Setting up Secure Boot on Gigabyte Z390 UD Motherboard

Well, if it's not one thing it's another with computers, but I'm having trouble enabling Secure Boot on my PC in preparation for Windows 11.

 

System:

I5 8400

16GB Ram

GTX 1070

Gigabyte Z390 UD motherboard

 

I have already switched the BIOS to UEFI using the mbr2gpt command, but when I go to enable Secure Boot it gives me a notice that CSM is running even though I disabled it.

 

Any suggestions?  

 


I follow that list, maybe you'll find what you need,

1 - Make sure you unplug all SATA and USB drives, the M.2 drive has to be the only drive installed.
2 - Go into the bios, under the boot tab there is an option for CSM, make sure it is disabled.
3 - Click on secure boot option below and make sure it is set to other OS, Not windows UEFI.
4 - Click on key management and clear secure boot keys.
5 - Insert a USB memory stick with a UEFI bootable ISO of Windows 10 on it.
6 - Press F10 to save, exit and reboot.
7 - Windows will now start installing to your NVME drive as it has its own NVME driver built in.
8 - When the PC reboots hit F2 to go back into the BIOS, you will see under boot priority that Windows boot manager now lists your NVME drive.
9 - Click on secure boot again but now set it to Windows UEFI mode.
10 - Click on key management and install default secure boot keys
11 - Press F10 to save and exit and windows will finish the install.

I'm willing to swim against the current.


You need to turn the TPM on. 

 

Lemme find the manual.

https://download.gigabyte.com/FileList/Manual/mb_manual_z390-d_e.pdf

 

The manual says it's under Trusted Computing, under the peripherals menu. You may need to update the BIOS to the current version and have an 8th gen CPU for it to show up.

 

If the TPM is not enabled, secure boot can not be turned on.

If the Legacy CSM is turned on, secure boot can not be turned on.


2 minutes ago, Kisai said:

If the TPM is not enabled, secure boot can not be turned on.

 

I don't understand. I can't install W11 because I can't enable TPM but I have Secure Boot enabled


17 minutes ago, leclod said:

I don't understand. I can't install W11 because I can't enable TPM but I have Secure Boot enabled

No, you can't install Windows 11, because you do not have the TPM enabled for Secure Boot to be enabled.

 

Secure boot only ensures that the boot chain is secure, so if the BIOS doesn't have the keys for the OS, it won't load the OS.

 

The TPM is a requirement, but 8th gen Intel CPUs and later should have a built-in "fTPM".

 


https://www.gigabyte.com/Press/News/1925

 

As I mentioned, the latest BIOS is probably required.


27 minutes ago, Kisai said:

No, you can't install Windows 11, because you do not have the TPM enabled for Secure Boot to be enabled.

 

Bottom right, Secure Boot enabled


2 hours ago, leclod said:

Bottom right, Secure Boot enabled


You're running Windows 10 Home.

 


Windows 10 Home does NOT require TPM to be enabled for secure boot, as it doesn't include BitLocker, and basically has no reason to use the TPM, though MS Outlook certainly will use it. Note it will say the TPM is not present, even if it is, but isn't enabled in the BIOS.

 

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq

 

Windows 11 requires a TPM 2.0. Presumably to enable Measured Boot and Windows Hello for Business by default.


 

Secure Boot and TPM can be turned off independently for Windows 10 post-installation. Secure Boot only verifies the OS is allowed to boot. However once the TPM is invoked, things change.

 

https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations#why-tpm-20

 


 

Measured boot is the system requiring TPM.

https://docs.microsoft.com/en-us/azure/security/fundamentals/measured-boot-host-attestation

 

Windows Hello also requires it. BitLocker with modern standby requires TPM 2.0.

 

At any rate, to answer the original poster's question again. They said Windows 11. That needs the TPM turned on. Presumably they are a Windows Insider and would know this. Windows has to boot in UEFI mode with CSM's disabled to have Secure Boot enabled.

 

Turning the CSM off may have consequences for USB devices such as keyboards, mice and bootable USB/SATA drives. So it should only be turned off if the OS boots without it. If the OS will not boot/install with CSM turned off, then you will be stuck until you can reinstall Windows.

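A way to check, from an elevated PowerShell prompt on the installed system, which of the items discussed above (UEFI boot with CSM off, GPT boot disk, Secure Boot, TPM 2.0) is actually in place. This is an added example, not part of any post in the thread; the function names `Get-BootSecurityState` and `Get-Windows11BootBlockers` are made up for it, and the cmdlets it calls are the standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example: reports each boot prerequisite from this thread as a separate value.

function Get-BootSecurityState {
    # 'Uefi' means native UEFI boot; 'Bios' means Windows was started through legacy/CSM.
    $firmware = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # After mbr2gpt the boot disk should report GPT rather than MBR.
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws on legacy boot.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    # TpmPresent is False when Windows sees no TPM (absent, or disabled in firmware).
    $tpm = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $tpmVersion = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { $null }

    [pscustomobject]@{
        FirmwareType   = $firmware
        PartitionStyle = [string]$bootDisk.PartitionStyle
        SecureBootOn   = $secureBoot
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmVersion     = $tpmVersion
    }
}

function Get-Windows11BootBlockers {
    param([Parameter(Mandatory)] $State)
    $blockers = @()
    if ($State.FirmwareType -ne 'Uefi')  { $blockers += 'Booted in legacy/CSM mode: CSM is still active for this boot.' }
    if ($State.PartitionStyle -ne 'GPT') { $blockers += 'Boot disk is not GPT: the mbr2gpt conversion did not apply to it.' }
    if ($State.SecureBootOn -ne $true)   { $blockers += 'Secure Boot is off or unavailable.' }
    if (-not $State.TpmPresent) {
        $blockers += 'No TPM visible to Windows: enable it in the BIOS (Peripherals > Trusted Computing per the manual linked above).'
    }
    elseif ($State.TpmVersion -ne '2.0') {
        $blockers += "TPM version is '$($State.TpmVersion)', not 2.0."
    }
    $blockers
}

$state = Get-BootSecurityState
$state | Format-List
Get-Windows11BootBlockers -State $state
```

An empty result from the last command means none of the four checks failed on that machine.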

I have Secure Boot while I could also have TPM (with slightly different hardware) which made me think they were 2 separate instances.

I'd like to be able to argue with you but I'm not, so I give up.

This tech stuff in English is too dry and mighty for me to delve in.

 
