Secure Boot is often enabled by default on ASUS motherboards with UEFI BIOS. I wanted to have a dual-boot setup on my new PC, and that is not possible when secure boot is enabled. That meant having to identify the Asus BIOS key for the motherboard, enter the Asus BIOS utility and disable secure boot on my Windows 10 running PC.

This guide is created to reflect the process that I followed to disable secure boot using Asus UEFI BIOS Utility on Asus X99-Deluxe motherboard. You can use this guide to identify the motherboard you have if you are not sure which one it is.

Prerequisite for Windows UEFI Mode: GPT Partition Style

Installing Windows on UEFI-based systems requires that your hard drive partition style has to support UEFI mode or at least be in a legacy BIOS-compatibility mode. You might run into an error as below, which indicates that your PC is booted in UEFI mode, but your hard drive does not support it.

“Windows cannot be installed to this disk. The selected disk is not of the GPT partition style”

error-require-gpt-partition-style

The GPT partition style on your hard drive is required for the UEFI mode. Another advantage of GPT partition style is that you can set up drives of size greater than 4 GB, and have as many partitions on it as you need. The easiest way to apply the GPT partition style to your hard drive is to do it over the command prompt using the installation disk or let a Windows-based tool to handle it for you.

Convert Your Hard Drive to GPT Partition Style Using the Command Prompt

  1. Plug-in the Windows setup disk or USB and boot your PC in UEFI mode.
  2. Once in Windows setup, press shift + F10 to open a command prompt window.
  3. Open the disk partition tool with diskpart.
  4. List and identify the disk to format with list disk.
  5. Select the drive to format and convert to GPT.
    select disk <disk number here>
    clean
    convert gpt
    exit
  6. Close the command prompt and continue.

convert-to-gpt-on-command-prompt

Convert Your Hard Drive to GPT Partition Style Without Losing Your Data

If you want to convert a disk in use to the GPT format, all the data on the disk would be lost if you go with the command prompt approach above. You can avoid this problem by using a Windows Partition Manager from EaseUS.

EaseUS partition master can help you convert the hard drive to GPT. In addition, it can help you create, merge, remove, delete or wipe partitions. It can also help you with data recovery in case of deleted or lost partitions. It has an effective free version as well and the pro version offers more advanced features like – converting to GPT partition style without data loss! It is not too expensive and can be a valuable addition to your toolkit.

This Windows Partition Manager has been mentioned by a few of our readers before, and another one emailed me recently mentioning how useful it was for him while setting up a dual boot system. He also mentioned that the support team from EaseUS was very helpful with any questions he had, and highly recommended the tool. It comes in three variations: Partition Master Pro (1 PC), Partition Master Server (1 Server) and Partition Master Unlimited (Unlimited PCs / Servers)

How to Enter Asus BIOS

On Your Asus Laptop

The Asus BIOS key that you need to know is F2

  1. Press F2, hold it and power on your laptop.
  2. Keep the F2 key pressed till the Asus BIOS screen displays.

This approach should work on Windows 7 and earlier operating systems.

On Your PC With an Asus Motherboard

The Asus BIOS key you need to know is DEL (Delete)

  1. Power On your PC or if it is already on, restart it.
  2. Wait for the screen with the Asus logo to display
  3. Hit DEL key to load Asus BIOS utility. You have only a few seconds to do so before the operating system starts loading.

Note: Some Asus systems have the Esc or F10 keys as the Asus BIOS entry keys. Pay attention to the loading screen with the Asus logo. It should mention what specific key is to be used to enter Asus BIOS utility on your machine.

On Systems Running Windows 8 or Windows 10

Since Windows 8 and Windows 10 leverage Fast Startup, you would not be able to get to the BIOS during the system start-up sequence. Instead, you need to restart your computer to get there. Detailed steps can be seen in the video below.

Step-by-Step: Make A Backup of Existing Keys and Disable Secure Boot

  1. Plug-in a USB drive.
  2. Restart your computer and enter into the BIOS utility by pressing the Asus BIOS key applicable to your system. In my case, it was DEL. Keep an eye out for instructions on the first screen. This should load up the Asus UEFI BIOS utility interface.ASUS UEFI BIOS Utility
  3. Go into the Advanced Mode (F7 or any other key as specified).

