Hey there,
I'm having some trouble enabling SecureBoot on my desktop. I have done it successfully on a number of portables with various methods, but this time I'm at a loss. Maybe I just don't understand my UEFI, so perhaps someone with a similar board can help out. My goal is to enable SecureBoot with Windows Dual Boot.
My setup is:
Asus X670E ProArt
systemd-boot with UKI (kernel-install + ukify)
Windows Bootloader is copied to /boot and works
I have tried the assisted methods which usually work fine, now I'm at the fully manual setup because the assisted ones didn't work. I generated the keys and I enrolled them all manually and I tried with the commandline tool (which bootctl claims my mainboard supports), but after a reboot, bootctl claims that SecureBoot is disabled, and so is setup mode. My understanding was that after enrolling the keys, SecureBoot enforcement should be on?
SecureBoot Menu
SecureBoot Key Menu
systemd-boot
Last edited by Rays42 (2025-08-18 12:35:02)
Offline
but after a reboot, bootctl claims that SecureBoot is disabled, and so is setup mode.
AFAIK the setup mode is only used for manipulating the PK key. After installing this key the custom/user mode should be active.
My understanding was that after enrolling the keys, SecureBoot enforcement should be on?
Not as I recall it - there should be a separate "enable" option.
What does Windoze have to say (msinfo32.exe)?
Offline
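The states discussed in the posts above (setup mode, user mode with enforcement off, user mode with enforcement on) can be read directly from the standard UEFI `SecureBoot` and `SetupMode` variables in efivarfs. This is an added example, not code from any poster; the function names are illustrative and the sample bytes in the comments are constructed.

```python
#!/usr/bin/env python3
"""Interpret the UEFI SecureBoot / SetupMode variables exposed by efivarfs."""
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID defined by the UEFI specification
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def decode_flag(raw: bytes) -> int:
    """efivarfs prepends a 4-byte attribute word; the flag is the one data byte after it.

    Constructed sample: b"\\x06\\x00\\x00\\x00\\x01" -> attributes 0x6, value 1.
    """
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 data byte, got {len(raw)}")
    if raw[4] not in (0, 1):
        raise ValueError(f"flag byte must be 0 or 1, got {raw[4]}")
    return raw[4]


def describe(secure_boot: int, setup_mode: int) -> str:
    """Map the two flags to the state the firmware is in."""
    if setup_mode == 1 and secure_boot == 0:
        return "setup mode: no PK enrolled, keys can be written, nothing is enforced"
    if setup_mode == 0 and secure_boot == 0:
        return "user mode, not enforcing: a PK is enrolled but the firmware has Secure Boot switched off"
    if setup_mode == 0 and secure_boot == 1:
        return "user mode, enforcing: a PK is enrolled and signatures are checked"
    return "unexpected: SecureBoot=1 while SetupMode=1, treat the firmware report as unreliable"


def read_state(base: Path = EFIVARS) -> str:
    """Read both variables from an efivarfs-style directory and describe the state."""
    flags = {}
    for name in ("SecureBoot", "SetupMode"):
        flags[name] = decode_flag((base / f"{name}-{EFI_GLOBAL}").read_bytes())
    return describe(flags["SecureBoot"], flags["SetupMode"])


if __name__ == "__main__":
    try:
        print(read_state())
    except FileNotFoundError:
        print("efivarfs variables not found: not booted in UEFI mode or efivarfs not mounted")
```

"Disabled, and setup mode off" as reported in the first post corresponds to the second branch: the key enrollment took effect, but enforcement is a separate firmware setting.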
It agrees with bootctl, saying that it's off. I also checked everywhere, incl. the BIOS manual, and there isn't a separate enable toggle.
Offline
Did you check the PDF manual?
https://www.asus.com/motherboards-compo … EATOR-WIFI
Click "Manual & Document", then "PRIME PROART TUF GAMING AMD AM5 Series BIOS Manual ( English Edition )"
Pages 82+
To boot with Windows, you need to change from "Other OS" to "Windows UEFI Mode"
Last edited by StarWolf3000 (2025-08-19 06:38:16)
Mainboard: GIGABYTE B550 AORUS ELITE V2 | CPU: Ryzen 7 5800X | RAM: 32 GB
GPU: GeForce RTX 4060 8 GB (580.119.02 proprietary) | Display: BenQ BL2405 1920x1080
Kernel: 6.18.1 stable | Boot Manager: GRUB2 | DE: KDE Plasma | Login Manager: SDDM | Compositor: KWin
Online
Did you check the PDF manual?
https://www.asus.com/motherboards-compo … EATOR-WIFI
Click "Manual & Document", then "PRIME PROART TUF GAMING AMD AM5 Series BIOS Manual ( English Edition )"
Pages 82+
To boot with Windows, you need to change from "Other OS" to "Windows UEFI Mode"
Yes, that was my original mistake - in fact I need to switch to Windows UEFI Mode for Secure Boot to be enabled at all. Other OS just means "off".
However, I still failed enrolling multiple keys. I follow the various versions of the guide and I'm able to enroll my KEK + DB, and then I try to enroll the Microsoft add db/kek and it says permission denied, whether or not the PK is already enrolled, even if I'm still in setup mode. The firmware will only let me enroll one key. I tried to "append" explicitly, but same issue. When I try to do it manually via the firmware by enrolling my keys and then the Microsoft keys via append, systemd-boot causes a violation/manipulation error and won't launch. However, when I only enroll my own keys it all works, Arch boots and SB is enabled. I have tried every version and order of enrolling and rebooting and changing settings I could think of. I hope it's not a firmware bug. My current workaround is to just enroll the Microsoft keys and only enable Secure Boot when I need to launch a specific application on Windows that requires it, but I'd really prefer it set up properly.
Maybe someone with a very similar board can try it?
Offline
Maybe your mainboard's key management is restricted.
Whenever I need to change/add keys I use "KeyTool.efi" instead. Have you tried it?
It's part of the "efitools" package. Just copy it to your EFI partition, start the internal/mainboard UEFI shell (not edk2-shell) and launch it.
Offline
I was having the exact same issue, and I have a similar setup. I dual-boot Windows 11 and Arch Linux (separate drives) with an Asus TUF X670E Gaming motherboard, and I was trying to set up secure boot to work with Arch, but it seemed like the keys weren't actually enrolling in UEFI even though "sbctl enroll-keys" seemed successful. I disabled fast boot and created an Administrator password in the UEFI, then when I enrolled the keys after a reboot everything worked. I'm not sure what changed, but I hope this helps!
Offline
if anything, then
created an Administrator password in the UEFI
is what likely did the trick
many UEFIs, mostly on laptops, don't even show any Secure Boot options unless an admin password is set in the first place
so - if OP still struggles - and hasn't tried to set a password yet - this could maybe be a lead
Offline