How To Enable TPM and Secure Boot in BIOS for Windows 11

When upgrading to Windows 11, the first thing you need to do is verify and enable TPM 2.0 and Secure Boot in your motherboard’s BIOS (UEFI). TPM 2.0 and Secure Boot are required because they establish a stronger security baseline and help defend against common threats such as malware and ransomware. Enabling TPM and Secure Boot is straightforward, but you must know what to look for. Before making any changes, keep your motherboard manufacturer’s manual at hand, because menu navigation and terminology vary between systems.

Keeping your computer safe from threats matters when you use it to store personal data every day. When enabled and fully configured, Secure Boot and TPM help a computer resist malware attacks and infection. Secure Boot detects tampering by verifying the digital signatures of boot loaders, critical operating system files, and option ROMs, so illegitimate components are identified and blocked before they can attack or damage the system.


TPM

TPM stands for Trusted Platform Module. It was not widely known before Windows 11 was announced. It adds an extra layer of security that prevents malware from accessing passwords, encryption keys, or other highly sensitive user data stored on your machine. There is no way to access the protected software on its own without a USB key or activation code.

TPM technology comes in three forms:

  1. A physical chip that plugs into a dedicated header on the motherboard.
  2. A module soldered to the motherboard.
  3. A firmware-based implementation that you can activate in the BIOS without modifying any hardware.

fTPM and PTT

Many Intel and AMD CPUs include a “soft” TPM implementation called PTT or fTPM. The two names differ only by vendor: PTT is Intel’s built-in TPM technology, and fTPM is AMD’s. Your motherboard may offer both a TPM chip header and an fTPM/PTT option. This means you can run either the “hardware” or the “software” version and get the same result. Keep this in mind while enabling your TPM.

How can I know whether I have a TPM chip?

Checking whether you have a TPM chip is simple. Rather than relying on the desktop, open the TPM management console and confirm the device in Device Manager. Most pre-built PCs sold in the past five years have a TPM installed and enabled. It may not be available if your PC is old or custom-built. You cannot install Windows 11 unless the TPM is enabled.

  • Press the Windows key, then type “tpm.msc” and press Enter.
  • If TPM is enabled, the Status area of the window shows “The TPM is ready for use”, and no further action is necessary.
  • To open the Quick Link menu, hold down the Windows key and press X, then choose Device Manager.
  • Scroll to the bottom and expand Security devices to confirm that the TPM is present and working.

Secure Boot

Secure Boot is a feature of the UEFI firmware. With it enabled, the device can only launch authorized (signed) software and firmware components whose digital signatures are trusted by the motherboard’s manufacturer, and the machine will refuse to load an unauthorized firmware component.

Activate TPM 2.0 in the Windows 11 BIOS

Follow these steps to activate TPM 2.0 in the BIOS:

  • Open “Settings” and press “Update and Security”.
  • Press “Recovery”.
  • Choose the “Restart now” option under “Advanced startup”.
  • Press “Troubleshoot”.
  • Go to “Advanced Options”.
  • Select “UEFI Firmware Settings”.
  • Press “Restart”.
  • Depending on the motherboard, navigate to the advanced, security, or boot settings.
  • Select “TPM 2.0” and then “Enabled”.
  • Enable TPM 2.0 in UEFI.

If your motherboard lacks a TPM chip and you use an AMD CPU, the TPM is built into the processor, so the option is labeled “fTPM” (firmware-based TPM 2.0) or “AMD fTPM switch.” On an Intel-based system, TPM 2.0 is offered under Platform Trust Technology (PTT).

If the device does not include TPM capability and is a custom build, you may be able to add the functionality with a module. Check the manufacturer’s website first to ensure that it is supported. Once these steps are complete, the Windows 11 compatibility check will let you upgrade the PC to the new operating system.

Activate Secure Boot in the Windows 11 BIOS

Follow these steps to activate Secure Boot in the BIOS:

  • Open “Settings” and press “Update and Security”.
  • Press “Recovery”.
  • Choose the “Restart now” option under “Advanced startup”.
  • Press “Troubleshoot”.
  • Go to “Advanced Options”.
  • Select “UEFI Firmware Settings”.
  • Press “Restart”.
  • Depending on the motherboard, navigate to the advanced, security, or boot settings.
  • Select “Secure Boot” and then “Enabled”.
  • Enable Secure Boot in UEFI.

Almost all UEFI-based systems support Secure Boot. If yours does not, you will have to upgrade your system or consider buying a new device that meets the Windows 11 requirements. After you finish these steps, the computer should pass the hardware verification and be ready for the upgrade or a clean installation of Windows 11.
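To confirm the result of the checks in “How can I know whether I have a TPM chip?” and of the two BIOS procedures above without clicking through tpm.msc and Device Manager, the following script is an added example (not from the original article) that reads the TPM and Secure Boot state from Windows and reports whether the Windows 11 boot-security requirements are met. It assumes an elevated PowerShell prompt on Windows 8 or later, where Get-Tpm and Confirm-SecureBootUEFI are available.

```powershell
# Added example (not from the original article): report whether this PC's
# TPM and Secure Boot state meet the Windows 11 requirements. Run from an
# elevated PowerShell prompt; Get-Tpm and Confirm-SecureBootUEFI need admin rights.
function Get-Win11BootSecurityStatus {
    $result = [ordered]@{
        TpmPresent     = $false
        TpmReady       = $false
        TpmSpecVersion = $null
        Tpm20          = $false
        FirmwareIsUefi = $false
        SecureBootOn   = $false
    }

    # TPM presence and readiness: the same state tpm.msc shows in its Status area
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        Write-Warning "Get-Tpm failed: $($_.Exception.Message)"
    }

    # Spec version from the Win32_Tpm WMI class, e.g. "2.0, 0, 1.38"
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmiTpm) {
        $result.TpmSpecVersion = $wmiTpm.SpecVersion
        $result.Tpm20 = [bool]($wmiTpm.SpecVersion -match '^2\.0')
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines, which is itself the answer
    try {
        $result.SecureBootOn   = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $result.FirmwareIsUefi = $true
    } catch {
        $result.FirmwareIsUefi = $false
    }

    [pscustomobject]$result
}

$status = Get-Win11BootSecurityStatus
$status | Format-List
if ($status.Tpm20 -and $status.TpmReady -and $status.SecureBootOn) {
    Write-Host 'TPM 2.0 is ready and Secure Boot is on: Windows 11 boot-security requirements are met.'
} else {
    Write-Host 'Not ready: use the BIOS/UEFI steps above to enable TPM 2.0 and Secure Boot.'
}
```

A machine that reports FirmwareIsUefi as False is booting in legacy BIOS mode, so Secure Boot cannot be enabled until the firmware is switched to UEFI mode.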

More about TPM

Because of the design of hardware-based encryption, information stored in hardware is better protected against software attacks. A wide range of applications can be designed to hold secrets in a TPM, and they make unauthorized access to information on the system far more difficult. Access to that information and those secrets can be locked if the platform’s configuration has changed because of unwanted actions. It is important to note, however, that the TPM does not control the software running on a PC.

The TPM can store pre-boot configuration measurements, but it is up to other programs to identify and enforce rules based on that data. TPMs can improve the security of processes that require secret protection, such as digital signing. With a TPM in place, mission-critical applications that require stronger security, such as encrypted communications or secure records management, can offer a higher level of protection.

More about Secure Boot

Secure Boot prevents rootkits from being loaded into memory at boot time through mechanisms such as option ROMs and MBRs, taking control of the system, and hiding from anti-malware tools. Over time, this problem has grown to play a substantial part in data damage and theft, since malware can infiltrate the BIOS or the OS loader. UEFI is the firmware interface standard for current platforms; it offers a rich user interface, flexibility, and standard interfaces that let IHVs build debugging tools into UEFI that work in a more flexible pre-boot environment than a classic BIOS.

The UEFI standards body, led by Microsoft, developed a method to prevent boot-time rootkits from being installed: the firmware loads and executes only binaries that are unmodified and known to the platform. This process is known as Secure Boot; see Microsoft’s documentation on its Secure Boot approach for further details. Other OS vendors have adopted comparable ways of implementing secure boot. Secure Boot-enabled UEFI systems load only software binaries that are unmodified and trusted by the platform, such as option ROM drivers, boot loaders, and OS loaders.
