Prepare your devices for Windows 11 by enabling Secure Boot and Firmware TPM

If you ran the PC Health Check app from Microsoft and got an error stating that your somewhat new device can’t run Windows 11, it’s likely due to your motherboard not having the firmware TPM enabled. This is especially the case for custom built gaming PCs, where it’s often not enabled by default.

Error from the PC Health Check app

Since the announcement that Windows 11 requires TPM 2.0, a few articles have been written about how scalpers are selling TPM chips for significantly over MSRP. Thankfully, recent AMD and Intel chips support a firmware-based TPM that can be enabled in the motherboard settings. The setting is called AMD fTPM or Intel PTT.

To enable the TPM, boot your computer into the BIOS/motherboard settings (likely by turning it on while mashing the Delete key). Since we’re in the motherboard settings, I can’t capture screenshots, so be warned that the following images have lots of glare – sorry! On my AORUS motherboard, I’ll find fTPM under the Settings page:

fTPM setting

And to turn it on, it’s as easy as pressing Enter and selecting Enabled:

Enable fTPM

We know that Windows 11 also requires Secure Boot to be enabled. So while we’re in the BIOS settings, we might as well do that too.

Your settings may vary, but I had to go to the Boot page. Here, first we need to disable CSM Support:

Disable CSM Support

CSM (Compatibility Support Module) Support is used for booting legacy BIOS-style devices, which is the exact opposite goal of Secure Boot.

Quick aside – if you were booting in legacy BIOS mode instead of UEFI, you were actively using this CSM Support setting, meaning that if you disable it you won’t be able to boot into your OS. If that’s the case, Microsoft has a command-line tool called MBR2GPT, which you can run to convert your disk from BIOS (MBR partition style) to UEFI (GPT partition style). After running that tool, just be sure to go back into your motherboard settings and boot from the disk you just converted. If you have no idea whether you’re booting from BIOS or UEFI, open the System Information app and check the BIOS Mode setting:

System Information

Once you disable CSM Support, you’ll notice a Secure Boot setting has appeared:

Secure Boot settings

When you click into that setting, you’ll be given the option to enable Secure Boot:

Secure Boot settings

But before we can just hit enable, first we need to configure the Secure Boot mode. Select the Secure Boot Mode setting and select Standard:

Secure Boot Mode standard

Custom would allow us to set the keys that Secure Boot uses to verify the signatures of boot components. But for our purposes, Standard solves the problem. The final step before enabling Secure Boot is actually saving all our settings and restarting, because we need to boot the machine with CSM disabled before we can enable Secure Boot.

Save all settings and Restart

After restarting, head back to the Secure Boot settings and set it to Enabled:

Configure Secure Boot to Enabled

Save your settings one last time:

Save and restart

And now you’re good to go! We can double check by running the PC Health Check app again:

Ready for Windows 11
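
The same state can be confirmed from an elevated PowerShell prompt, which also shows which of the settings above is still missing. This script is an added example, not part of the original post; the function name `Get-Win11FirmwareReadiness` is made up for illustration, and it only reads state using built-in Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): reports the firmware settings
# changed above. Get-Win11FirmwareReadiness is a hypothetical helper name.

function Get-Win11FirmwareReadiness {
    # 'Uefi' means this Windows install does not depend on CSM/legacy boot.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

    # fTPM / PTT appear to Windows the same way a discrete TPM does.
    $tpm = Get-Tpm
    $specVersion = $null
    if ($tpm.TpmPresent) {
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec version.
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
        $specVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    }

    # Confirm-SecureBootUEFI throws on a legacy BIOS boot instead of returning $false.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # Partition style of the system disk: MBR means it must be converted
    # before CSM Support can be disabled.
    $sysDisk = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1

    [pscustomobject]@{
        FirmwareType    = "$firmware"
        TpmPresent      = $tpm.TpmPresent
        TpmReady        = $tpm.TpmReady
        TpmSpecVersion  = $specVersion
        SecureBoot      = $secureBoot
        SystemDisk      = $sysDisk.Number
        PartitionStyle  = "$($sysDisk.PartitionStyle)"
    }
}

$r = Get-Win11FirmwareReadiness
$r | Format-List

if (-not $r.TpmPresent)              { Write-Warning 'No TPM visible to Windows: enable AMD fTPM / Intel PTT in the firmware settings.' }
elseif ($r.TpmSpecVersion -ne '2.0') { Write-Warning "TPM spec version is $($r.TpmSpecVersion); Windows 11 requires 2.0." }
if ($r.PartitionStyle -eq 'MBR')     { Write-Warning "System disk is MBR. Validate before converting: mbr2gpt /validate /disk:$($r.SystemDisk) /allowFullOS" }
if ($r.FirmwareType -ne 'Uefi')      { Write-Warning 'Booted in legacy BIOS mode: Secure Boot cannot be enabled until the system boots via UEFI.' }
elseif (-not $r.SecureBoot)          { Write-Warning 'UEFI boot, but Secure Boot is off: enable it in the firmware settings.' }
```

Running it before touching the firmware settings is also useful: an MBR system disk in the output means disabling CSM Support would leave the machine unbootable until the disk is converted.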

Now we’re ready for Windows 11. There will be many Windows 11 blog posts on Device Advice in the future, so as always, if there’s something you’re interested in let us know by commenting below. Happy updating! 🚀
