
I need advice on CSM and Secure Boot settings

R5Eandme
Level 12
Hello,

I have read the forums and guides on installing Windows in UEFI mode but am still a bit confused about the ASUS BIOS settings for CSM. I am building a system around the R5E with Samsung 960 Pro NVMe M.2 boot drive, and am about to install Win 10 x64 Pro. I am exploring and learning the various settings in BIOS vers 3701. What I think I would like to do is install Windows in UEFI mode with GPT partition (no MBR), but with both CSM (Compatibility Support Module) and Secure Boot disabled. I would then like to have the option of enabling Secure Boot in the near future. I understand that you can't have CSM and Secure Boot enabled at the same time because CSM gives the possibility of unsigned OptionROMs. I also understand that once you install Windows with CSM enabled, you can't go back and disable CSM later and therefore: no Secure Boot.

The problem is, when I disable CSM (this is pre-OS install) the options for "Boot Option Priorities" and "Boot Override" became grayed and unavailable. I can no longer see my non-boot storage drives (WD 4TB, and Samsung 850 Pro) or my DVD drives. That may be a problem for me because I would like the option of booting from a USB drive or from my Pioneer BD-RW (model BDR-209M) optical drive. On my current Win 7 system I have used booting from the Acronis True Image (Linux) DVD disk for performing reimaging of my hard drive from archived images after system problems, corrupted files, etc. The Acronis boot disk is a portable environment that also provides Windows PE which is useful to run diskpart and other utilities at the command prompt.

So if CSM is disabled, I don't see any way to get the system to boot from a DVD drive, only from the Samsung 960 Pro containing an EFI partition? Am I correct about this? Or is it possible with CSM disabled to boot from a USB drive or a DVD drive on this UEFI platform? I don't see how with "Boot Override" grayed out.

To be able to boot from USB or DVD, I could go with CSM enabled, but it precludes the benefits of Secure Boot as I understand.

Thank you in advance!

Nate152
Moderator
Hi R5EandMe

I'm pretty sure Windows 10 only comes on a USB drive.

You'll want to make sure the M.2 slot is set to PCIe x4.

I don't have an M.2 drive but installing windows 10 should be basically the same. I disable CSM and set Secure Boot to Other OS then set Boot Option 1 to the windows installation usb drive.

F10 and Enter to save and exit, upon rebooting you'll get an option screen, select windows 10 64-bit. Then I select custom (advanced) install, delete all the partitions and let windows create the partitions.

Be sure to disconnect any other drives before installing windows.

How does this work for you?

Nate152 wrote:
Hi R5EandMe

I'm pretty sure Windows 10 only comes on a USB drive.

You'll want to make sure the M.2 slot is set to PCIe x4.

I don't have an M.2 drive but installing windows 10 should be basically the same. I disable CSM and set Secure Boot to Other OS then set Boot Option 1 to the windows installation usb drive.

F10 and Enter to save and exit, upon rebooting you'll get an option screen, select windows 10 64-bit. Then I select custom (advanced) install, delete all the partitions and let windows create the partitions.

Be sure to disconnect any other drives before installing windows.

How does this work for you?


Hi Nate 152, and thank you for the speedy reply. Is it just me or is CSM and Secure Boot insanely confusing?
My Win10 is a retail usb drive as you say. Also I have set the "Onboard Devices Configuration PCIEx8_4 and M.2" from [Auto] to [M.2]. With CSM enabled, I in fact do see the Samsung 960 Pro in the boot devices lists. With CSM disabled, I don't see anything, but as you suggest when I plug in the Windows install usb, I should see that and select it as the boot device, then Windows should find the Samsung 960 Pro. I am curious, after you go through this install procedure for Windows 10 can you see other boot devices such as DVD drives even with CSM disabled?

Nate152
Moderator
I'm pretty sure with CSM disabled the other drives don't show but they still work.

You can leave CSM enabled, it will just add a few seconds to the boot time.

Nate152 wrote:
I'm pretty sure with CSM disabled the other drives don't show but they still work.

You can leave CSM enabled, it will just add a few seconds to the boot time.


Thanks Nate152. I can enable CSM then will be able to boot from devices (DVD drive) other than the one that Windows was installed on. Not concerned with boot times. That would mean not having Secure Boot. In your opinion, how big a deal is it to go without Secure Boot these days, with rootkits and whatnot running around in the wild?

Nate152
Moderator
Well I only have two options for Secure Boot and they are Windows UEFI and Other OS. I have to have Secure Boot set to Other OS or I get a message saying unauthorized changes have been made to the OS.

Nate152 wrote:
Well I only have two options for Secure Boot and they are Windows UEFI and Other OS. I have to have Secure Boot set to Other OS or I get a message saying unauthorized changes have been made to the OS.


I read that selecting "Windows UEFI" turns secure boot on, while "Other OS" turns secure boot off (which apparently still allows a UEFI Windows installation, w/o secure boot). Maybe there are one or more drivers your OS is loading that don't have valid signatures, that seems to be a common problem. I read that the latest Samsung 960 Pro driver vers 2.2 for Win 10 does not have a valid signature for secure boot. What is up with that?? Anyway, I enjoyed the chat and thank you very much for your insights.

Nate152
Moderator

I figured out why in the pre-Windows installation environment and with CSM disabled that I could not see any of my storage devices in the “Boot Option Priorities” or “Boot Override” lists.

Back in the old days of Legacy BIOS booting, all storage devices showed up in boot lists where you could arrange their priorities and select one to boot from. Now with UEFI BIOS, only UEFI-bootable devices show up in those lists, unless you have enabled CSM. Disabling CSM is for UEFI-only booting, and the only devices that show up in boot lists are devices that contain \EFI\Boot\bootx64.efi in the root directory. That is the UEFI "boot loader". If I had installed Windows on the Samsung 960 Pro then \EFI\Boot\bootx64.efi would appear in the EFI (“System”) partition of the drive, and the boot list would show "windows Boot Manager" or “UEFI: Samsung 960 Pro” or something like that.

The DVD drives did not show up in the boot lists with CSM disabled because they did not contain any disks. If I insert the Acronis/WinPE rescue disk before booting into BIOS, then the DVD drive shows up as “UEFI: Pioneer BD-RW BDR-209M” because that disk contains the directory \EFI\Boot\bootx64.efi. Same for a Windows 10 Recovery thumb drive I made for a different computer, for booting into the WinRE environment. It shows up in the boot device list as “UEFI: SanDisk Ultra USB 3.0 Flash Drive” because it too contains \EFI\Boot\bootx64.efi as I’ve verified.

So with CSM disabled, the ASUS UEFI Bios will examine all HD, SSD, USB ports, and DVD drives, looking for UEFI bootable devices that contain \EFI\Boot\bootx64.efi. In contrast, if CSM is enabled then all devices show up whether or not they contain \EFI\Boot\bootx64.efi. With CSM enabled you will then see two versions for example “P3: Pioneer BD-RW BDR-209M” and “UEFI: Pioneer BD-RW BDR-209M”, giving you a choice of booting to the device with a Legacy BIOS boot or a UEFI boot. The Legacy boot will not use the \EFI\Boot\bootx64.efi boot application, but will instead use the application named bootmgr.

So I can in fact leave CSM disabled and install Windows, and if I ever need to boot from an Acronis rescue disk or a Windows Recovery thumb drive, I can either press "F2" or “DEL” and boot into bios and select the device from the “Boot Override” list, or spam the “F8” key during boot after the ROG logo appears, to bring up the “Please Select Boot Device” menu which will list all devices containing \EFI\Boot\bootx64.efi. If I ever need to boot from a non-UEFI compliant device that does not contain \EFI\Boot\bootx64.efi then I'd have to enable CSM first if possible (and probably have to disable Secure Boot). That is my understanding.

CSM IS ENABLED BY DEFAULT, so people who want a pure UEFI boot system will want to disable CSM before installing the OS.

Here are some good resources I found:
A Youtube video: “How to Fix Issue Booting to DVD/CD with New UEFI BIOS Boot Order” https://www.youtube.com/watch?v=y8Ml1IbVp-8 where he had an Acronis rescue disk that did not contain \EFI\Boot\bootx64.efi, and so he had to go into BIOS and enable CSM & disable Secure Boot in order to boot from it.
Also an old but excellent and still relevant discussion by Sushovon Sinha “UEFI Secure Boot in Windows 8.1” https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/uefi-secure-boot-in-windows-81... which is full of good technical information.
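
The check described in the post above, written out as an added example that is not part of the original thread: given the mount point of a USB stick or disc, it looks for \EFI\Boot\bootx64.efi, confirms the file is an x64 EFI application, and reports whether it carries an embedded signature, which is what matters once Secure Boot is switched on. The function names and status labels are this example's own.

```python
import os, struct, sys

AMD64, EFI_APP = 0x8664, 10   # PE machine type and subsystem of an x64 UEFI application

def find_fallback_loader(root):
    """Locate \\EFI\\Boot\\bootx64.efi under root; FAT names are case-insensitive."""
    path = root
    for part in ("EFI", "BOOT", "BOOTX64.EFI"):
        names = os.listdir(path) if os.path.isdir(path) else []
        hit = next((n for n in names if n.upper() == part), None)
        if hit is None:
            return None
        path = os.path.join(path, hit)
    return path if os.path.isfile(path) else None

def inspect_pe(data):
    """Parse PE/COFF headers; return (machine, subsystem, has_embedded_signature)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, = struct.unpack_from("<H", data, pe + 4)
    opt = pe + 24                                   # optional header follows COFF header
    magic, = struct.unpack_from("<H", data, opt)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ vs PE32 data directories
    count, = struct.unpack_from("<I", data, dirs - 4)
    # Directory 4 is the certificate table, where an Authenticode signature lives.
    size = struct.unpack_from("<II", data, dirs + 32)[1] if count > 4 else 0
    return machine, subsystem, size > 0

def classify_media(root):
    """Classify mounted media by its fallback UEFI loader."""
    loader = find_fallback_loader(root)
    if loader is None:
        return "no-uefi-loader"     # per the post: not listed as a "UEFI:" entry
    with open(loader, "rb") as f:
        data = f.read(4096)
    try:
        machine, subsystem, signed = inspect_pe(data)
    except (ValueError, struct.error):
        return "invalid-loader"
    if (machine, subsystem) != (AMD64, EFI_APP):
        return "not-x64-efi-app"
    # A signature being present does not prove the firmware's db trusts its signer.
    return "uefi-signed" if signed else "uefi-unsigned"

if __name__ == "__main__" and len(sys.argv) > 1:
    print(classify_media(sys.argv[1]))
```

Run it with the drive letter or mount point of the rescue media as the only argument. A result of `uefi-unsigned` means the media should be listed with CSM disabled but would be refused once Secure Boot is enforced.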

R5Eandme wrote:
I figured out why in the pre-Windows installation environment and with CSM disabled that I could not see any of my storage devices in the “Boot Option Priorities” or “Boot Override” lists.

Back in the old days of Legacy BIOS booting, all storage devices showed up in boot lists where you could arrange their priorities and select one to boot from. Now with UEFI BIOS, only UEFI-bootable devices show up in those lists, unless you have enabled CSM. Disabling CSM is for UEFI-only booting, and the only devices that show up in boot lists are devices that contain \EFI\Boot\bootx64.efi in the root directory. That is the UEFI "boot loader". If I had installed Windows on the Samsung 960 Pro then \EFI\Boot\bootx64.efi would appear in the EFI (“System”) partition of the drive, and the boot list would show "windows Boot Manager" or “UEFI: Samsung 960 Pro” or something like that.

The DVD drives did not show up in the boot lists with CSM disabled because they did not contain any disks. If I insert the Acronis/WinPE rescue disk before booting into BIOS, then the DVD drive shows up as “UEFI: Pioneer BD-RW BDR-209M” because that disk contains the directory \EFI\Boot\bootx64.efi. Same for a Windows 10 Recovery thumb drive I made for a different computer, for booting into the WinRE environment. It shows up in the boot device list as “UEFI: SanDisk Ultra USB 3.0 Flash Drive” because it too contains \EFI\Boot\bootx64.efi as I’ve verified.

So with CSM disabled, the ASUS UEFI Bios will examine all HD, SSD, USB ports, and DVD drives, looking for UEFI bootable devices that contain \EFI\Boot\bootx64.efi. In contrast, if CSM is enabled then all devices show up whether or not they contain \EFI\Boot\bootx64.efi. With CSM enabled you will then see two versions for example “P3: Pioneer BD-RW BDR-209M” and “UEFI: Pioneer BD-RW BDR-209M”, giving you a choice of booting to the device with a Legacy BIOS boot or a UEFI boot. The Legacy boot will not use the \EFI\Boot\bootx64.efi boot application, but will instead use the application named bootmgr.

So I can in fact leave CSM disabled and install Windows, and if I ever need to boot from an Acronis rescue disk or a Windows Recovery thumb drive, I can either press "F2" or “DEL” and boot into bios and select the device from the “Boot Override” list, or spam the “F8” key during boot after the ROG logo appears, to bring up the “Please Select Boot Device” menu which will list all devices containing \EFI\Boot\bootx64.efi. If I ever need to boot from a non-UEFI compliant device that does not contain \EFI\Boot\bootx64.efi then I'd have to enable CSM first if possible (and probably have to disable Secure Boot). That is my understanding.

CSM IS ENABLED BY DEFAULT, so people who want a pure UEFI boot system will want to disable CSM before installing the OS.

Here are some good resources I found:
A Youtube video: “How to Fix Issue Booting to DVD/CD with New UEFI BIOS Boot Order” https://www.youtube.com/watch?v=y8Ml1IbVp-8 where he had an Acronis rescue disk that did not contain \EFI\Boot\bootx64.efi, and so he had to go into BIOS and enable CSM & disable Secure Boot in order to boot from it.
Also an old but excellent and still relevant discussion by Sushovon Sinha “UEFI Secure Boot in Windows 8.1” https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/uefi-secure-boot-in-windows-81... which is full of good technical information.


Don't mean to resurrect an old thread but is there a difference between other OS and windows 10 selection?

Thanks