How to Enable Secure Boot on Windows 11 with a Z690 Aero G Motherboard
Enabling Secure Boot on a Gigabyte Z690 Aero G motherboard is one of the most common steps users take when upgrading to Windows 11 — or when their PC health check flags the feature as disabled. The process is straightforward once you understand what Secure Boot actually does, where the setting lives in your UEFI, and what else on your system might need to change first.
What Secure Boot Actually Does
Secure Boot is a UEFI firmware security standard that verifies the digital signatures of bootloaders and OS files before your system hands control to them. If something unsigned or tampered with tries to load at startup — malware, unauthorized bootloaders, corrupted files — Secure Boot blocks it.
Windows 11 lists Secure Boot as a hard requirement, alongside TPM 2.0. Without both enabled, the OS installer will refuse to proceed on an unsupported path, and ongoing Windows Update compatibility can be affected. It doesn't improve everyday performance, but it forms a meaningful layer of low-level protection.
What You Need Before You Start 🔒
Before diving into UEFI settings, a few things are worth confirming:
- Your drive is using GPT partition style, not MBR. Secure Boot requires UEFI mode, which requires GPT. If your system drive is still MBR, enabling Secure Boot may prevent Windows from booting entirely. You can check this in Disk Management — right-click your drive, select Properties, then Volumes.
- Your BIOS is up to date. Gigabyte has released multiple firmware updates for Z690 boards. Newer versions improve Secure Boot and TPM compatibility. Check Gigabyte's support page for the Z690 Aero G and compare the version listed there against what your UEFI shows.
- TPM 2.0 is enabled. Windows 11 needs both features active. On Z690 boards, this is typically found under Settings > Miscellaneous in the UEFI, labeled Intel Platform Trust Technology (PTT) — which is Intel's firmware-based TPM implementation.
Navigating the Z690 Aero G UEFI
Power on or restart your system and press Delete repeatedly to enter the UEFI. The Z690 Aero G boots into Gigabyte's Easy Mode by default — a graphical overview screen.
To access Secure Boot settings, you need to switch to Advanced Mode. Press F2 or click the Advanced Mode option in the top-right corner of the Easy Mode screen.
Finding the Secure Boot Setting
Once in Advanced Mode:
- Navigate to the BIOS tab (not Settings, not Tweaker — specifically BIOS).
- Look for Windows 10/11 Features — this dropdown controls the OS compatibility mode. Set it to Windows 10/11 if it isn't already.
- Below that, find CSM Support — this needs to be Disabled. CSM (Compatibility Support Module) enables legacy BIOS mode, which is incompatible with Secure Boot. Disabling it is often the step people miss.
- Once CSM is off, the Secure Boot option will become available (it's typically grayed out while CSM is enabled).
- Set Secure Boot to Enabled.
Secure Boot Mode: Standard vs. Custom
After enabling Secure Boot, you'll see a Secure Boot Mode option with two settings:
| Mode | What It Does |
|---|---|
| Standard | Uses Microsoft's default key database — works for most users running standard Windows installs |
| Custom | Lets you manually manage keys — used for Linux dual-boot, custom bootloaders, or enterprise environments |
For a standard Windows 11 installation, Standard mode is the correct choice. Custom mode is only relevant if you're running a non-Microsoft bootloader or need to enroll your own keys.
After Saving: What to Watch For ⚠️
Press F10 to save and exit. Your system will reboot. If everything was configured correctly — GPT drive, UEFI boot mode, no conflicting legacy devices — Windows should load normally with Secure Boot active.
You can confirm it worked by opening System Information (search msinfo32 in the Start menu) and checking the Secure Boot State line. It should read On.
If the system fails to boot after enabling Secure Boot, the most common cause is an MBR drive or a bootloader that wasn't signed properly. Re-entering UEFI and temporarily disabling Secure Boot will restore access so you can investigate.
Variables That Affect How This Goes
The steps above work cleanly for a fresh Windows 11 install on a GPT drive with no dual-boot configuration. But the actual experience varies depending on several factors:
- Whether you upgraded from Windows 10 — some upgrade paths leave behind MBR partitioning or legacy boot entries that complicate Secure Boot enablement
- Whether you run Linux alongside Windows — most major Linux distributions support Secure Boot via Microsoft-signed shims, but this requires additional setup and potentially Custom mode
- Whether you use a discrete GPU with a custom VBIOS — certain modified GPU firmware can conflict with Secure Boot in some configurations
- Your current BIOS version — early Z690 firmware had known quirks around Secure Boot and TPM interaction that later updates addressed
- Whether PCIe devices or older add-in cards are present — some older expansion cards rely on legacy option ROMs that don't function with CSM disabled
Each of those scenarios leads to a meaningfully different path through the process — and the right configuration ultimately depends on what your specific build includes and how it's currently set up.