How to enable TPM and Secure Boot in BIOS for Windows 11

Windows 11 requires TPM 2.0 and Secure Boot enabled to install, and here are the steps to enable the security features on your computer.

TPM Management console
TPM Management console / Image: Mauro Huculak
  • To enable TPM and Secure Boot, open Settings > Update & Security > Recovery, click “Restart,” click “Troubleshoot,” select “Advanced options,” choose “UEFI Firmware settings,” and click “Restart.” Inside the firmware, turn on TPM and Secure Boot. 
  • If the motherboard doesn’t include a TPM chip, an AMD CPU may include this feature as an “fTPM” (firmware-based TPM 2.0) or “AMD fTPM switch” or as “Platform Trust Technology” (PTT) on an Intel-based system.

UPDATED 12/21/2023: If you plan to upgrade to Windows 11, you must first enable TPM 2.0 and Secure Boot in the BIOS (UEFI) of your computer’s motherboard (from Asus, Dell, MSI, Gigabyte, or from any manufacturer) as part of the preparation, and in this guide, I’ll outline the steps to complete this configuration.

On Windows 11, one of the most significant changes is the requirement for Trusted Platform Module (TPM) version 2.0. (Secure Boot is recommended but not strictly required.) According to Microsoft, TPM 2.0 and Secure Boot are needed to provide a better security environment and prevent (or at least minimize) sophisticated attacks, common malware, ransomware, and other threats.

TPM is a piece of hardware, usually (but not always) integrated into the motherboard, which offers a secure environment to store and protect the encryption keys when encrypting the hard drive using features like BitLocker. On the other hand, Secure Boot is a module that ensures that the device boots only use software that the manufacturer trusts.

In this guide, I will teach you the steps to check and enable TPM 2.0 and Secure Boot to install Windows 11. If you plan to set up the operating system on virtual machines, you will have to enable the features on VMware Workstation and Hyper-V.

Check if TPM 2.0 is present for Windows 11

To determine if TPM is enabled for Windows 11 (or 10), use these steps:

  1. Open Start.

  2. Search for tpm.msc and click the top result to open the “Trusted Platform Module (TPM) Management” app.

  3. In the “Status” and “TPM Manufacturer Information” sections, confirm TPM and its version are present.

    Trusted Platform Module Management console

If the computer includes a TPM chip, you’ll notice the hardware information and its status. Otherwise, if it reads “Compatible TPM cannot be found,” the chip is disabled on the UEFI, or the device doesn’t have a compatible Trusted Platform Module.

Enable TPM 2.0 in BIOS for Windows 11

To enable TPM 2.0 in the BIOS to install Windows 11, use these steps:

  1. Open Settings.

  2. Click on Update & Security.

  3. Click on Recovery.

  4. Click the Restart now button under the “Advanced startup” section.

    Advanced startup restart option

  5. Click on Troubleshoot.

  6. Click on Advanced options.

  7. Click the “UEFI Firmware settings” option.

    UEFI Firmware Settings

  8. Click the Restart button.

  9. Click the advanced, security, or boot settings page, depending on the motherboard.

  10. Select the TPM 2.0 option and choose the Enabled option.

    Enable TPM 2.0 on UEFI

If the motherboard doesn’t have a TPM chip, but you have an AMD-based system, the module may be built into the processor, and the option will appear as “fTPM” (firmware-based TPM 2.0) or “AMD fTPM switch.” If the device is an Intel-based system, TPM 2.0 will be available as Platform Trust Technology (PTT).

If the computer does not have a TPM option and this is a custom build, you may be able to purchase a module to add the support. However, you want to consult the manufacturer’s website to confirm the support exists.

After you complete the steps, the Windows 11 check installation should pass, allowing you to upgrade the computer to the new operating system.

Check if Secure Boot is present for Windows 11

To determine whether Secure Boot is enabled on the computer, use these steps:

  1. Open Start.

  2. Search for System Information and click the top result to open the app.

  3. Click on System Summary on the left pane.

  4. Check the “Secure Boot State” information and confirm the feature is turned “On.” (If not, you need to enable the option manually.)

    System Information Secure Boot info

Once you complete the steps, you can continue with the Windows 11 installation if the security feature is enabled. Otherwise, you must follow the steps below to enable it inside the UEFI firmware.

Enable Secure Boot in BIOS for Windows 11

If your computer uses the legacy BIOS, you must first convert the MBR drive to GPT, switch to UEFI mode, and enable Secure Boot. Otherwise, the computer will no longer boot if you enable the newer firmware. If you are trying to perform a clean installation, you can skip the conversion, but this is a requirement if you are trying to upgrade from the Windows 10 desktop.

To enable Secure Boot in the BIOS firmware, use these steps:

  1. Open Settings.

  2. Click on Update & Security.

  3. Click on Recovery.

  4. Under the “Advanced startup” section, click the Restart now button.

    Advanced startup restart option

  5. Click on Troubleshoot.

  6. Click on Advanced options.

  7. Click the “UEFI Firmware settings” option.

    UEFI Firmware Settings

  8. Click the Restart button.

  9. Click the advanced, security, or boot settings page, depending on the motherboard.

  10. Select the “Secure Boot” option and choose the Enabled option.

Almost every device with UEFI firmware will include Secure Boot, but if this is not the case, you will need to upgrade the system or consider getting a new computer that meets the Windows 11 requirements.

After you complete the steps, the computer should pass the hardware verification process to proceed with the in-place upgrade or clean install of Windows 11.

Update December 21, 2023: This guide has been updated to ensure accuracy and reflect changes.

About the author

Mauro Huculak is a Windows How-To Expert who started Pureinfotech in 2010 as an independent online publication. He has also been a Windows Central contributor for nearly a decade. Mauro has over 15 years of experience writing comprehensive guides and creating professional videos about Windows and software, including Android and Linux. Before becoming a technology writer, he was an IT administrator for seven years. In total, Mauro has over 21 years of combined experience in technology. Throughout his career, he achieved different professional certifications from Microsoft (MSCA), Cisco (CCNP), VMware (VCP), and CompTIA (A+ and Network+), and he has been recognized as a Microsoft MVP for many years. You can follow him on X (Twitter), YouTube, LinkedIn and About.me. Email him at [email protected].