ASUS UEFI BIOS Utility - Advanced Mode settings

  1. Go into the ‘Secure Boot‘ option under the Boot section.ASUS UEFI BIOS Utility - Boot settings
  2. Ensure the proper OS Type is selected, and go into Key Management.ASUS UEFI BIOS Utility - Secure Boot enabled
  3. Select ‘Save Secure Boot Keys‘ and press enter.Save secure boot keys
  4. Select the USB drive when asked to ‘Select a File System‘.Choose the USB
  5. Four key files named PK, KEK, DB, and DBX are saved to the USB.Keys saved
  6. Delete Platform Key (PK) to disable secure boot. (Note: Do not delete other keys)Delete Key
  7. Save and restart to apply settings (usually F10) and boot with ‘secure boot’ disabled.DIsable Secure boot on ASUS motherboard

Step-by-Step: Restore Keys and Enable Secure Boot

  1. Follow steps 1 to 5 from the previous section. Use the USB drive that has the backed up keys
  2. Go to ‘Load Default PK‘ and press enter. You have two options to set the new key.Load default key
  3. ‘Yes’ loads the default keys. Once done, save the configuration and restart to have secure boot enabled.
  4. No’ lets you load the backed up keys.
    1. Select the USB drive that has the backup files.Select the USB to restore from
    2. Select the right file to restore (In this case – PK)Select the correct file
    3. Confirm that it is a ‘UEFI Secure Variable‘ type.Select the key file type to restore
    4. Confirm that you want to update the PK file.Confirm that you want to set the new key
    5. Save and restart. ‘Secure Boot’ should be enabled now.

That’s it. Enabling or disabling secure boot can appear to be a complicated process, but it is quite straightforward once you know the steps.

(Article updated on August 14, 2019)

  • Mustafa Kartal says:

    it’s working perfect thank u very much

  • enantiomer2000 says:

    Why would you want to re-enable secure boot afterwards?

    • Keeping it disabled is only useful if you need to have an option of booting any other OS. If that is not the case, it is safer to enable it as it offers protection against rootkits and other malware.

      I added the re-enabling steps here as someone may need them as well.

      • Santiago Andrea Hollmichel says:

        Hello Shishir! I need your help on this… I have built a new rig with an asus Impact VIII. And I did the big mistake on the first boot using a ssd with a windows from my previous rig installed(win10 64bit) it booted but then crashed to a blue screen and I tried to do a clean install of a64bit version of any windows and they start the initialization boot they give me a bsod on the windows logo… and that’s when windows checks all the secure boot keys…
        as I can run any version of a 32bit OS since the OEM and signatures are different from 64bit OS

        So I need to know where Can I get new secure boot keys as mine are either corrupted or locked by windows antimalware and rootkit protection. I have tried loading default keys but problem still comes…

        My expertise on windows keys is not much but please I would be very thankful for your input since microsoft and asus support is kinda dull on the subject at hand.
        Thank you in advance

        • Hello, Santiago. That’s quite a pickle you are in.

          Just to confirm that I understand you correctly – you have tried to load the default keys instead of the possibly corrupt ones, but you still run into the BSOD? Also, I suppose you cleared the keys before loading the default ones. Did you try to just disable secure boot?

          I will have to see if there is any specific solution to this problem. Are the questions here any help? > https://technet.microsoft.com/en-us/library/hh824987.aspx

          I don’t believe you can get new secure boot keys just like that. It falls in the manufacturer’s domain.

          • Santiago Andrea Hollmichel says:

            Hmm yeah I have tried removing the keys either under secure boot or other os the problem is all over like is stalking me… I have tried also to disable the pk and leave the other 3. have cleared all and installed from mobo defaults. the bios has been flashed 2 times with no interruptions in that process. In this new mobo the disable secure boot feature is greyed out. The only setting is either windows Wefi or other Os.

            I’m waiting for Asus to reply my mail regarding it…. they take ages and for computer components is the only way of contacting them T_T

  • I think BIOS won’t read my USB. What can I do?

  • After doing a windows 7 update, I had a secure boot issue (first screenshot). After doing some research on the internet, I found out you need to go to BIOS settings and disabled secure boot. However, on my ASUS motherboard, disabled was greyed out, so the only way to disable secure boot seemed to be deleting the secure boot keys, if I remember well….
    What do I need to do to re enable secure boot? Just install the default secure boot keys (second screenshot)? If so, will it keep my computer the way it was before, or will it delete everything and I will lose all content?
    Thanks for your help, this is a great website.

