Press Del (or F2) at POST → press F7 (Advanced Mode) → Boot or Security → Secure Boot → set Secure Boot Control = Enabled (or set OS Type to Windows UEFI Mode). If you see an enrollment prompt, pick Install/Remove Secure Boot Keys → Install Default Secure Boot Keys (Restore/Provision factory keys) → Save & Exit. ASUS’s support pages show exactly these screens and notes.

MSI
Enter BIOS with Delete → Advanced view (F7) → Settings → Security or Advanced → Windows OS Configuration → Secure Boot. Set Secure Boot to Enabled and Secure Boot Mode to Standard (not Custom), then choose Restore Factory Keys / Provision keys when prompted. MSI documentation/FAQ details Secure Boot Mode and key restoration. If you get “Platform in Setup Mode” messages, restoring factory keys or provisioning PK will fix it. (MSI, MSI Download)

GIGABYTE / AORUS
During POST press Delete → in UEFI Setup go to BIOS > Secure Boot or Peripherals/Boot > Secure Boot (menu names differ by model). Note: many Gigabyte manuals state Secure Boot is configurable only when CSM Support = Disabled. Set CSM off, set Secure Boot = Enabled, choose Standard mode and Provision Factory Default Keys / Install Default Keys if available. Manuals contain screenshots and exact menu paths per chipset.

Dell (laptops & desktops)
During POST press F2 → navigate to Boot Configuration → set Boot List Option to UEFI (not Legacy) → find Secure Boot and set to Enabled → Apply / Save & Exit. Dell KB also shows how to check the state in Windows (msinfo32) and notes that some models require setting UEFI first. (Dell)

HP (laptops & workstations)
Power on → press Esc repeatedly to open Startup Menu → press F10 for BIOS Setup → go to Security or System Configuration > Boot Options → locate Secure Boot and set to Enabled. If Secure Boot is greyed out, try Load HP Factory Default Keys (Boot Options) then enable Secure Boot. HP support pages explain the factory-keys flow and the Esc/F10 entry sequence. (support.hp.com)

Example: converting and enabling (practical Windows example)

  1. In Windows, run msinfo32. If BIOS Mode = Legacy and Secure Boot State = Off, continue. (Dell)
  2. Open an elevated Command Prompt and validate disk 0:
       mbr2gpt /validate /disk:0 /allowFullOS
     If validation passes, convert:
       mbr2gpt /convert /disk:0 /allowFullOS
     (Follow the Microsoft doc for prerequisites and failure messages.) (Microsoft)
  3. Reboot, enter BIOS/UEFI (Del / F2 / F10 / Esc depending on vendor), set Boot Mode to UEFI, disable CSM if present. Save and exit. (GIGABYTE Download, Dell)
  4. Re-enter BIOS → enable Secure Boot and Install/Restore Default Keys if prompted. Save & Exit.
  5. In Windows, confirm via msinfo32 or Confirm-SecureBootUEFI. (Dell, Microsoft)

Troubleshooting quick hits (what to try if things break)

  • If Windows won’t boot after switching to UEFI: boot from the recovery USB → Advanced options → Command Prompt and check that an EFI boot entry exists; or set the BIOS back to Legacy to revert, then troubleshoot the conversion step.
  • If Secure Boot still shows Off after enabling in BIOS: Restore factory keys / Provision default keys (switching from Setup → User mode). See Microsoft & vendor docs. (Microsoft Q&A, MSI Download)
  • If Secure Boot option requires a password: set a supervisor/admin password in BIOS (temporary), change Secure Boot settings, then clear the password if you wish (follow vendor guidance!). (GIGABYTE Download)
  • If enabling Secure Boot causes a black screen or no boot: revert to the previous BIOS setting, try restoring default keys, or clear CMOS as a last resort. Many users encounter GPU/old Option ROM incompatibilities when Secure Boot is enforced; updating firmware/drivers often fixes it. (MSI Forum)

