
How to Enable Secure Boot and TPM 2.0 to install Windows 11

You need to enable Secure Boot and TPM 2.0 to install Windows 11. Otherwise the setup program will report that your hardware is not compatible. In this post, we will see how it can be done.

In late 2021, Microsoft plans to launch Windows 11 as a free update for all Windows 10 users. If you do not intend to buy a new computer running Windows 11 out of the box, you may want to double-check your PC specs and ensure it can run the latest OS from Microsoft. Even if you have a modern, powerful gaming or workstation computer, there is one thing you need to do before upgrading to Windows 11.

Windows 11 now lists TPM 2.0, Secure Boot, and UEFI mode as mandatory requirements. While modern motherboards support all three of those, for some reason, manufacturers ship their products with TPM and Secure Boot disabled by default. Microsoft has made a new tool for checking Windows 11 compatibility. If Trusted Platform Module and Secure Boot are disabled on your machine, the compatibility check tool will tell you that your PC is not eligible to run Windows 11, even with the newest hardware.

How to Enable Secure Boot and TPM 2.0 to install Windows 11

Disclaimer: We cannot list all BIOS/UEFI versions in the article. Vendors equip their motherboards with different BIOS versions, UI, layouts, and capabilities. In this article, we provide you with general terminology and an idea of what to look for to enable Secure Boot and TPM 2.0 to install Windows 11. Also, we assume you know how to enter BIOS in Windows 10. If you do not know, do the following:

  1. Press Win + I to open Windows Settings.
  2. Go to Update and Security > Recovery.
  3. Find the Advanced Startup section and click Restart now.
  4. On the next Choose an option screen with a blue background, select Troubleshoot.
  5. Click Advanced Options.
  6. Click UEFI Firmware Settings.
  7. Click Restart.

The procedure above is universal for all modern computers with UEFI. You cannot install Windows 11 on a PC that does not support UEFI. Also, make sure BIOS runs in UEFI mode with CSM Mode disabled.

How to check whether my PC has TPM 2.0 and Secure Boot enabled

There is no need to enter UEFI/BIOS to check whether your computer has TPM 2.0 and Secure Boot enabled. Windows 10 has a built-in system information tool that shows you all the data you need.

  1. Press Win + R and enter the msinfo32 command.
  2. In a new window, click System Summary.
  3. Find the Secure Boot State line and make sure it is On.
  4. Next, expand Hardware Resources and click Memory.
  5. Find the Trusted Platform Module 2.0 State in the list of strings. Make sure its status is OK.
  6. Alternatively, open Device Manager and expand the Security Devices group.
  7. If you have TPM 2.0 enabled, Device Manager will list Trusted Platform Module 2.0 in the Security Devices group.

Also, check out the post Find if your Windows 10 device has TPM (Trusted Platform Module).
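
The same checks can be scripted. The following PowerShell is an added example, not part of the original article; the function name Get-Win11FirmwareReadiness is hypothetical, and it relies on the built-in Get-ComputerInfo, Confirm-SecureBootUEFI, Get-Tpm and Get-Disk cmdlets and the Win32_Tpm WMI class, run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report of the firmware settings this article covers.
# It changes nothing on the machine.

function Get-Win11FirmwareReadiness {
    # Firmware mode as Windows booted: 'Uefi' or 'Bios' (legacy/CSM boot).
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # Confirm-SecureBootUEFI throws on legacy BIOS boots instead of returning $false.
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch [System.PlatformNotSupportedException] {
        $secureBoot = $false   # legacy/CSM boot: Secure Boot is unavailable
    }

    # TPM state as Windows sees it (present, and provisioned for use).
    $tpm = Get-Tpm

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { $null }

    # Not covered in the article: a UEFI boot needs a GPT system disk, so an
    # MBR disk here explains why switching CSM off would leave Windows unbootable.
    $systemDisk = Get-Disk | Where-Object IsSystem | Select-Object -First 1

    [pscustomobject]@{
        FirmwareMode    = $firmware
        SecureBootOn    = $secureBoot
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        TpmSpecVersion  = $tpmSpec
        SystemDiskStyle = $systemDisk.PartitionStyle
        # True only when UEFI, Secure Boot and a ready TPM 2.0 are all in place.
        FirmwareReady   = ($firmware -eq 'Uefi') -and $secureBoot -and
                          $tpm.TpmPresent -and $tpm.TpmReady -and ($tpmSpec -eq '2.0')
    }
}

Get-Win11FirmwareReadiness | Format-List
```

FirmwareReady covers only the firmware settings discussed here; it does not check the processor generation or other Windows 11 requirements.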

Enable Secure Boot to install Windows 11

Enabling Secure Boot on Intel and AMD-based PCs is an identical procedure. You need to find a section that manages boot settings, such as boot priority, CSM Mode, boot override, etc. Find the Boot section or Boot Settings, and then look for the Secure Boot option. The Boot section is one of the most popular settings in BIOS, so manufacturers tend to place it on a visible spot in the BIOS's main menu.

Make sure System mode is set to User and Secure Boot is enabled.

If there is no explicit Secure Boot on/off option, look for the OS Type toggle.

Select Windows UEFI Mode.

Restart your computer. It should boot as usual, without any hiccups or issues.

Enable TPM 2.0 on an Intel-based PC

To enable Trusted Platform Module 2.0 on an Intel-based PC, you need to find the Intel PTT option. It is not a popular setting, so look for it in the Advanced section or a similar list of additional options (Security may also do the trick.)

Tip: Manufacturers nowadays offer two UEFI modes: simplified and advanced or "pro." Make sure you have "advanced" mode enabled with all the features and settings available.

In the above screenshot, you can see that Intel PTT sits in the PCH-FW Configuration section. If you cannot find the Intel PTT TPM 2.0 option, refer to your motherboard's user manual or use the search option in BIOS/UEFI.

Enable TPM 2.0 on an AMD-based PC

The same idea goes for AMD. To enable TPM 2.0 on an AMD-based motherboard, find the AMD fTPM option. In the screenshot below, AMD fTPM sits in the Trusted Computing section on the Security tab.

Select Security Device Support - Enable and AMD fTPM - AMD CPU fTPM.

That is it. Now your PC is eligible to upgrade to Windows 11 when it comes out later this year.

18 thoughts on “How to Enable Secure Boot and TPM 2.0 to install Windows 11”

  1. Dizmatic

    The part where after you enable secure boot is wrong. If you installed Windows with it off you won’t boot into Windows. Have to have secure boot enabled before installing Windows.

    1. Taras Buria Post author

      Not true. If you installed Windows with UEFI, you can safely turn on/off Secure Boot without any problems. What you say happens when you switch from CSM to UEFI and/or IDE to AHCI, which mostly applies to older systems, as newer ones come with AHCI and UEFI on by default.

  2. George G Ortiz Mejias

    Thank you!

    However, when I made these changes, the PC Health Check to determine Win11 compatibility still displays that my computer cannot run Win11. It is an Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz 2.60 GHz, with 8MB RAM, and I made sure that the UEFI, Secure Boot are enabled, and it has TPM 2.0. So why would the PC Health Check still say that it is not compatible with Win11?

    1. Taras Buria Post author

      That is because Windows 11 officially supports Intel 8th gen and newer / AMD 2nd Ryzen and newer :/

  3. Parsa

    There is no UEFI settings option in my advanced menu and of course, there is not any advanced tab in my BIOS settings. Is it possible to enable this tab?

  4. Alex

    So if I installed Windows 10 in Legacy mode, do I now need to reinstall a fresh copy and lose all my installed programs?

  5. Christopher Kawanga

    What if I have a Core i5, 8GB RAM 2.60GHz running on Legacy BIOS mode with no support for secure boot. Is there an alternative I can use to install Windows 11, even if it means losing all the data on the machine?

  6. Nathanial

    I have secure boot enabled in the BIOS but it says it’s unsupported in sysinfo. Confused on what I’m missing or what to do now.
    I’ve got a Ryzen 5 3600 and an ASUS Prime B450-A.

    1. EP

      You need to look for an fTPM option in UEFI BIOS and switch that on, Nathanial.
      Having the secure boot option enabled alone is not enough. You must also either enable AMD fTPM in BIOS or install a discrete TPM module on your B450-A board.

  7. HerleifrUlven

    I can’t install Windows 11 and here is what I know so far.

    What I have:

    Ryzen 7 3800x

    32GB DDR4 RAM running at 3900MHz

    RTX 2080 Super (12.0 DX)

    1 TB NVMe for mass storage

    ASUS Hero VIII Wifi Mobo

    WinVer: 21H1 (OS Build 19043.1266)

    I’m signed onto my Microsoft account on this machine to login

    fTPM enabled in BIOS and Secure Boot is ON (I know this because I check tpm.msc and it said “TPM is ready for use” AND System Info said Secure Boot was on)

    memory check in system info says TPM is “OK”

    When I go to Windows 11 update settings, I get an error right away saying “This PC doesn’t currently meet all the system requirements for Windows 11”

    When I run the PC Health Check, it won’t scan my PC, “See Results” is greyed out. I click on the second option “Device specification” but that just takes me to a list of system requirements which from what I can tell, I’ve met, unless I’m overlooking something.

    Any advice would be appreciated. Thanks
