How to Enable Secure Boot and TPM 2.0 to install Windows 11

You need to enable Secure Boot and TPM 2.0 to install Windows 11. Otherwise the setup program will report that your hardware is not compatible. In this post, we will see how it can be done.


In late 2021, Microsoft plans to launch Windows 11 as a free update for all Windows 10 users. If you do not intend to buy a new computer running Windows 11 out of the box, you may want to double-check your PC specs and ensure it can run the latest OS from Microsoft. Even if you have a modern, powerful gaming or workstation computer, there is one thing you need to do before upgrading to Windows 11.


Windows 11 now lists TPM 2.0, Secure Boot, and UEFI mode as mandatory requirements. While modern motherboards support all three, for some reason manufacturers ship their products with TPM and Secure Boot disabled by default. Microsoft has made a new tool for checking Windows 11 compatibility. If Trusted Platform Module and Secure Boot are disabled on your machine, the compatibility check tool will tell you that your PC is not eligible to run Windows 11, even with the newest hardware.

How to Enable Secure Boot and TPM 2.0 to install Windows 11

Disclaimer: We cannot list all BIOS/UEFI versions in the article. Vendors equip their motherboards with different BIOS versions, UI, layouts, and capabilities. In this article, we provide you with general terminology and an idea of what to look for to enable Secure Boot and TPM 2.0 to install Windows 11. Also, we assume you know how to enter BIOS in Windows 10. If you do not know, do the following:

  1. Press Win + I to open Windows Settings.
  2. Go to Update and Security > Recovery.
  3. Find the Advanced Startup section and click Restart now.
  4. On the next Choose an option screen with a blue background, select Troubleshoot.
  5. Click Advanced Options.
  6. Click UEFI Firmware Settings.
  7. Click Restart.


The procedure above is universal for all modern computers with UEFI. You cannot install Windows 11 on a PC that does not support UEFI. Also, make sure BIOS runs in UEFI mode with CSM Mode disabled.

How to check whether my PC has TPM 2.0 and Secure Boot enabled

There is no need to enter UEFI/BIOS to check whether your computer has TPM 2.0 and Secure Boot enabled. Windows 10 has a built-in system information tool that shows you all the data you need.

  1. Press Win + R and enter the msinfo32 command.
  2. In a new window, click System Summary.
  3. Find the Secure Boot State line and make sure it is On.
  4. Next, expand Hardware Resources and click Memory.
  5. Find the Trusted Platform Module 2.0 State in the list of strings. Make sure its status is OK.
  6. Alternatively, open Device Manager and expand the Security Devices group.
  7. If you have TPM 2.0 enabled, Device Manager will list Trusted Platform Module 2.0 in the Security Devices group.

Also, check out the post Find if your Windows 10 device has TPM (Trusted Platform Module).
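
The same three checks (UEFI boot mode, Secure Boot state, TPM 2.0) can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original article; the function name `Get-Win11FirmwareReadiness` is hypothetical, while `Get-ComputerInfo`, `Confirm-SecureBootUEFI` and the `Win32_Tpm` WMI class are standard Windows components.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Get-Win11FirmwareReadiness is a hypothetical name.

function Get-Win11FirmwareReadiness {
    # Boot mode as Windows sees it: 'Uefi', or 'Bios' for a legacy/CSM boot.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI returns $true/$false on a UEFI boot and throws
    # when Windows was booted in legacy/CSM mode.
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        $secureBoot = if ($_.Exception -is [System.PlatformNotSupportedException]) {
            'Unsupported'
        } else {
            "Unknown: $($_.Exception.Message)"
        }
    }

    # Win32_Tpm covers discrete TPMs and firmware TPMs (Intel PTT, AMD fTPM).
    # Typically no instance is returned when the TPM is absent or turned off in firmware.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $tpmSpec    = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'None' }
    $tpmEnabled = [bool]($tpm -and $tpm.IsEnabled_InitialValue)

    [pscustomobject]@{
        FirmwareType = "$firmware"
        SecureBoot   = $secureBoot
        TpmSpec      = $tpmSpec
        TpmEnabled   = $tpmEnabled
        # True only when all three firmware-side requirements from the article hold.
        MeetsFirmwareRequirements = ("$firmware" -eq 'Uefi') -and
                                    ($secureBoot -eq 'On') -and
                                    ($tpmSpec -eq '2.0') -and $tpmEnabled
    }
}

Get-Win11FirmwareReadiness | Format-List
```

A `FirmwareType` of `Bios` together with `SecureBoot : Unsupported` means Windows itself was booted in legacy/CSM mode, regardless of what the firmware setup screen shows. The script checks only the firmware prerequisites and does not evaluate CPU support.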

Enable Secure Boot to install Windows 11

Enabling Secure Boot on Intel and AMD-based PCs is an identical procedure. You need to find a section that manages boot settings, such as boot priority, CSM Mode, boot override, etc. Find the Boot section or Boot Settings, and then look for the Secure Boot option. The Boot section is one of the most popular settings in BIOS, so manufacturers tend to place it in a visible spot in the BIOS's main menu.


Make sure System mode is set to User and Secure Boot is enabled.


If there is no explicit Secure Boot on/off option, look for the OS Type toggle.


Select Windows UEFI Mode.


Restart your computer. It should boot as usual, without any hiccups or issues.

Enable TPM 2.0 on an Intel-based PC

To enable Trusted Platform Module 2.0 on an Intel-based PC, you need to find the Intel PTT option. It is not a popular setting, so look for it in the Advanced section or a similar list of additional options (Security may also do the trick.)


Tip: Manufacturers nowadays offer two UEFI modes: simplified and advanced or "pro." Make sure you have "advanced" mode enabled with all the features and settings available.

In the above screenshot, you can see that Intel PTT sits in the PCH-FW Configuration section. If you cannot find the Intel PTT TPM 2.0 option, refer to your motherboard's user manual or use the search option in BIOS/UEFI.

Enable TPM 2.0 on an AMD-based PC

The same idea goes for AMD. To enable TPM 2.0 on an AMD-based motherboard, find the AMD fTPM option. In the screenshot below, AMD fTPM sits in the Trusted Computing section on the Security tab.

Select Security Device Support - Enable and AMD fTPM - AMD CPU fTPM.


That is it. Now your PC is eligible to upgrade to Windows 11 when it comes out later this year.


16 thoughts on “How to Enable Secure Boot and TPM 2.0 to install Windows 11”

  1. Michael

    Very useful post. Thanks, Taras!

  2. junior

    Thank you

  3. Dizmatic

    The part where after you enable secure boot is wrong. If you installed Windows with it off you won’t boot into Windows. Have to have secure boot enabled before installing Windows.

    1. Taras Buria Post author

      Not true. If you installed Windows with UEFI, you can safely turn on/off Secure Boot without any problems. What you say happens when you switch from CSM to UEFI and/or IDE to AHCI, which mostly applies to older systems, as newer ones come with AHCI and UEFI on by default.

    2. Shyam Reddy

      True!

  4. George G Ortiz Mejias

    Thank you!

    However, when I made these changes, the PC Health Check to determine Win11 compatibility still displays that my computer cannot run Win11. It is an Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz 2.60 GHz, with 8MB RAM, and I made sure that the UEFI, Secure Boot are enabled, and it has TPM 2.0. So why would the PC Health Check still say that it is not compatible with Win11?

    1. Barry Harvey

      I’m having the exact same problem.

    2. Taras Buria Post author

      That is because Windows 11 officially supports Intel 8th gen and newer / AMD 2nd Ryzen and newer :/

    3. Stan

    Yeah... the health check program says my CPU (i7-6500) is not compatible. This really sucks.

  5. Parsa

    There is no UEFI settings option in my advanced menu and, of course, there is no advanced tab in my BIOS settings. Is it possible to enable this tab?

    1. Taras Buria Post author

      I clearly cannot help you without any detailed info or context.

  6. Alex

    So if I installed Windows 10 in Legacy mode, do I now need to reinstall a fresh copy and lose all my installed programs?

    1. Sergey Tkachenko

      Ehm, probably. Otherwise Windows 11 won’t install.

  7. Anonymous

    Works great for Maximus X Code motherboard!

  8. Christopher Kawanga

    What if I have a Core i5, 8GB RAM, 2.60GHz running in Legacy BIOS mode with no support for Secure Boot? Is there an alternative I can use to install Windows 11, even if it means losing all the data on the machine?

  9. Nathanial

    I have Secure Boot enabled in the BIOS, but it says it’s unsupported in sysinfo. Confused on what I’m missing or what to do now.
    I’ve got a Ryzen 5 3600 and an ASUS Prime B450-A.
