How to Enable TPM 2.0 and Secure Boot for Windows 11

PC Technician

The Problem

Setup or PC Health Check says the machine does not meet Windows 11 requirements, usually because TPM 2.0 or Secure Boot is disabled in firmware. Many boards support both but ship with them off on custom builds, or have them off after a BIOS reset.

Check What Windows Sees

  • Win + R → tpm.msc → need Specification version 2.0 and "ready for use".
  • Win + R → msinfo32 → Secure Boot State On, BIOS Mode UEFI.

Enable in BIOS

TPM (names vary)

Reboot → Del / F2 / F10 (brand-dependent) → enable TPM, Intel PTT, or AMD fTPM → save (F10). ASUS often hides it under Advanced → AMD fTPM or Intel PTT.

Very old hardware has no TPM 2.0. Some boards accept a discrete TPM module on a header—only if the manual lists support.

Secure Boot

Boot or Security → Secure Boot → Enabled. Set OS Type to Windows UEFI on boards that ask.

Legacy install on MBR

Windows 11 wants UEFI + GPT for clean installs. Back up first. Eligible systems can convert:

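mbr2gpt /validate /allowFullOS
mbr2gpt /convert /allowFullOS

Run from an elevated prompt only after reading Microsoft's notes. The /allowFullOS switch is required when running inside full Windows; by default mbr2gpt only runs from Windows PE. Convert only if /validate succeeds. Otherwise clean-install with GPT partitions.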

After BIOS Changes

Run PC Health Check or Settings → Windows Update again. In Windows Security → Device security, confirm the security processor and Secure Boot show on.
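The checks from "Check What Windows Sees" and this section, scripted as an added example (not part of the original guide): a read-only PowerShell function that reports the values tpm.msc and msinfo32 show, plus the boot disk's partition style, and lists what still needs fixing. It assumes an elevated Windows PowerShell 5.1 session; the function name Get-Win11FirmwareReadiness is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only check of the values tpm.msc and msinfo32 display.
function Get-Win11FirmwareReadiness {   # hypothetical helper name
    $r = [ordered]@{ TpmPresent = $false; TpmReady = $false; TpmSpec = $null
                     SecureBoot = 'Unknown'; BiosMode = $null; BootDisk = $null }

    # TPM: Get-Tpm gives presence/readiness; Win32_Tpm.SpecVersion is a
    # string such as "2.0, 0, 1.38" whose first field is the spec version.
    $tpm = Get-Tpm
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi) { $r.TpmSpec = ($wmi.SpecVersion -split ',')[0].Trim() }

    # Secure Boot: the cmdlet returns $true/$false on UEFI firmware and
    # throws on legacy BIOS or firmware without Secure Boot support.
    try {
        $r.SecureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        $r.SecureBoot = "Unavailable ($($_.Exception.Message))"
    }

    # Firmware mode and boot-disk layout (Windows 11 wants UEFI + GPT).
    $r.BiosMode = [string](Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    $boot = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    if ($boot) { $r.BootDisk = [string]$boot.PartitionStyle }

    # Map each failed check to the section of this guide that fixes it.
    $todo = @()
    if (-not $r.TpmPresent)        { $todo += 'Enable TPM / Intel PTT / AMD fTPM in firmware' }
    elseif ($r.TpmSpec -ne '2.0')  { $todo += "TPM spec is $($r.TpmSpec); 2.0 required" }
    elseif (-not $r.TpmReady)      { $todo += 'TPM present but not ready for use' }
    if ($r.BiosMode -ne 'Uefi')    { $todo += 'Firmware is in legacy mode; switch to UEFI' }
    if ($r.BootDisk -eq 'MBR')     { $todo += 'Boot disk is MBR; validate before mbr2gpt' }
    if ($r.SecureBoot -ne 'On')    { $todo += 'Enable Secure Boot in firmware' }

    $r.Ready = ($todo.Count -eq 0)
    $r.Todo  = $todo
    [pscustomobject]$r
}

Get-Win11FirmwareReadiness | Format-List
```

Run it before and after the firmware changes; an empty Todo list means the TPM, Secure Boot, UEFI and GPT checks described here all pass.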

Laptops

Corporate fleets sometimes ship with TPM off for imaging. Consumer models usually have PTT enabled—if tpm.msc is empty, a BIOS update from the OEM is worth trying before assuming the chip is dead.

Registry "bypass" tricks exist for unsupported PCs. We do not recommend them for daily use—you lose security guarantees and may get blocked from future updates.