New security baseline

How to enable TPM and Secure Boot in BIOS for Windows 11

Windows 11 requires TPM 2.0 and Secure Boot enabled to install, and here are the steps to check and enable the security features on your PC.

Windows 11 TPM 2.0 and Secure Boot enabled

If you have a computer, you plan to upgrade to Windows 11. You want to check and enable TPM 2.0 and Secure Boot in the BIOS (UEFI) of your computer’s motherboard (from Asus, Dell, MSI, GigaByte, etc.) as part of the upgrade preparation process.

On Windows 11, one of the most significant changes is the requirement for Trusted Platform Module (TPM) version 2.0 and Secure Boot. According to Microsoft, TPM 2.0 and Secure Boot are needed to provide a better security environment and prevent (or at least minimize) sophisticated and threats like those against hardware and firmware, common malware, ransomware, and other attacks.

TPM is a piece of hardware, usually (but not always) integrated into the motherboard that offers a secure environment to store and protect the encryption keys when encrypting the hard drive using features like BitLocker. On the other hand, Secure Boot is a module that ensures that computer boots only using the software that the manufacturer trusts.

In this guide, you will learn the steps to check and enable TPM 2.0 and Secure Boot to install Windows 11. (See also the steps to enable these two security features on VMware Workstation and Hyper-V to run the new OS on a virtual machine.)

Check if TPM 2.0 is present on Windows 10

To determine if TPM is enabled on the computer, use these steps:

  1. Open Start on Windows 10.

  2. Search for tpm.msc and click the top result to open the Trusted Platform Module (TPM) Management tool.

  3. In the Status and TPM Manufacturer Information to confirm TPM is present and version.

    Trusted Platform Module info

If the device includes a TPM chip, then you’ll see the hardware information and its status. Otherwise, if it reads “Compatible TPM cannot be found,” then the chip is disabled on the UEFI, or your computer doesn’t have a compatible Trusted Platform Module.

Enable TPM 2.0 in BIOS for Windows 11

To enable TPM 2.0 in the BIOS to fix the Windows 11 installation, use these steps:

  1. Open Settings.

  2. Click on Update & Security.

  3. Click on Recovery.

  4. Under the “Advanced startup” section, click the Restart now button.

    Advanced startup restart option

  5. Click on Troubleshoot.

    Troubleshoot

  6. Click on Advanced options.

  7. Click the UEFI Firmware settings option.

    UEFI Firmware Settings

  8. Click the Restart button.

  9. Click the advanced, security, or boot settings page, depending on the motherboard.

  10. Select the TPM 2.0 option and choose the Enabled option.

    Enable TPM 2.0 on UEFI

If the motherboard doesn’t have a TPM chip, and you are running an AMD processor, the module is likely built into the processor, and the option will be available as “fTPM” (firmware-based TPM 2.0) or “AMD fTPM switch.” If the device is an Intel-based system, TPM 2.0 will be available as Platform Trust Technology (PTT).

If the computer does not have a TPM option, and this is a custom build, you may be able to purchase a module to add the support. However, make sure to consult the motherboard’s manufacturer website to confirm that the support exists.

After you complete the steps, the Windows 11 check should pass, allowing you to upgrade the computer to the new OS.

Check if Secure Boot is present on Windows 10

To determine whether Secure Boot is enabled on the computer, use these steps:

  1. Open Start.

  2. Search for System Information and click the top result to open the app.

  3. Click on System Summary on the left pane.

  4. Check the “Secure Boot State” information and confirm the feature is set to On. If it’s not, you need to enable the option manually.

    System Information Secure Boot info

Once you complete the steps, if the security feature is enabled, you can continue installing Windows 11. Otherwise, you need to follow the steps to enable it inside the UEFI firmware.

Enable Secure Boot in BIOS for Windows 11

If your computer is using the legacy BIOS, you need first need to convert the MBR drive to GPT and then switch to UEFI mode and enable Secure Boot. Otherwise, if you enable the newer firmware, the computer will no longer boot. If you are trying to perform a clean installation, you can skip the convention, but if you are trying to upgrade from the Windows 10 desktop, this is a requirement.

To enable Secure Boot in the BIOS firmware, use these steps:

  1. Open Settings.

  2. Click on Update & Security.

  3. Click on Recovery.

  4. Under the “Advanced startup” section, click the Restart now button.

    Advanced startup restart option

  5. Click on Troubleshoot.

    Troubleshoot

  6. Click on Advanced options.

  7. Click the UEFI Firmware settings option.

    UEFI Firmware Settings

  8. Click the Restart button.

  9. Click the advanced, security, or boot settings page, depending on the motherboard.

  10. Select the “Secure Boot” option and choose the Enabled option.

Almost all devices featuring UEFI firmware will include Secure Boot, but if this is not the case, you will need to upgrade the system or consider getting a new computer that meets the Windows 11 requirements.

After you complete the steps, the computer should pass the hardware verification process to proceed with the in-place upgrade or clean install of Windows 11.