A Quick Way to Turn on TPM and Secure Boot for Windows 11 Installation

Are you thinking about making the switch to Windows 11? Be aware that there are specific requirements your system needs to meet, and we’re here to help you determine if your setup is compatible.

The first thing to look at is your processor. Windows 11 requires at least an AMD Ryzen 3000 series or Intel 7th Gen CPU. If your PC has an older processor, you won’t be able to install Windows 11 directly or upgrade from Windows 10. The second essential factor is the presence of Secure Boot and TPM capabilities on your computer. Without these, your system won’t clear the initial verification for Windows 11. But don’t worry if your PC lacks these features; they can often be activated through your computer’s BIOS/UEFI settings.

What is TPM and TPM 2.0?

The Trusted Platform Module (TPM) is a security feature integrated at the hardware level, designed to safeguard your data from unauthorized access and cyber threats. This module securely stores unique encryption keys, making it extremely challenging for hackers to extract them. In the event of a security breach, any data encrypted using these keys remains protected.

While Microsoft suggests TPM 2.0 as a part of its recommended system requirements for Windows 11, it’s still possible to upgrade to this operating system with an older version of TPM, specifically TPM 1.2, which is the baseline requirement.

What is Secure Boot?

In addition to TPM 2.0, Microsoft mandates the activation of Secure Boot for Windows 11. This security feature, which operates at the UEFI level, is designed to prevent unauthorized operating systems from starting up on your device. Essentially, Secure Boot acts as a guardian, blocking malicious software, including rootkits, bootkits, and other harmful code, from initiating before your main operating system does. This is crucial in ensuring the security and integrity of your system.

However, this security measure comes with certain drawbacks. One notable issue is its interference with dual-booting non-Windows operating systems, such as various Linux distributions. As a result, many users choose to deactivate Secure Boot to accommodate their dual-booting needs.

First Know How to Get into BIOS or UEFI Settings

The Trusted Platform Module (TPM) and Secure Boot are features located within your computer’s UEFI settings. To enable these functionalities, you’ll need to access your system’s UEFI interface prior to upgrading to Windows 11. Although both settings are generally found in similar sections within the UEFI, for clarity and ease of understanding, we’ll outline the process in three distinct steps. This step-by-step approach will guide you through the process of locating and activating these crucial security features in your system’s UEFI settings.

Beyond the essential requirements of TPM 2.0 and Secure Boot, Windows 11 also has specific hardware prerequisites. Microsoft has decided to restrict the automatic update option for a significant number of devices. If your machine is running Windows 10 and is equipped with an AMD Ryzen 3000 series processor or newer, or an Intel 7th Gen CPU or later, you’re eligible for a direct upgrade to Windows 11.

For those with older hardware, there are alternatives, but they come with their own set of challenges. One option is to perform a clean installation of Windows 11, which is feasible on a broader range of hardware. However, it’s important to be aware that Microsoft has clearly stated its policy of not providing updates for Windows 11 installations on hardware that doesn’t meet its "official" criteria. So, if you proceed with the installation on such devices, you do so with the understanding that you might not receive future updates, which could affect both the functionality and security of the computer.

Accessing your system’s BIOS/UEFI can be done through a couple of different methods. The traditional approach involves pressing a specific key on your keyboard during the startup process. Common keys include Del, F2, F10, or Esc, depending on the manufacturer. However, if your computer has the fast boot feature enabled, this method might not be feasible as the boot process can be too quick to register the keypress.

If you find yourself booting straight into Windows 10 without being able to access the BIOS/UEFI using the keypress method, there’s an alternative route you can take:

  1. Go to the "Settings" application in Windows 10, then navigate to "Update & Security."
  2. From there, select the "Recovery" option and then choose "Restart now" under the "Advanced startup" section.
  3. Upon restarting, you’ll be greeted with a blue screen presenting several options. Here, select "Troubleshoot," then go to "Advanced Options," and finally choose "UEFI Firmware Settings."
  4. Click "Restart," and your computer should reboot directly into the BIOS/UEFI settings menu.

How to Turn on TPM or TPM 2.0 on a PC

The placement of TPM settings within your BIOS varies with your motherboard’s brand and model. The example here uses an MSI X570 motherboard; keep in mind that the menu path may differ on your specific board.

It’s also important to note that TPM might be labeled differently depending on the CPU manufacturer of your system:

  1. For Intel CPUs, look for "Intel Platform Trust Technology (PTT)."
  2. For AMD CPUs, the equivalent is known as "AMD fTPM."

On an X570 MSI motherboard, for example, you would navigate to Settings > Security > Trusted Computing, and there you’ll find an option for "TPM Device Selection." In this menu, you can enable AMD fTPM.

After enabling TPM in the BIOS:

  1. Save your changes and exit the BIOS, which will restart your computer back into Windows 10.
  2. Once Windows has booted, you can verify that TPM is active and functioning correctly within the operating system.

To check your TPM status in Windows:

  1. Press the Windows key + R to open the Run dialog box.
  2. Type in tpm.msc and press Enter. This command will open the TPM management console.
  3. The console will display whether TPM is enabled on your computer, and if it is, it will also show the version of TPM that is in use.

How to Turn on Secure Boot on a PC

While you’re navigating your system’s BIOS/UEFI settings, it’s a good idea to also verify if Secure Boot is enabled. Just like with the TPM options, the location of Secure Boot in the BIOS/UEFI menu can vary based on your computer’s hardware and the motherboard manufacturer. However, you’ll typically find the Secure Boot option under the Boot tab.

To check and enable Secure Boot:

  1. Locate the Boot tab within your BIOS/UEFI settings. This tab is usually named "Boot" or something similar.
  2. Within the Boot tab, scroll through the options until you find Secure Boot.
  3. Ensure that the Secure Boot option is set to "Enabled."

Activating Secure Boot is a key step in enhancing the security of your system, especially if you’re planning to upgrade to or install Windows 11, as it’s one of the essential requirements for the operating system. After enabling Secure Boot, remember to save your changes before exiting the BIOS/UEFI settings. This will ensure that your adjustments are applied when you restart your computer back into Windows.

Additional Note for Secure Boot

It’s important to note that for Secure Boot to function properly, your system’s drives must be formatted with the GUID Partition Table (GPT) rather than the older Master Boot Record (MBR) format. GPT is a modern partition table that offers several advantages over MBR, including support for larger drives and more partitions.

If you encounter difficulties enabling Secure Boot, it could be due to your drive being formatted with MBR. In such cases, you may need to convert your drive from MBR to GPT. This conversion is essential for Secure Boot to operate, but it’s important to back up your data before proceeding, as the process can involve significant changes to your drive’s structure.

Additionally, it’s possible that your computer or its hardware components might be too outdated to support Secure Boot. This is more likely if you’re using an older system that predates the widespread adoption of UEFI and Secure Boot technology. If this is the case, upgrading your hardware may be necessary to use Secure Boot and meet the system requirements for Windows 11.
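
The three settings covered above (TPM state and version, Secure Boot, and GPT partitioning of the boot drive) can also be read in one pass from an elevated PowerShell prompt. This is an added example, not part of the original article; `Test-Win11FirmwareReadiness` is a hypothetical helper name, and the function only reads state without changing anything.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only check of the settings this article covers.
# Test-Win11FirmwareReadiness is a hypothetical name, not a built-in cmdlet.

function Test-Win11FirmwareReadiness {
    [CmdletBinding()]
    param()

    # TPM: Get-Tpm reports presence and readiness. Win32_Tpm.SpecVersion is a
    # comma-separated string whose first field is the spec version (1.2 or 2.0).
    $tpm = Get-Tpm
    $tpmVersion = $null
    if ($tpm.TpmPresent) {
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                  -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        if ($wmiTpm) { $tpmVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim() }
    }

    # Secure Boot: Confirm-SecureBootUEFI returns True/False on a UEFI boot and
    # raises PlatformNotSupportedException when Windows was booted in legacy mode.
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $firmware   = 'UEFI'
    } catch [System.PlatformNotSupportedException] {
        $secureBoot = $false
        $firmware   = 'Legacy BIOS or CSM'
    }

    # Partition style of the disk(s) Windows boots from: GPT or MBR.
    $bootDisks = Get-Disk | Where-Object { $_.IsBoot -or $_.IsSystem }
    $styles    = @($bootDisks | ForEach-Object { [string]$_.PartitionStyle } |
                   Sort-Object -Unique)

    [pscustomobject]@{
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        TpmSpecVersion     = $tpmVersion
        FirmwareMode       = $firmware
        SecureBootEnabled  = $secureBoot
        BootPartitionStyle = $styles -join ','
        # A drive still on MBR explains why Secure Boot cannot be enabled.
        NeedsGptConversion = ($styles -contains 'MBR')
    }
}

Test-Win11FirmwareReadiness | Format-List
```

A result showing `FirmwareMode` as legacy together with `BootPartitionStyle` of `MBR` matches the case described in this section: the drive has to be converted to GPT before Secure Boot can be switched on.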

Run a System Check before Windows 11 Installation

Microsoft has developed the PC Health Check App to assist users in determining if their systems meet the hardware requirements for Windows 11. You can find this tool at the bottom of the relevant Microsoft webpage. Once downloaded and installed, this application will analyze your system and provide a straightforward indication of whether your computer is compatible with Windows 11.

For those seeking a more comprehensive analysis, there’s an open-source alternative called WhyNotWin11. This tool offers a more detailed examination of your system’s compatibility with Windows 11, potentially providing insights beyond what the Microsoft tool might reveal.

With the crucial settings of TPM and Secure Boot enabled, and assuming your hardware meets the other requirements, Microsoft should present you with the option to upgrade to Windows 11. To check if the upgrade is available:

  1. Go to "Settings" in your Windows 10.
  2. Navigate to "Update & Security."
  3. Select "Windows Update."

In the Windows Update section, look for the option to upgrade to Windows 11. If it’s available, you should see a prominent update button or notification prompting you to initiate the upgrade process. However, if your PC does not meet the Windows 11 requirements, it is also possible to bypass them and use some hacks to install Windows 11 on an unsupported PC without any issue. Only a few unused features will be disabled in this way.