Secure boot is a security feature on your PC that checks the digital signature of each driver, operating system (OS), and even boot software like EFI applications. Only if they are valid can you boot into your OS.
This prevents threats that load during the boot process from harming your system. Secure boot is also essential if you want to install Windows 11 on your PC.
You need to navigate the BIOS to enable or disable secure boot. However, the process to do so differs significantly depending on your motherboard. So, we have created this article to help you set this feature on an ASUS motherboard system.
How to Disable Secure Boot
Secure boot is a great feature to protect your system from threats. However, if you are dual booting a non-Microsoft operating system, such as Linux, it won’t support all Microsoft security keys. For this reason, you won’t be able to boot the other OS properly.
So, you may want to disable the Secure Boot feature in such a scenario. Here are the necessary steps to do so:
- Restart or Power up your PC.
- During startup, immediately press the F2 or Del key (whichever is your BIOS key) to enter the BIOS. You may need to press it multiple times to get the timing right.
- On UEFI mode, press F7 to enter Advanced Mode. You don’t need this step for Legacy mode.
- Go to Security > Secure Boot. Select Secure Boot Control and set it to Disabled.
- If the option doesn’t exist, go to Boot > Secure Boot. Pick OS Type and set it to Other OS.
- Press F10 and select Yes to save and exit.
You can also disable Secure Boot by deleting the platform key. However, this removes the key altogether and prevents you from enabling the feature next time, so you need to back up the keys first if you use this method. Here’s what you need to do:
- Insert a working FAT32 USB flash drive into your PC and get to the Secure Boot configuration.
- Go to Key Management and select Save Secure Boot Keys > OK > OK.
- Then, select the PK Management option and then Delete Key > OK.
- Press F10 and pick Yes to save the changes and exit the BIOS.
How to Enable Secure Boot
You can enable secure boot in a similar manner to disabling it. And you can only do so from your BIOS. In this section, we have also included how you can convert your partition style to GPT and change BIOS mode to UEFI.
You don’t really need these processes if you simply want to enable secure boot. However, if you want to enable secure boot for installing Windows 11 or upgrading to this software, you definitely need to execute these steps. Also, secure boot works better even in previous Windows versions if you have a GPT partition and a UEFI BIOS mode.
Regardless, if you only need to enable secure boot to protect your system, you can skip them.
Convert Partition to GPT
The GUID Partition Table is the more advanced and efficient partition standard compared to the old Master Boot Record. Most modern systems are made to use the GPT partition, while some still retain support for MBR.
As for older Windows versions, those earlier than Vista require an MBR partition, while Windows 7 and Vista only support GPT on 64-bit systems after you enable a few settings. Later Windows versions up to Windows 10 support both partition styles. However, GPT is a necessity for Windows 11.
First, you need to check if you have a GPT or an MBR partition. To do so,
- On an active Windows session, open Run by pressing Win + R.
- Enter diskmgmt.msc to open Disk Management.
- Right-click on your disk (with the OS or where you want to install Windows 11) and select Properties.
- Go to the Volumes tab and look at Partition style.
If it shows GUID Partition Table (GPT), you can move on to the next step. However, if it shows Master Boot Record (MBR),
- Boot into Advanced Startup options. You can do so by pressing Shift while clicking on the Restart power option.
- On the Advanced Startup options, go to Troubleshoot > Advanced options > Command Prompt.
- Enter the command:
  mbr2gpt /convert
- If you have more than one disk, you need to use the following commands:
  diskpart
  list disk
  (note the disk number for the disk you wish to convert)
  exit
  mbr2gpt /convert /disk:0
  (Here, replace 0 with the above disk number)
Change BIOS Mode to UEFI
Most modern devices enable UEFI mode by default. However, it may be disabled in your case. If you are converting your partition to GPT, you definitely want to set your BIOS mode to UEFI. Here’s how you can do so on an ASUS motherboard:
- Restart or Power up your PC.
- During startup, immediately press the F2 or Del key (whichever is your BIOS key) to enter the BIOS. You may need to press it multiple times to get the timing right.
- If your PC is on UEFI mode (shows a more visual interface), you can go directly to the next step.
- Otherwise, go to Boot > Launch CSM and set it to Disabled.
- If you don’t get the Launch CSM option or it’s grayed out, go to Compatibility Support Module.
- Select Launch CSM and set it to Disabled.
- Press F10 and select Yes to save and exit.
Enable Secure Boot
Finally, here are the steps to enable Secure Boot on the ASUS system. You can usually reverse the steps for disabling this feature. However, there are a few additional things you need to do, which we have explained in detail below:
- Get to your BIOS.
- Press F7 to enter Advanced Mode. If you are on Legacy Mode, continue as it is.
- Go to Security > Secure Boot. Then, select Secure Boot Control and set it to Enabled.
- If the option doesn’t exist, go to Boot > Secure Boot. Pick OS Type and set it to Windows UEFI Mode.
- Go to Key Management.
- Make sure all the keys, signatures, and timestamps are set to Factory or Default. You need to select each and click Update > Yes > OK to do so.
- If you don’t get the Update option, you have two choices:
  - If you want to restore the keys you deleted earlier:
    - Select Cancel for the Set New Key.
    - Insert the USB drive where you backed up the keys and restart the PC.
    - Go through the steps above to get to Key Management.
    - Then select PK Management and then Set New Key > OK.
    - For the Load the default PK page, choose No.
    - On the Select a File System page, select the USB drive you inserted and click OK.
    - Choose PK > OK > Authenticated Variable > OK > Yes > OK.
  - If you can’t restore the keys or want to set the default keys, select OK for the Set New Key.
- Press F10 and select Yes to save and exit.
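
To confirm the result from Windows, the following read-only PowerShell check reports the three things this guide configures (BIOS mode, partition style, and Secure Boot state) plus whether a platform key is enrolled. It is an added example, not part of the original article; the function name Get-SecureBootReadiness is hypothetical, and it assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example: read-only check of the settings this guide changes.
# Get-SecureBootReadiness is a hypothetical helper name. Run elevated.
function Get-SecureBootReadiness {
    $result = [ordered]@{}

    # 1. BIOS mode: "Uefi" is required; "Bios" means Legacy/CSM boot.
    $result.FirmwareType = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # 2. Partition style (GPT or MBR) of the disk Windows boots from.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $result.BootDiskNumber = $bootDisk.Number
    $result.PartitionStyle = $bootDisk.PartitionStyle

    # 3. Secure Boot state. The cmdlet throws on Legacy BIOS systems and in
    #    non-elevated sessions, so record the error instead of stopping.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $result.SecureBootEnabled = "Unknown: $($_.Exception.Message)"
    }

    # 4. Setup Mode. Per the UEFI specification, a value of 1 means no
    #    platform key (PK) is enrolled, e.g. after PK Management > Delete Key.
    try {
        $setup = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
        $result.SetupMode = ($setup.Bytes[0] -eq 1)
    } catch {
        $result.SetupMode = "Unknown: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

$state = Get-SecureBootReadiness
$state | Format-List

# Point back to the section of the guide that fixes each failed check.
if ("$($state.FirmwareType)" -ne 'Uefi') {
    Write-Warning 'Legacy/CSM boot detected: set Launch CSM to Disabled.'
}
if ($state.PartitionStyle -ne 'GPT') {
    Write-Warning "Disk $($state.BootDiskNumber) is not GPT: convert it with mbr2gpt."
}
if ($state.SetupMode -eq $true) {
    Write-Warning 'No platform key enrolled: restore your backup or load the default keys.'
}
if ($state.SecureBootEnabled -ne $true) {
    Write-Warning 'Secure Boot is not enabled.'
}
```

No warnings in the output means the machine boots in UEFI mode from a GPT disk with Secure Boot enforced and a platform key in place.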