Windows Security

Secure Boot and TPM requirements

Practical Windows guide: Secure Boot and TPM requirements without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Verify Secure Boot and TPM 2.0 status for Windows 11 compatibility, and enable them in firmware if disabled.

1) Check TPM in Windows

  1. Press Win + R, type tpm.msc, press Enter.
  2. Status should show "The TPM is ready for use" and specification 2.0.
  3. Alternatively: Settings → Privacy & security → Windows Security → Device security → Security processor details.

2) Check Secure Boot

  1. Run msinfo32; Secure Boot State should read On.
  2. Or in PowerShell (run as administrator): Confirm-SecureBootUEFI returns True on UEFI systems with Secure Boot enabled.

3) Enable in firmware if off

  1. Reboot into UEFI setup (Del, F2, or vendor key).
  2. Enable TPM (may appear as PTT on Intel, fTPM on AMD, or Security Device).
  3. Enable Secure Boot — mode Standard/Windows UEFI mode on most consumer PCs.
  4. Save and exit. Windows may ask for the BitLocker recovery key if BitLocker was enabled before you toggled Secure Boot.

4) PC Health Check and upgrade path

  1. Microsoft's PC Health Check app reports TPM and Secure Boot readiness for Windows 11.
  2. Windows 10 PCs without TPM 2.0 cannot officially upgrade to Windows 11 — plan hardware replacement or stay on Windows 10 until EOL.

5) Clear TPM if corrupted

  1. Firmware: clear TPM/security chip before OS install on refurbished PCs with old corporate TPM state.
  2. Windows: Device security → Security processor troubleshooting → Clear TPM — loses BitLocker keys if not backed up.

6) fTPM vs discrete TPM

  1. Most consumer PCs use firmware TPM (PTT/fTPM) — adequate for Windows 11. Discrete TPM modules are common on enterprise boards.

7) Upgrade TPM 1.2 to 2.0

  1. Some business PCs need firmware TPM module purchase and physical install — consumer boards use fTPM in BIOS.

8) Virtual machines

  1. Hyper-V and VMware can expose virtual TPM 2.0 — enable in VM settings before Windows 11 install inside VM.
  2. Secure Boot template “Microsoft Windows” in Hyper-V generation 2 VMs satisfies installer checks.

Verification checklist

Screenshot msinfo32 BIOS Mode and Secure Boot State for asset inventory. Store TPM manufacturer version from tpm.msc for warranty support calls.

  1. Reboot once after changes that affect services, drivers, or firmware.
  2. Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
  3. Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.
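
For the asset-inventory record described in this checklist, the values checked by hand in sections 1 and 2 can be collected in one pass. This is an added example, not part of the original guide; Get-TpmSecureBootReport and its output field names are hypothetical, and it assumes an elevated Windows PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: gathers the guide's manual checks into one inventory record.
# Get-TpmSecureBootReport is a hypothetical function name, not a built-in cmdlet.
function Get-TpmSecureBootReport {
    # TPM state, the same data tpm.msc displays.
    $tpm = Get-Tpm
    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.59"; the first field is the TPM version.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so record the reason instead of failing.
    $secureBoot = try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        "Unavailable: $($_.Exception.Message)"
    }

    # BitLocker state of the OS volume: if protection is on, have the recovery key
    # at hand before toggling Secure Boot or clearing the TPM.
    $bitLocker = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue).ProtectionStatus
    } else { 'BitLocker cmdlets not available' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Collected          = Get-Date -Format 'yyyy-MM-dd'
        WindowsVersion     = (Get-CimInstance Win32_OperatingSystem).Version
        BiosMode           = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
        SecureBootState    = $secureBoot
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        TpmSpecVersion     = $specVersion
        TpmManufacturer    = $tpm.ManufacturerIdTxt
        TpmVendorVersion   = $tpm.ManufacturerVersion
        BitLockerOnOsDrive = $bitLocker
        # True only when both checks from sections 1 and 2 of this guide pass.
        PassesGuideChecks  = ($tpm.TpmReady -and $specVersion -eq '2.0' -and $secureBoot -eq 'On')
    }
}

Get-TpmSecureBootReport | Format-List
```

Piping the result to Export-Csv or ConvertTo-Json instead of Format-List gives a record that can be filed alongside the msinfo32 screenshot.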

Quick reference paths

  • tpm.msc
  • msinfo32
  • Confirm-SecureBootUEFI
  • Admin tools: press Win + X for Terminal (Admin), Device Manager, and Computer Management.
