How to Enable Secure Boot and TPM 2.0 on Your PC

If you've tried installing Windows 11 or run a PC health check that flagged your system, you've likely run into two terms: Secure Boot and TPM 2.0. Both are security features built into modern hardware, and both are required for Windows 11. But enabling them isn't always a simple toggle — where you find them, whether they're already on, and what happens when you flip the switch depends heavily on your specific machine.

What Secure Boot and TPM 2.0 Actually Do

Secure Boot is a firmware security standard that prevents your PC from loading unauthorized software during startup. When enabled, your system checks that the bootloader and operating system are signed with trusted cryptographic keys before allowing them to run. This blocks many types of rootkits and bootkits — malware that tries to embed itself before Windows even loads.

TPM 2.0 (Trusted Platform Module) is either a dedicated chip or a firmware-based feature built into your CPU that handles cryptographic operations. It stores encryption keys, certificates, and authentication data in a protected environment isolated from the main operating system. Features like BitLocker drive encryption, Windows Hello, and measured boot all rely on TPM to function securely.

Together, they create a hardware-backed security foundation rather than relying purely on software-level protections.

Where These Settings Live

Both features are controlled through your system's UEFI firmware settings — what most people still call the BIOS. You access this by restarting your PC and pressing a specific key during startup. The key varies by manufacturer:

Manufacturer    Common UEFI access key
Dell            F2 or F12
HP              F10 or Esc
Lenovo          F1, F2, or Enter → F1
ASUS            F2 or Delete
MSI             Delete
Gigabyte        Delete or F2
Acer            F2 or Delete

Once inside UEFI, the layout varies significantly between manufacturers. Secure Boot is typically found under a Security, Boot, or Authentication tab. TPM settings may appear under Security or Advanced, and are sometimes labeled Intel PTT (Platform Trust Technology) or AMD fTPM depending on your processor.

How to Enable Secure Boot 🔒

  1. Enter your UEFI settings using the appropriate key at startup
  2. Navigate to the Boot or Security section
  3. Locate Secure Boot and set it to Enabled
  4. If prompted, look for a Boot Mode setting — Secure Boot requires UEFI mode, not Legacy/CSM mode

Important: If your system is currently running in Legacy/CSM boot mode, switching to UEFI mode can prevent Windows from booting if your drive uses an MBR partition scheme instead of GPT. This is a critical distinction. You can check your disk's partition style in Windows by opening Disk Management — right-click your primary drive and look at its properties under the Volumes tab.

Converting from MBR to GPT without data loss is possible using Microsoft's MBR2GPT tool, but it's a step with real risk if done incorrectly.

How to Enable TPM 2.0

TPM enablement depends on your hardware generation:

Discrete TPM chip — Some desktops and older systems have a physical TPM chip on the motherboard. These appear in UEFI as TPM Device or Security Chip and can be toggled on or off.

Firmware TPM (fTPM/PTT) — Most modern systems use a firmware-based TPM built into the CPU or chipset. On AMD systems this is called fTPM; on Intel systems it's called PTT (Platform Trust Technology). Both provide TPM 2.0 functionality without dedicated hardware.

To verify TPM status in Windows without entering UEFI: press Windows + R, type tpm.msc, and press Enter. The TPM Management console will show whether a TPM is present and which specification version it reports.

Variables That Affect the Process ⚙️

Not every setup follows the same path. Several factors change the experience meaningfully:

Age of the hardware — Systems from before 2017 may have TPM 1.2 rather than TPM 2.0, or no TPM at all. TPM 1.2 is not sufficient for Windows 11's requirements.

Motherboard manufacturer and UEFI version — Some older UEFI implementations don't expose Secure Boot controls clearly, or label settings in non-obvious ways. Firmware updates from the manufacturer sometimes add or improve these settings.

Current boot mode — If you're on Legacy/CSM mode, enabling Secure Boot requires changing your boot configuration, which has downstream effects on how your OS drives are structured.

Operating system — Linux distributions handle Secure Boot differently. Most major distros (Ubuntu, Fedora) support Secure Boot through signed bootloaders, but some configurations — particularly custom kernels or unsigned drivers — may require Secure Boot to remain disabled.

Dual-boot setups — Running Windows alongside another OS introduces additional complexity. Both systems need to be compatible with Secure Boot for it to work cleanly across both.

Virtualization software — Some hypervisors and virtual machine platforms interact with TPM in specific ways, and enabling or changing TPM settings can affect virtual machine configurations already in use.

What Happens After You Enable Them

In most cases on a modern system with Windows already installed in UEFI mode, enabling Secure Boot and TPM 2.0 causes no visible disruption. Windows continues to boot normally and the TPM becomes available to features like BitLocker.

If BitLocker was already active before you made firmware changes, you may be prompted for your BitLocker recovery key on next boot — because firmware changes alter the measurements TPM uses to verify system integrity. Having that key stored safely before making any UEFI changes is essential.
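The checks this guide walks through one at a time (boot mode and partition style, TPM presence and spec version via tpm.msc, and BitLocker protection before firmware changes) can be run together from an elevated PowerShell prompt. This is an added example, not from the original guide; it assumes Windows 10/11 with built-in Storage, TPM and BitLocker modules (the BitLocker cmdlets are absent on Home editions, which the script treats as "not available").

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight report before changing Secure Boot / TPM settings in UEFI.

function Get-FirmwareReadiness {
    $r = [ordered]@{}

    # 1. Boot mode: Secure Boot only applies when Windows was booted via UEFI.
    $r.FirmwareType = $env:firmware_type    # "UEFI" or "Legacy"

    # 2. Secure Boot state. Confirm-SecureBootUEFI throws on Legacy/CSM boot,
    #    so a failure here means "not applicable yet", not "disabled".
    try   { $r.SecureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { $r.SecureBoot = 'Unavailable (Legacy boot or unsupported firmware)' }

    # 3. Partition style of the disk Windows booted from. Legacy boot on an MBR
    #    disk means switching the firmware to UEFI mode breaks boot until converted.
    $sysDisk = Get-Disk | Where-Object IsSystem
    $r.SystemDiskPartitionStyle = $sysDisk.PartitionStyle     # GPT, MBR, or RAW

    # 4. TPM presence/readiness (Get-Tpm) plus the spec version the TPM reports;
    #    Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3".
    $tpm = Get-Tpm
    $r.TpmPresent = $tpm.TpmPresent
    $r.TpmReady   = $tpm.TpmReady
    $spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $r.TpmSpecVersion = if ($spec) { ($spec -split ',')[0].Trim() } else { 'none' }

    # 5. BitLocker on the OS drive. Firmware changes alter the TPM measurements the
    #    protector is sealed against, so an active volume will ask for the recovery key.
    $bl = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $null }
    $r.BitLockerProtection = if ($bl) { $bl.ProtectionStatus } else { 'NotAvailable' }
    $r.HasRecoveryPasswordProtector = [bool]($bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]$r
}

$report = Get-FirmwareReadiness
$report | Format-List

# Flag the two situations the guide calls out as risky before touching UEFI.
if ($report.FirmwareType -eq 'Legacy' -and $report.SystemDiskPartitionStyle -eq 'MBR') {
    Write-Warning 'Legacy boot on an MBR disk: run "mbr2gpt /validate" before switching the firmware to UEFI mode.'
}
if ($report.BitLockerProtection -eq 'On') {
    Write-Warning 'BitLocker is active: save the recovery key first ("manage-bde -protectors -get C:").'
}
```

A TpmSpecVersion of 1.2 or "none" means the firmware toggle alone will not satisfy the Windows 11 requirement; FirmwareType "Legacy" explains a missing or greyed-out Secure Boot option.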

The specific outcome for any given machine depends on which of these variables apply to your setup — and that combination is different for nearly every system.