    • Yes, you can enable secure boot by installing the default keys. I did not face this issue and did not have any data loss when restoring keys. I don’t think you need to worry about that.
      To be on the safe side, keep secure boot disabled, login and backup data first. Then you can always go back and enable it.

      • Thanks, I will try and report back. Thank you.

        • I tried to install the default keys, but i got the violation message again….so I deleted the secure keys again.
          Just wondering what setting CSM must be on?

          • I forgot to say that when the violation message came on, when I pressed OK, it gave me an error message like “could not load the operating system” instead lf taking me to the motherboard screen.

  • Morgan Hoel says:

    Same as Fred, I got that secure boot violation just last night! At first I was assuming it was cause of some utility update that I had did the day before I got the error! But I’m assuming now that it could have been cause of the latest Windows updates that I had just downloaded a couple of days ago (I’m on Windows 7 pro) I have already disable secure boot by deleting the secure boot keys, and got Windows back up. My question is, after reading this guide, should I have saved the keys on a usb drive 1st? Or am I okay to restore all the default keys?

    • This seems to be a pattern – some Windows 7 update causing Secure Boot Violation. Thanks for confirming that you can disable secure boot by deleting the keys and then boot Windows.

      About your question – Yes, you can restore the default keys. I had doubts about ‘Load Default Keys’ option (call me paranoid) and thought it’s best to have external backup on the USB just in case. It works fine, though. 😀

  • Stephane Evoy says:

    I run Windows 7 and my computer just gave me a Secure Boot Violation on start up. Can’t say what prompted it. Perhaps a Windows update ? Anyway for what it’s worth I was able to disable secure boot using this guide . Thanks !

  • Catherine Liu says:

    Hiii! I seem to be able to everything u said, however when i tried saving the keys to my USB, there was a pop up that said “error while writing to file, dbx”
    Can I just delete the key and install default keys later??
    thank you so much for the help! 🙂

    • Catherine Liu says:

      This is a picture of the pop up

      • use disk on key. not external HD. its solve the problem for me.

  • LegendaryBowman says:

    I did everything in your guide, but when I save changes and restart the PK keys are restored and I have Secure Boot enabled again. I have the Asus Z170-A motherboard.

    • Mattias has a possible, simple to try solution above.

  • Mattias Svensson says:

    Appreciate this. 🙂 I was going crazy trying to boot Ubuntu with nvidia graphics and got stuck on secure boot.

  • Mattias Svensson says:

    LegendaryBowman, It didnt work for me the first time, I did the same procedure a second time and then when I rebooted secure boot was disabled. Not sure if that will work for you though. thought I could mention.

    Catherine Liu, Try to convert the usb to FAT, I also got problems with my usb when I was running ext4…

    • Mattias, thanks for sharing the info here. Even if it doesn’t work for LegendaryBowman, it might be useful for others. If possible, can you tell us which motherboard do you have?

  • IniciarSesión says:

    What happens if I deleted those PK keys, but my pendrive is faulty and can’t restore them? Shall I do a factory reset of the motherboard?

  • Thank you, Shishir for this helpful post. But I experienced the same problem as that of Catherine Liu and was not able to save the keys to a usb. I was afraid of messing with the stuff and did not dare ‘clearing’ any keys. Left it as it was.

  • Alex Rodriguez says:

    In Windows 10 you go to the UEFI settings within Windows

    Navigate to settings. …
    Select Update & security.
    Select Recovery from the left
    menu.
    Click Restart Now under
    Advanced startup. …
    Click Troubleshoot.
    Click Advanced options.
    Select UEFI Firmware
    Settings.
    Click Restart.

  • My asus have problem i dont know How to do anty can hjelp med plz asus vivo mini uefi bios utility advanced mode

  • Hi There is no secure boot option on mine

  • Many thanks Shishir for this guide! It was of really great help.

    I had to run the disable procedure two times in a row for it to take effect, as per suggestion of Mattias Svensson (thanks Mattias!) in a comment. The second time it took effect and Secure Boot was disabled from a Z170-A motherboard.

    • Good to know that Mattias’ comment helped, and that you got it done! Cheers.

  • Thanks a lot, you save my day

  • Zero Eternity says:

    You sir are a hero! I spent 3 hours on numerous websites and many reboots before I found this guide which worked. Thank you for creating this how-to guide.

    • Thank you for the kind words!

      I am glad it helped. 🙂

  • Jack Hansen says:

    Im having an issue where after i delete the PK file, when i go to save and exit/restart, it says no changes have been made. Not sure what to do next.