Notes for Linux / dual-boot users

Linux distributions usually support Secure Boot using a signed shim bootloader (e.g., Ubuntu’s shim-signed). If you plan to enable Secure Boot and run Linux or custom kernel modules, read the distro guidance about shim, MOK (Machine Owner Key) enrollment and signing kernel modules — otherwise Secure Boot may block unsigned modules. Canonical/Ubuntu documentation and the distro’s Secure Boot pages explain how to enroll keys or use MOK. Read these guides: (Ubuntu Wiki, Documentation Ubuntu)

Also be aware: changes to the ecosystem of signing keys (Microsoft CA key rotations) can affect some Linux workflows — keep firmware and distro packages updated. Read this article: (Tom’s Hardware)

Short recap / cheat-sheet

  • Check msinfo32 (BIOS Mode / Secure Boot State).
  • If Legacy/MBR → validate & convert with mbr2gpt.
  • Enter UEFI (Del / F2 / F10 / Esc depending on vendor).
  • Disable CSM, set Boot Mode to UEFI, enable Secure Boot, Install/Restore factory keys. (Vendor menu labels vary.)
  • Confirm with msinfo32 or Confirm-SecureBootUEFI.

Final Thoughts

Enabling Secure Boot is a one-time setup that enhances your PC’s security and ensures compatibility with Windows 11. By following the exact vendor steps above, you can activate it safely without risking data loss.

FAQ — Enabling Secure Boot

1. What is Secure Boot?

Secure Boot is a UEFI firmware security feature that ensures your PC only boots trusted software signed by approved keys. This helps block rootkits, bootkits, and other malicious low-level programs from loading at startup.

2. Why should I enable Secure Boot?

  • Windows 11 requirement — Microsoft lists Secure Boot support as a minimum requirement for Windows 11.
  • Improved security — Blocks unauthorized bootloaders and malicious pre-OS code.
  • Prevents firmware-level attacks — Protects before your antivirus or OS even loads.

3. Can I enable Secure Boot without losing data?

Yes — if your system is already in UEFI mode with a GPT disk, you can enable Secure Boot without reinstalling Windows. If you need to convert from MBR to GPT, use Microsoft’s mbr2gpt tool, which is non-destructive when used correctly. Always back up first.

4. Why is the Secure Boot option missing in my BIOS?

Common reasons:

  • CSM/Legacy mode enabled — Disable CSM to reveal the Secure Boot option.
  • Disk in MBR format — Convert to GPT first.
  • Keys not provisioned — Install or restore factory keys.
  • Firmware restrictions — Some BIOS require setting an admin password before enabling.

5. Will enabling Secure Boot affect Linux dual-boot systems?

Some Linux distributions support Secure Boot via signed bootloaders (shim). You may need to enroll a Machine Owner Key (MOK) for custom kernels or unsigned drivers. Check your distro’s Secure Boot documentation.

6. How do I check if Secure Boot is already enabled?

  • Press Win + R, type msinfo32, and check Secure Boot State.
  • Or run in PowerShell: Confirm-SecureBootUEFI

7. Can I play games like Valorant or Fortnite without Secure Boot?

Some anti-cheat systems (e.g., Vanguard, Easy Anti-Cheat) require Secure Boot to be enabled in addition to TPM 2.0. Without it, the game may not launch.

8. Do I need both TPM and Secure Boot for Windows 11?

Yes — both are part of the Windows 11 security baseline. TPM handles hardware-based encryption and key storage, while Secure Boot ensures trusted booting.

9. How do I restore Secure Boot factory keys?

In BIOS, look for Install Default Keys, Restore Factory Keys, or Provision Factory Keys. This enrolls the Platform Key (PK) and other necessary keys so Secure Boot can function.

10. Will enabling Secure Boot slow down my PC?

No — Secure Boot runs during startup and doesn’t impact performance once the OS loads.

Useful links / vendor docs
