UEFI: clearing secure boot keys?

I’ve been a bit ignorant to the benefits of UEFI, secure boot and CSM for a while and I’ve tried to correct that this holiday. I currently have a Win10 installation installed in MBR. Secure boot is enabled in my UEFI and CSM is enabled. Checking my secure boot status in msinfo32 it says my secure boot status is “unsupported” - presumably because I have installed Win10 in MBR and CSM is launching Windows via the “old method”. I think that is correct - please correct if not.

Although it’s already quick, I’ve been looking at ways to decrease POST and boot time. The best way seems to be to disable CSM and enable secure boot for UEFI only and install Win10 in UEFI mode. Am I right here?

My grey area comes down to the secure boot keys. I have read up on them but it goes over my head. I have installed a lot of different Windows / OS’s on this PC and I have keys already in my secure keys section. I have backed up these keys onto a USB stick first, but what happens if I delete all my keys?

I am ready to do a clean install of Windows 10 x64 in UEFI mode enabling all the latest mod cons. I want to clear out all my keys and just have whatever is supposed to be there for Win10. Is this what deleting all my keys will do or will it make one big mess?


i5 Haswell
Samsung 850 EVO


I am not sure, whether enabling the "Secure Boot" option will decrease the boot time.
All your questions should be answered by somebody, who knows more about the "Secure Boot" option than me.

SecureBoot and CSM are mutual exclusives, if you have CSM enabled, your SecureBoot is disabled despite being “Enabled” in BIOs Setup. SecureBoot can only worn in pure UEFI (non-CSM) mode.
The best way to decrease boot time is to switch to UEFI boot, disable CSM, enable FastBoot and disable SecureBoot, because it takes some time to check a signature of your bootloader, and it will be checked on every boot.
If you remove all SecureBoot keys, the SecureBoot will switch into so called “Setup Mode”, where you can add your own keys without having a private parts of older ones (that are only available to Microsoft and ASUS, in your case). AMI-based UEFIs have a “standard” keys in default map, so don’t worry about losing the keys - you can easily restore them from Security->SecureBoot Settings setup page.
What you need to do:
1. Disable CSM.
2. Enable FastBoot.
3. Enable (better protection from bootkits, a bit slower boot time) or disable (a bit faster boot time, the same security level you have now with CSM) SecureBoot.
4. Don’t touch the keys, they are fine by default.
5. Reinstall Windows in UEFI mode.

Thanks for your excellent reply.

If I follow your 1-5 steps and enable secure boot, could I disable it later to test how much time it is costing on boot up and then re-enable it again later?

Sure, why not. I don;t think you will see any visible difference, BTW, so you may leave SecureBoot enabled just for a bit of added security.

Thanks for your replies.

I will do this and let you know how it goes and if there is a difference. Unfortunately my main backup drive failed yesterday and although the data is secure it’s been causing me problems so I may not be able to reload now until next weekend so I just wanted you to know that I hadn’t forgotten.

What you need to do:
1. Disable CSM.
2. Enable FastBoot.
3. Enable SecureBoot.
4. Don’t touch the keys, they are fine by default.
5. Reinstall Windows in UEFI mode.

I did the above and my PC posts and boots to Win10 much quicker than it did before on Windows 7 with MBR/CSM. It does it in probably half the time which I think is mainly down to disabling CSM.

Win10 does take a lot longer to finish booting though than Win7. Win7 would take longer to boot but would complete booting sooner after hitting the desktop. By complete I mean completely load everything I have in taskbar. Win10 boots to desktop much faster but then takes a good 5+ seconds to load the apps into taskbar.