MSI Motherboard Specific Guide
This guide is written specifically for NZXT Gaming PCs using MSI branded motherboards. Screenshots were captured on the MSI MAG Z790 TOMAHAWK MAX WIFI motherboard.
Secure Boot is a vital feature found on many motherboards that is necessary for newer operating systems, software, and features such as Secure Drive Encryption using tools such as BitLocker. On Gaming PCs in particular, Secure Boot commonly needs to be enabled because it is required by the anti-cheat used in various games such as Valorant, EA Sports FC, Battlefield 6, etc. If you attempt to run these games without Secure Boot enabled, the game may refuse to launch or will show an error popup.
Before Starting - Updating your Motherboard UEFI
Before continuing through this guide, it is highly recommended to make sure that your system's UEFI (also known as the BIOS) is up-to-date. For more information on updating your UEFI, please check the guide linked below:
Preparing for Secure Boot
To adjust the Secure Boot settings you will need to reboot your PC into the UEFI. This can be done by rebooting your PC and pressing the Delete key at the MSI splash screen as shown below:
Once in the UEFI, make sure that you are in Advanced Mode by checking the top of the screen:
- If the title shows Advanced (F7), this means that you are in Easy Mode and can switch to Advanced by clicking the title or pressing the F7 key.
- If the title shows EZ Mode (F7), this means that you are already in Advanced Mode.
In order to enable Secure Boot, there are two settings that must be confirmed:
- Compatibility Support Module (CSM) is Disabled.
- Trusted Platform Module (TPM) is Enabled.
Compatibility Support Module
In order to enable Secure Boot and the Trusted Platform Module, the Compatibility Support Module (CSM) must be set to Disabled. When CSM is enabled it will normally block the use of Secure Boot; however, if both settings are enabled, it will prevent the PC from starting properly.
What is Compatibility Support Module (CSM)?
The Compatibility Support Module (CSM) is a setting that allows modern UEFI to support older Legacy operating systems. This setting is generally unused on most gaming PCs, and is only necessary for older operating systems that do not natively support newer UEFI-based systems.
To disable CSM, click Settings and choose Advanced to find the BIOS CSM/UEFI Mode setting. This should be set to UEFI.
If this option was changed from CSM to UEFI, return to the top of Settings and choose Save & Exit followed by Save Changes and Reboot to restart the PC and then re-enter the UEFI.
Trusted Platform Module
For all supported NZXT Gaming PCs, we will use the Firmware TPM built into the motherboard. These settings can be found by selecting Settings followed by Security and then Trusted Computing:
- Security Device Support should be set to Enable
- TPM Device Selection should be set to fTPM 2.0
I don't see TPM Device Selection
Depending on the model of your motherboard, this setting may be under an alternative name. Older MSI motherboards will refer to it under one of the following names depending on the type of CPU used:
To confirm the setting is active, check the top of the settings above Security Device Support to ensure that TPM 2.0 Device Found is visible. With the Trusted Platform Module enabled, we are ready to enable Secure Boot.
Enabling Secure Boot
To enable Secure Boot, click Settings followed by Security and choose Secure Boot.
In the Secure Boot settings, Secure Boot should be set to Enabled. If it is Disabled, adjust the setting and then click Settings followed by Save & Exit and choose Save Changes and Reboot to restart your PC and load into Windows.
If you receive an error stating Repeat operation after enrolling Platform Key(PK), you will need to manually restore the Factory Keys. To do this, change Secure Boot Mode to Custom and select Key Management.
In the Key Management options, the lower section of the settings should show various Secure Boot variables including the Platform Key and other information. For this situation it will likely show 0/0/No Key. Select Enroll all Factory Default keys, then click Yes when prompted to Install factory defaults. If you receive a second prompt that says Reset Without Saving, click Yes and then re-enter the UEFI after the PC reboots.
After re-entering the UEFI, open the Secure Boot settings again and set Secure Boot to Enabled.
To complete the process, click Settings and select Save & Exit and choose Save Changes and Reboot to restart your PC and load into Windows.
Checking Secure Boot in Windows
The best way to check if Secure Boot is properly enabled is either to launch a program with the Secure Boot requirement or to check the System Information app. You can open the System Information app by pressing the Windows Key + R on your keyboard to open the Run box, then type in msinfo32 and press Enter.
In the System Information app, look for Secure Boot State which should appear as On.
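The same settings this guide changes (CSM, TPM, factory keys and Secure Boot) can also be confirmed from an elevated PowerShell window. This is an added example, not part of the original NZXT guide: the function name Get-SecureBootReadiness is hypothetical, while Get-ComputerInfo, Get-Tpm, Get-CimInstance, Get-SecureBootUEFI and Confirm-SecureBootUEFI are standard Windows cmdlets.

```powershell
# Added example (not from the original guide). Run PowerShell as Administrator.
# Get-SecureBootReadiness is a hypothetical helper name chosen for this example.
function Get-SecureBootReadiness {
    $r = [ordered]@{
        FirmwareMode        = 'Unknown'   # 'Uefi' = CSM off, 'Bios' = CSM/Legacy boot
        TpmPresent          = $false
        TpmReady            = $false
        TpmSpecVersion      = $null       # expected '2.0' with fTPM 2.0 selected
        PlatformKeyEnrolled = $false      # false matches the "No Key" state in Key Management
        SecureBootOn        = $false
    }

    # CSM: how Windows was booted tells us whether the firmware is in UEFI mode.
    $r.FirmwareMode = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # TPM: presence, readiness and specification version.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmPresent = $tpm.TpmPresent
        $r.TpmReady   = $tpm.TpmReady
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        if ($wmi) { $r.TpmSpecVersion = ($wmi.SpecVersion -split ',')[0].Trim() }
    } catch { Write-Warning "TPM query failed: $($_.Exception.Message)" }

    # Platform Key: the cmdlet throws if the PK variable is undefined (no keys enrolled).
    try {
        $pk = Get-SecureBootUEFI -Name PK -ErrorAction Stop
        $r.PlatformKeyEnrolled = ($pk.Bytes.Length -gt 0)
    } catch { Write-Warning "Platform Key not readable: $($_.Exception.Message)" }

    # Secure Boot: returns True/False on UEFI systems, throws on Legacy/CSM boots.
    try { $r.SecureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)" }

    [pscustomobject]$r
}

$state = Get-SecureBootReadiness
$state | Format-List

# Map each failed check back to the section of the guide that fixes it.
if ($state.FirmwareMode -ne 'Uefi')    { 'Set BIOS CSM/UEFI Mode to UEFI.' }
if (-not $state.TpmPresent)            { 'Enable Security Device Support / fTPM 2.0.' }
if (-not $state.PlatformKeyEnrolled)   { 'Enroll all Factory Default keys in Key Management.' }
if (-not $state.SecureBootOn)          { 'Set Secure Boot to Enabled, then Save Changes and Reboot.' }
```

If nothing is printed after the property list, all four checks passed and Secure Boot State in System Information should read On.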