How to enable TPM and Secure Boot in BIOS for Windows 11

Windows 11 requires TPM 2.0 and Secure Boot enabled to install, and here are the steps to enable the security features on your computer.

Avatar for Mauro Huc
@pureinfotech
Pureinfotech Logo
Windows 11 TPM 2.0 and Secure Boot enabled

If you plan to upgrade to Windows 11, you must first check and enable TPM 2.0 and Secure Boot in the BIOS (UEFI) of your computer’s motherboard (from Asus, Dell, MSI, GigaByte, etc.) as part of the preparation.

On Windows 11, one of the most significant changes is the requirement for Trusted Platform Module (TPM) version 2.0 and Secure Boot. According to Microsoft, TPM 2.0 and Secure Boot are needed to provide a better security environment and prevent (or at least minimize) sophisticated attacks, common malware, ransomware, and other threats.

TPM is a piece of hardware, usually (but not always) integrated into the motherboard, which offers a secure environment to store and protect the encryption keys when encrypting the hard drive using features like BitLocker. On the other hand, Secure Boot is a module that ensures that the device boots only using the software that the manufacturer trusts.

This guide will teach you the steps to check and enable TPM 2.0 and Secure Boot to install Windows 11. (See also the steps to enable these two security features on VMware Workstation and Hyper-V to run the new OS on a virtual machine.)

Check if TPM 2.0 is present for Windows 11

To determine if TPM is enabled for Windows 11, use these steps:

  1. Open Start.

  2. Search for tpm.msc and click the top result to open the “Trusted Platform Module (TPM) Management” tool.

  3. In the “Status” and “TPM Manufacturer Information” sections, confirm TPM is present and version.

    Trusted Platform Module info

If the computer includes a TPM chip, you’ll see the hardware information and its status. Otherwise, if it reads “Compatible TPM cannot be found,” the chip is disabled on the UEFI, or the device doesn’t have a compatible Trusted Platform Module.

Enable TPM 2.0 in BIOS for Windows 11

To enable TPM 2.0 in the BIOS to fix the Windows 11 installation, use these steps:

  1. Open Settings.

  2. Click on Update & Security.

  3. Click on Recovery.

  4. Under the “Advanced startup” section, click the Restart now button.

    Advanced startup restart option

  5. Click on Troubleshoot.

    Troubleshoot

  6. Click on Advanced options.

  7. Click the “UEFI Firmware settings” option.

    UEFI Firmware Settings

  8. Click the Restart button.

  9. Click the advanced, security, or boot settings page, depending on the motherboard.

  10. Select the TPM 2.0 option and choose the Enabled option.

    Enable TPM 2.0 on UEFI

If the motherboard doesn’t have a TPM chip and you are running an AMD processor, the module it’s may be built into the processor, and the option will appear as “fTPM” (firmware-based TPM 2.0) or “AMD fTPM switch.” If the device is an Intel-based system, TPM 2.0 will be available as Platform Trust Technology (PTT).

If the computer does not have a TPM option and this is a custom build, you may be able to purchase a module to add the support. However, you want to consult the motherboard’s manufacturer’s website to confirm that the support exists.

After you complete the steps, the Windows 11 check should pass, allowing you to upgrade the computer to the new OS.

Check if Secure Boot is present for Windows 11

To determine whether Secure Boot is enabled on the computer, use these steps:

  1. Open Start.

  2. Search for System Information and click the top result to open the app.

  3. Click on System Summary on the left pane.

  4. Check the “Secure Boot State” information and confirm the feature is turned “On.” (If not, you need to enable the option manually.)

    System Information Secure Boot info

Once you complete the steps, you can continue with the Windows 11 installation if the security feature is enabled. Otherwise, you must follow the steps to enable it inside the UEFI firmware.

Enable Secure Boot in BIOS for Windows 11

If your computer uses the legacy BIOS, you first need to convert the MBR drive to GPT, switch to UEFI mode, and enable Secure Boot. Otherwise, the computer will no longer boot if you enable the newer firmware. If you are trying to perform a clean installation, you can skip the conversion, but this is a requirement if you are trying to upgrade from the Windows 10 desktop.

To enable Secure Boot in the BIOS firmware, use these steps:

  1. Open Settings.

  2. Click on Update & Security.

  3. Click on Recovery.

  4. Under the “Advanced startup” section, click the Restart now button.

    Advanced startup restart option

  5. Click on Troubleshoot.

    Troubleshoot

  6. Click on Advanced options.

  7. Click the “UEFI Firmware settings” option.

    UEFI Firmware Settings

  8. Click the Restart button.

  9. Click the advanced, security, or boot settings page, depending on the motherboard.

  10. Select the “Secure Boot” option and choose the Enabled option.

Almost every device with UEFI firmware will include Secure Boot, but if this is not the case, you will need to upgrade the system or consider getting a new computer that meets the Windows 11 requirements.

After you complete the steps, the computer should pass the hardware verification process to proceed with the in-place upgrade or clean install of Windows 11.