How to Enable Secure Boot and TPM 2.0 on Windows 11

What Causes This?

Secure Boot and TPM 2.0 are usually disabled in your PC’s UEFI/BIOS settings, even though the hardware supports them. In some cases, Windows is installed in Legacy BIOS mode instead of UEFI mode, which prevents Secure Boot from being turned on. Older motherboards may also label TPM differently, such as PTT on Intel systems or fTPM on AMD systems, making the setting harder to find.

Common Symptoms

• Windows 11 says your PC does not meet system requirements
• PC Health Check reports Secure Boot or TPM 2.0 is missing
• tpm.msc shows that TPM is not ready or cannot be found
• System Information shows Secure Boot State as Off
• Some security features in Windows Security are unavailable

How to Fix It Manually

1. Check whether TPM 2.0 and Secure Boot are currently enabled

   1. Press Windows + R, type tpm.msc, then press Enter.
   2. In the TPM Management window, check Status and Specification Version. You want to see 2.0.
   3. Next, press Windows + R, type msinfo32, then press Enter.
   4. In System Information, look for:
      • BIOS Mode — this should say UEFI
      • Secure Boot State — this should say On

2. Boot into your UEFI/BIOS settings

   1. Open Settings with Windows + I.
   2. Go to System > Recovery.
   3. Under Advanced startup, click Restart now.
   4. After restart, select Troubleshoot > Advanced options > UEFI Firmware Settings > Restart.

3. Enable TPM 2.0 in BIOS

   1. In the BIOS/UEFI menu, look for a tab such as Security, Advanced, or Trusted Computing.
   2. Find the TPM setting. It may be named:
      • TPM
      • Intel Platform Trust Technology (PTT)
      • AMD fTPM
   3. Change it to Enabled.
   4. Save the setting, but stay in BIOS if you still need to enable Secure Boot.

4. Enable Secure Boot

   1. In BIOS/UEFI, open the Boot, Security, or Authentication section.
   2. Set Boot Mode or OS Type to UEFI if needed.
   3. Find Secure Boot and set it to Enabled.
   4. If Secure Boot is grayed out, disable Legacy Boot or CSM (Compatibility Support Module) first.
   5. Save changes and exit BIOS.

5. If Secure Boot still will not enable, confirm your drive uses GPT

   1. Right-click Start and choose Disk Management.
   2. Right-click your system disk, select Properties, then open the Volumes tab.
   3. Check Partition style. If it says Master Boot Record (MBR), Secure Boot may not work until the disk is converted to GUID Partition Table (GPT).
   4. Advanced users can convert with Microsoft’s mbr2gpt tool, but back up important files first before making disk changes.

6. Verify the changes in Windows

   1. After rebooting, open tpm.msc again and confirm Specification Version 2.0 is shown.
   2. Open msinfo32 and confirm:
      • BIOS Mode: UEFI
      • Secure Boot State: On
   3. If both are enabled, your system should now be ready for Windows 11 security requirements.

Fix It Automatically with Kudu

If you do not want to dig through BIOS menus or manually verify every Windows requirement, Kudu can help check whether your system is properly configured and flag issues that affect Windows 11 readiness and security. It also helps identify related system health problems so you can fix them faster without hunting through multiple built-in tools.

Download Kudu Free →