Enable Secure Boot on Gigabyte Z390 Aorus (for Win11)

The introduction of Windows 11 brought along several hardware requirements that had previously been optional or overlooked, one of which is Secure Boot. If you’re running a system based on a Gigabyte Z390 Aorus motherboard, enabling Secure Boot is essential not only for installing or upgrading to Windows 11 officially but also for enhancing the overall integrity and security of your operating system. Whether you’re building a new system or updating an existing machine, ensuring Secure Boot is activated can protect against low-level malware, rootkits, and unauthorized bootloaders.

TLDR:

If you want to install or upgrade to Windows 11 on a Gigabyte Z390 Aorus motherboard, you need to enable Secure Boot in BIOS. Secure Boot ensures that only trusted bootloaders and software can start your computer, improving system stability and security. It’s a straightforward process if you follow each step precisely. This guide offers a thorough walkthrough for enabling Secure Boot on your Z390-based system.

Understanding Secure Boot

Secure Boot is part of the UEFI (Unified Extensible Firmware Interface) specification, designed to ensure that a computer boots using only software that is trusted by the Original Equipment Manufacturer (OEM). During the boot process, Secure Boot checks each piece of boot software against a database of approved software signatures. If the signatures match, the system boots normally. If not, the system halts to prevent execution of potentially malicious code.

Microsoft requires Secure Boot to be enabled for Windows 11 as part of its drive to enforce trusted platform modules (TPMs), UEFI firmware, and other modern security standards.

Requirements Before You Begin

  • Gigabyte Z390 Aorus motherboard installed and functioning
  • UEFI firmware must be enabled (legacy BIOS mode must be off)
  • TPM 2.0 module enabled or firmware-based TPM (fTPM) activated
  • Windows 10 or an earlier version already installed, or bootable Windows 11 installation media prepared

If your system is already running with a traditional MBR (Master Boot Record) partition scheme, you’ll need to convert it to GPT (GUID Partition Table) before enabling Secure Boot.

Step-by-Step Guide to Enable Secure Boot

1. Enter BIOS Setup

To access the BIOS on your Gigabyte Z390 Aorus motherboard:

  1. Restart your computer.
  2. As soon as the system begins to boot up, press the Delete key repeatedly until the BIOS screen appears.

You are now inside the UEFI setup utility.

2. Switch to UEFI Mode

Secure Boot is not compatible with Legacy BIOS mode. To ensure UEFI mode is enabled:

  1. In the BIOS, navigate to the ‘BIOS’ tab.
  2. Find the setting for CSM (Compatibility Support Module) and disable it.
  3. Disabling CSM will automatically switch the system to UEFI-only mode.

Important: Disabling CSM can prevent your system from booting if your drive is still using MBR. You may need to convert your drive to GPT first.

3. Enable TPM 2.0 (If Required)

The Z390 Aorus motherboards support firmware-based TPM through Intel’s Platform Trust Technology (PTT):

  1. Go to the ‘Peripherals’ tab.
  2. Select Intel Platform Trust Technology (PTT) and set it to Enabled.

This step is crucial since Secure Boot depends on a functional TPM.

4. Enable Secure Boot

  1. After ensuring CSM is disabled, go to the ‘Boot’ tab.
  2. Locate the Secure Boot option and select Enabled.

When you first enable Secure Boot, it may show that the system is in ‘Setup Mode’. You may need to install the Secure Boot keys or enable default keys. Here’s how:

  • Go to Secure Boot Mode and set it to Standard.
  • You’ll be prompted to install default Secure Boot keys — confirm this action.

After installing the Secure Boot keys, the system status should change to ‘Enabled’.

5. Save and Exit BIOS

Press F10 to save changes and exit the BIOS setup utility. Your system will restart.

Once back in Windows (or the Windows installation environment), Secure Boot should now be activated. You can confirm this using the MSInfo32 system tool.

How to Verify Secure Boot Status in Windows:

  1. Press Windows + R to bring up the Run dialog box.
  2. Type msinfo32 and press Enter.
  3. In the System Information window, look for “Secure Boot State”.

If you see “On”, Secure Boot is successfully enabled.

Converting MBR to GPT (If Necessary)

If your system used CSM previously and boots in legacy mode, your drive is likely partitioned with MBR. Secure Boot and UEFI require GPT. Here’s how to convert it:

  • Back up your data to avoid loss.
  • Open Command Prompt as Administrator and type mbr2gpt /convert /allowfullos.
  • Wait for the process to complete. Then reboot into BIOS and disable CSM as above.

This tool (mbr2gpt) is built into Windows 10 and 11 and makes conversion easy without reinstalling the operating system.
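
The checks from the verification and conversion sections can be run together from an elevated PowerShell prompt on Windows 10 or 11. The script below is an added example, not part of the original guide; it only reads state and runs mbr2gpt in validate-only mode, and the variable names and report layout are choices made for this illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only readiness check for the steps in this guide.
# Nothing here changes firmware settings or the disk layout.

$report = [ordered]@{}

# 1. Firmware mode: Secure Boot needs a UEFI boot (CSM disabled), not legacy BIOS.
$report['FirmwareType'] = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

# 2. Partition style of the system disk: must be GPT before CSM is disabled.
$sysDisk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
$report['SystemDiskNumber'] = $sysDisk.Number
$report['PartitionStyle']   = $sysDisk.PartitionStyle

# 3. TPM: Intel PTT appears as a TPM device once enabled in the Peripherals tab.
$tpm = Get-Tpm
$report['TpmPresent'] = $tpm.TpmPresent
$report['TpmReady']   = $tpm.TpmReady
$report['TpmSpecVersion'] = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

# 4. Secure Boot state, plus Setup Mode (set while no Secure Boot keys are installed).
#    Both cmdlets fail on a legacy/CSM boot, so report the error instead of stopping.
try {
    $report['SecureBootOn'] = Confirm-SecureBootUEFI
    $setupVar = Get-SecureBootUEFI -Name SetupMode
    $report['SetupMode'] = ($setupVar.Bytes[0] -eq 1)
} catch {
    $report['SecureBootOn'] = "Unavailable: $($_.Exception.Message)"
}

[pscustomobject]$report | Format-List

# 5. If the system disk is still MBR, do a dry run of the conversion.
#    /validate checks whether the disk can be converted without modifying it.
if ($sysDisk.PartitionStyle -eq 'MBR') {
    mbr2gpt.exe /validate /disk:$($sysDisk.Number) /allowFullOS
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'mbr2gpt validation failed; resolve this before running /convert or disabling CSM.'
    }
}
```

A system that is ready reports FirmwareType as Uefi, PartitionStyle as GPT, TpmPresent and TpmReady as True, SecureBootOn as True, and SetupMode as False.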

Troubleshooting Tips

  • Problem: System does not boot after disabling CSM.
    Fix: Make sure the boot drive is using GPT. If not, follow the conversion steps above.
  • Problem: Secure Boot remains in Setup Mode.
    Fix: Install standard Secure Boot keys in BIOS by switching mode from ‘Custom’ to ‘Standard’.
  • Problem: TPM is not recognized.
    Fix: Double-check that Intel PTT is enabled in BIOS and that no discrete TPM module is interfering.

Important Notes Regarding Windows 11 Installation

When installing or upgrading to Windows 11, Microsoft checks for Secure Boot and TPM 2.0. If either of these is missing, the installer may block the process or issue warnings. By following the procedures above, your Z390 Aorus system will meet these requirements without needing new hardware.

Also, once Secure Boot is enabled, be cautious when modifying bootloaders or installing unsigned drivers at boot level. Secure Boot may block these changes, which may interfere with advanced tweaks or dual-boot setups using unsigned Linux bootloaders.

Conclusion

Enabling Secure Boot on your Gigabyte Z390 Aorus motherboard is a critical step in preparing your system for Windows 11 and securing the early stages of your system’s startup process. By following the step-by-step instructions provided, you ensure compliance with Windows 11 requirements while strengthening your system’s defense against low-level attacks. Always make backups before making BIOS-level changes, and ensure your system drive uses the proper format to avoid boot errors.

If you encounter any issues, the Gigabyte support site and community forums provide additional guidance tailored to your specific motherboard variant. With Secure Boot enabled, your system is not just ready for Windows 11—it’s also safer and more secure.