Enable Secure Boot, TPM and UEFI on ASUS ROG

Note about TPM

While a lot of motherboards support Secure Boot, most (even semi-modern) motherboards have a TPM or TPM 2.0 chip physically present.

If your motherboard does not have a dedicated TPM, it can come built-in to your CPU. This usually comes in a few names. Keep an eye out for:

• AMD fTPM or similar on AMD platforms.
• Intel IPT/PPT (Platform Trust Technology) on Intel systems.

If a dedicated chip is present it can show as dTPM or fTPM, for example. You may need to search a specific guide for your exact motherboard model if this generalized guide does not help you.

Note about UEFI mode

Enabling Secure Boot or TPM often requires UEFI mode to be enabled as well. While this is just a one-click toggle in the firmware settings, you do need your Windows configuration and drive to match BEFORE enabling this, or you may not be able to boot at all until this step is undone. Your drives need to be the newer GPT partition format.

Please view and verify UEFI mode can be enabled by checking the Convert MBR drives to GPT Guide.

Reboot into firmware settings

If you’re logged into Windows:

1. Open this guide on another device, as your system will only show firmware settings when you’re in the UEFI/BIOS settings screen.
2. Press Start or Windows and search for CMD. Open Command Prompt as Administrator.
3. Type: shutdown /r /fw and press Enter to reboot your system directly into your firmware settings.

If you’re on Bazzite or Steam OS on an Ally handheld:

1. In the Steam menu: Choose Power and then get ready to press Restart.
2. Hold the volume down button, press restart and confirm. Make sure to hold the power button as it restarts.
3. When the logo shows, while the volume down button is held: You will boot into the BIOS settings.

Alternatively:

1. Reboot your system as normal.
2. While booting: when you see your motherboard’s logo there is usually text below saying Press F2, F12, Delete or any other combination of buttons to enter Settings, BIOS or UEFI. Press that key while still on this screen.
3. You should now be in your BIOS/UEFI settings ready to adjust your configuration.

On my system I needed to press F2.

You should now be on your BIOS/UEFI Configuration Screen

Enable UEFI mode

This is displayed slightly differently - even from motherboard to motherboard from the same manufacturer.

1. Enter the Advanced Mode (you’ll see it at the bottom-right). Press the key, button, then click or tap Advanced Mode.
   
2. Use the arrow keys, click or tap the Boot tab at the top of your screen
   
3. Click on CSM (Compatibility Support Module), and inside set Launch CSM to Disabled.
4. Click Launch CSM and set it to Disabled. This will turn off Legacy mode, and enable UEFI mode.
5. Head back to the Boot tab. Select Secure Boot and next to OS Type select Windows UEFI Mode. Skip this step if you’re using Bazzite, Steam OS or anything else that is not Windows (There may be incompatabilities)
   
6. Note: If you just changed into UEFI mode, you may have a restart pending before more settings can be adjusted. Head to the Exit tab. Choose Save Changes and Exit.
   

You should now boot into Windows with UEFI mode enabled!

Enable Secure Boot

1. Head to the Security tab.
   
2. Click Secure Boot
   
3. Make sure Secure Boot Control is set to Enabled.

Enable TPM

1. Select the Advanced tab
   
2. Select and open either PCH-FW Configuration (Intel) or AMD fTPM configuration (AMD)
3. For Intel devices: Set PTT to Enabled
   
4. For AMD devices: Set Firmware TPM Switch to Enable Firmware TPM or Discrete TPM
   

Save and Exit

Head to the Exit tab. Choose Save Changes and Exit.

Your system should now reboot with UEFI, Secure Boot and TPM all enabled.